The Network Security Engineer III is a contributor to the overall design, configuration and troubleshooting of the next generation firewall and network security infrastructures supporting academic, medical and research across the enterprise. The engineer III will support systems consisting of a multi-tiered architecture of firewalls and security infrastructures to achieve the highest performance, availability and security model possible.
Responsible for infrastructure engineering, maintenance, and support of complex network security systems for a large scale, multi-site, and geographically distributed enterprise network. Scope of supported systems ranges from servers and desktop hardware and software, multiple operating systems, and proprietary network security systems and appliances (e.g., secure remote access, firewalls, routers, intrusion prevention systems, intrusion detection systems, vulnerability scanning and management, incident response, and regulatory compliance systems). Collaborates with business partners and the Chief Information Security Officer to establish and maintain policies and practices that ensure regulatory compliance. These network security systems provide IT services to thousands of users throughout Johns Hopkins and have an enterprise wide complexity and scope.
Job Scope/Complexity: This position is on a team of network security engineers and may act as a point of contact for all Network Security matters related to the enterprise. They will participate in all matters related to the planning and integration of all Next Generation Firewall platforms and Site to Site VPN infrastructures. This includes Security auditing, remediation activities, network security monitoring, consolidation of services, and network and security integration. Incumbents are expected to act independently (with minimal supervision) in representing the Johns Hopkins Network Security team and executing all technical tasks related to network and security integration. Vendor management, and close collaboration with technical resources and management are critical to this position. Expense management, resources and time tracking are also critical elements of the position. Risk analysis and remediation as it relates to network security issues are directly under control of the incumbent in this position.
The major efforts and tasks of this position are highly complex, technical and enterprise wide in scope. Information security threats are an evolving problem with new sources of threats and variations to older problems changing daily. Due diligence is required in monitoring and understanding these problems. This is the third level of a three tiered Network Security Engineer position. Network Security risks are abstract in nature and require a balanced response that mitigates risks without disrupting services. Technical competence is expected to be at the highest level, with increased expectation for leadership responsibility. Tasks and projects are highly complex in nature. Position includes project and technical leadership along with mentoring and assistance with development of other staff. Leadership of others, both within and outside the team, is critical. Decisions recommended and made by incumbent affect and impact enterprise systems and operations. Position works in a highly independent manner under limited supervision. Develops training materials, documentation and conducts training for other staff members. Provides feedback to management on staff technical development and competency.
Job Responsibilities: The responsibilities listed below are typical examples of the work performed by this position. Not all duties assigned to this position are included, nor is it expected that everyone in this position will be assigned every job responsibility. The position is responsible for the network security infrastructures including but not limited to Next Generation firewalls and Site to Site VPN infrastructures. The position will require the use of security monitoring tools and best practices to remediate and develop network segmentation plans.
20% RISK MANAGEMENT:
Implements and supports systems and processes to reduce the security threats to Hopkins Network and IT infrastructure. These include but are not limited to data loss, exposure of private data, inappropriate systems access, denial of service, computer viruses and Trojans or any other indication of compromised systems.
Provides network security risk and vulnerability assessments, and provides recommendations to mitigate risks for larger to enterprise-wide systems that are highly complex in nature.
Represents network security in IT and business projects for network security evaluations and risk assessments.
Researches specific elements of regulatory compliance requirements (HIPAA, FERPA, PCI, Sarbanes Oxley, FISMA) and develops recommendations for network security compliance.
Provides risk management consulting services to Hopkins business units, partners and affiliates on cyber security and network vulnerability and risk mitigation for projects that are highly complex in nature.
Provides direct input into the Network Security Architecture and may be responsible for updating portions of the architecture document on an ongoing basis.
Develops processes and practices for risk identification and mitigation.
20% SYSTEMS ANALYSIS AND DESIGN:
Develops and executes highly technical and/or complex project plans and systems that are based on knowledge of the business and information security needs of the Johns Hopkins enterprise community. These may involve cross divisional support.
Provides network security analysis and design consulting services to Hopkins business units, partners and affiliates on cyber security and network vulnerability and risk mitigation for projects that are highly complex in nature. They may also involve sensitive info (PHI, PII).
Develops technical security systems and procedures for IT systems that process all classification levels of electronic information (see JH electronic information classification levels at http://it.jhu.edu/policies/itpolicies.html#Classification). These Enterprise wide network information security efforts include: wired and wireless networking; telecommunications; secure messaging; enterprise clinical information systems (e.g., EPR, POE); student information systems (e.g., ISIS); and enterprise business solutions (e.g., Enterprise Business Solution (SAP)).
Provides knowledgeable technical and project management (full life-cycle) responsibilities in more than one enterprise focused information security discipline, including, but not limited to: risk management; network intrusion detection and prevention; security event / incident response; security policy; vulnerability management; regulatory compliance; and encrypted and secure remote access for Hopkins staff, Hopkins remote entities, and business partners.
Designs enterprise network information security systems and services in support of the mission of Johns Hopkins Institutions.
Independently determines or interprets complex requirements for existing or new network information security systems; identifies and/or develops and tests solutions to meet requirements; develops recommendation for implementation; implements and develops documentation for monitoring and maintenance.
Provides tactical and strategic planning for ongoing management of network security platforms.
20% INSTALL AND CONFIGURE:
Implements and configures technical security systems and procedures for IT systems that process all classification levels of electronic information (see JH electronic information classification levels at http://it.jhu.edu/policies/itpolicies.html#Classification). These Enterprise wide network information security efforts include: wired and wireless networking; telecommunications; secure messaging; enterprise clinical information systems (e.g., EPR, POE); student information systems (e.g., ISIS); and enterprise business solutions (e.g., Enterprise Business Solution (SAP)).
