AVP, Infrastructure Vulnerability Manager (Philadelphia, PA)


The Chubb Information Security team is responsible for protecting information and information systems against unauthorized access, detecting and responding to attempts to gain access, and enabling access through our identity processes. Chubb operates a global information security team supporting local business units across five regions (Asia Pacific, North America, Latin America, Japan, and Europe including the Middle East and Africa). Our global information security strategy is developed with input from each of these regions and translated into programs that are then executed by the regions using resources from each region (especially our infrastructure partners).

The Infrastructure Vulnerability Manager is a global role that requires a high degree of technical expertise, excellent oral and written communication skills, and the ability to work independently. The person is responsible for a broad range of tasks, including the day-to-day administration of vulnerability scanning tools. The qualified candidate will be responsible for assessing and prioritizing identified vulnerabilities, reporting on them, and driving remediation of vulnerabilities relating to systems, applications, and infrastructure devices.

The candidate will be responsible for leading program maturity efforts and initiatives in Vulnerability Management functions within the Chubb Information Security department. This includes, but is not limited to, driving improvements in vulnerability scanning automation; validation of vulnerability findings; asset discovery; regulatory scanning requirements; driving next-generation security operations approaches and tools; and producing automated dashboards to measure the effectiveness of the program.

We are looking for individuals who have experience performing daily, hands-on network and software security assessment and remediation activities and who can support the security team as part of the vulnerability management program. The position includes performing network scans and software security activities within the defined application security program, including O/S vulnerability testing and analysis, use of common tools, written and verbal articulation of remediation recommendations, and follow-up.

Duties & Responsibilities:
• Manage and maintain vulnerability scanning toolset
• Perform asset and network discovery activities, helping to ensure full coverage of the Chubb environment
• Establish a strategy and framework for performing validation of scanning results
• Review, assess, and mitigate vulnerability assessments on information systems and infrastructure
• Prioritize remediation activities with operational teams through risk ratings of vulnerabilities and assets
• Recommend, schedule and/or apply fixes, security patches and any other measures required in the event of a security breach
• Collate security incident and event data to produce monthly exception and management reports
• Implement or coordinate remediation required by audits, and document exceptions as necessary.
• Develop program quality metrics as both program performance indicators and enterprise risk indicators
• Work closely with Application Vulnerability team to integrate vulnerability findings against application level scans to provide a holistic security posture for assets
• Leverage Chubb inventory and patch management systems to provide reporting and governance for vulnerability impact and remediation progress
• Monitor security vulnerability information from vendors and third parties
• Help develop Chubb's next-generation vulnerability management program, including formalized assessment criteria, integration with asset inventory, enterprise vulnerability scanning, and remediation tracking and governance.


Minimum Qualifications:
• Bachelor's Degree in Computer Science, Engineering, or other Engineering or Technical discipline or equivalent relevant experience. Master's Degree preferred.
• Minimum 2 years of experience leading Vulnerability Management or similar Information Security teams
• Expert level experience with management of Rapid7 Nexpose
• Ability to perform vulnerability assessments and penetration testing using manual testing techniques, scripts, commercial and open source tools
• Ability to demonstrate knowledge of prioritizing remediation activities with operational teams through risk ratings of vulnerabilities and assets
• Ability to read, write and modify scripts for automation of vulnerability management tasks
• Excellent verbal and written communication
• Strong analytical skills
• Strong team player with ability to take charge of their area of expertise
• Comfortable working outside their comfort zone with a willingness to learn
• Working experience with industry frameworks (CSF, ISO, COBIT, etc.)
• Experience in deploying and operating vulnerability scanning infrastructure and services
• Previous hands-on experience in application or network penetration testing
• Strong knowledge of industry standards regarding vulnerability management, including Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS)
• Strong knowledge of technology and security topics including network security, wireless security, application security, infrastructure hardening and security baselines, web server and database security
• Must have experience developing scan policies, reading, and developing vulnerability reports

Preferred Qualifications
• Knowledge of computer networking concepts and protocols, and network security methodologies
• Knowledge of risk management processes (e.g., methods for assessing and mitigating risk)
• Knowledge of specific operational impacts of cybersecurity lapses
• Knowledge of host/network access control mechanisms (e.g., access control list, capabilities lists)
• Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code)
• Knowledge of systems diagnostic tools and fault identification techniques
• Knowledge of system administration, network, and operating system hardening techniques
• Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services
• Knowledge of penetration testing principles, tools, and techniques
• Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems
• Skill in performing impact/risk assessments
• Skill in the use of penetration testing tools and techniques
• Ability to identify systemic security issues based on the analysis of vulnerability and configuration

EEO Statement

At Chubb, we are committed to equal employment opportunity and compliance with all laws and regulations pertaining to it. Our policy is to provide employment, training, compensation, promotion, and other conditions or opportunities of employment, without regard to race, color, religious creed, sex, gender, gender identity, gender expression, sexual orientation, marital status, national origin, ancestry, mental and physical disability, medical condition, genetic information, military and veteran status, age, and pregnancy or any other characteristic protected by law. Performance and qualifications are the only basis upon which we hire, assign, promote, compensate, develop and retain employees. Chubb prohibits all unlawful discrimination, harassment and retaliation against any individual who reports discrimination or harassment.
More Information on Chubb
Chubb operates in the Insurance industry. Chubb was founded in 2022. It has 27791 total employees. It offers perks and benefits such as Flexible Spending Account (FSA), Disability Insurance, Dental Benefits, Vision Benefits, Health Insurance Benefits and Life Insurance.