Installs and configures large to enterprise-wide security appliances and solutions.
Works with JH management and staff to develop and communicate enterprise network information security policies (http://it.jhu.edu/policies/itpolicies.html#Network).
Implements changes by adhering to the change management policies and procedures for any given project. Communicates to all parties the nature, significance, and risk factors of the solution.
Develops change management practices for lower level engineers and systems administrators.
Installs, configures, and/or interprets results of network security analyzers and log events.
Develops scripts, tools, and other forms of automation to assist junior level staff in analyzing security events and related data.
20% TECHNICAL COLLABORATION:
Leads and/or directs technical engineers in administration of enterprise network information security systems and services in support of the mission of the Johns Hopkins Institutions.
Represents network security in IT and business projects for network security evaluations and risk assessments.
Leads the work with Enterprise infrastructure support services for data center logistics; coordinates enterprise network security system changes with affected JH customers and staff at one or more JH institution campus or location.
Manages one or more network security platforms (Firewalls, IDS, IPS, Security Assessment tools).
Provides oversight to vendors, affiliates and lower level staff.
Coordinates activities with customers and other IT organizations.
Serves as the primary contact for assigned security platforms.
Develops guidance and training for other engineers.
Establishes practices and works with external law enforcement organizations to assist with investigations or threats that are related to the Johns Hopkins Network and/or highly confidential in nature.
20% MAINTAIN AND TROUBLESHOOT:
Monitors network for emerging threats across the cyber security landscape and makes recommendations to reduce and/or eliminate the threats to the Hopkins Enterprise Network.
Maintains and troubleshoots technical security systems and procedures for IT systems that process all classification levels of electronic information (see JH electronic information classification levels at http://it.jhu.edu/policies/itpolicies.html#Classification). These Enterprise wide network information security efforts include: wired and wireless networking; telecommunications; secure messaging; enterprise clinical information systems (e.g., EPR, POE); student information systems (e.g., ISIS); and enterprise business solutions (e.g., Enterprise Business Solutions (SAP)).
Leads confidential security incident and event investigations. Investigates forensic evidence of security breaches and compromises. Identifies root causes, develops and implements alternatives to eliminate the source of the compromise and potential for re-occurrence. May require coordinating an Enterprise wide team.
Analyzes data from enterprise information security events (including, but not limited to: technical forensic data, incident records, analysis of network traffic). Provides reports and recommended response actions to Network Security Architect and/or security manager.
Produces ad-hoc and recurring reports on network security system measurement statistics.
Reviews abstract information regarding network traffic flow and access for anomalies and potential breaches to network security. Develops processes for others to follow in reviewing the information.
Troubleshoots highly complex network and security problems, involving switching, routing and security policy issues.
Incumbents in this position are expected to be available on call on a 7x24 basis. Support may be expected for both elements of the Hopkins network and the Community Hospitals.
Bachelor’s degree in IT or related field.
Advanced degree in IT or related field and/or professional security training and certification (e.g. SANS/GIAC, CISA, CISM, CISSP) preferred.
Additional experience may substitute for education to the extent allowed by the JHU Equivalency Formula.
JHU Equivalency Formula: 30 undergraduate degree credits (semester hours) or 18 graduate degree credits may substitute for one year of experience. Additional related experience may substitute for required education on the same basis. For jobs where equivalency is permitted, up to two years of non-related college course work may be applied towards the total minimum education/experience required for the respective job.
Six years related experience.
Must have a solid understanding of how to develop and troubleshoot firewall policies.
Specialized education can be substituted for experience.
Preferred Job Qualifications:
Knowledge in the assigned IT environments.
The following are some of the technologies the team uses. Knowledge or familiarity with a few of these technologies is preferred:
Cisco ASA & Firepower.
Palo Alto Next Generation Firewalls.
Palo Alto Panorama.
Using Cisco IOS for Business Partner VPN Connectivity.
Scripting and Automation tools.
Splunk & Syslog.
Knowledge, Skills, & Abilities:
Experience implementing and enforcing IT Security Policies using network based tools and controls.
Knowledge of compliance requirements including: PCI, HIPAA, and other regulatory and privacy requirements for higher education and health care.
Must demonstrate strong critical thinking and analytical reasoning skills.
Ability to work on multiple priorities effectively.
Ability to prioritize conflicting demands.
Ability to execute assigned project tasks within established schedule.
Ability to work collaboratively in a team environment.
Ability to communicate effectively in the service of users and colleagues.
Writes and communicates clearly and concisely.
Possesses sound documentation skills.
Ability to maintain confidentiality.
Must demonstrate exemplary customer service skills.
Work requires a strong understanding and extensive work experience with at least two of the ten (ISC)² Information Security Domains (Access Control; Application Development Security; Business Continuity and Disaster Recovery Planning; Cryptography; Information Security Governance and Risk Management; Legal, Regulations, Compliance and Investigations; Operations Security; Physical (Environmental) Security; Security Architecture and Design; Telecommunications and Network Security).
Expert knowledge of complex firewall environments. This includes multi access perimeter, enterprise red zones and specialty firewall configurations. Development of complex firewall access policies, policy groupings, access control lists and firewall interface management.
Expert knowledge and experience with information security technologies, methodologies, and practices including, but not limited to: risk assessment and management; intrusion detection and prevention; vulnerability assessment and management; system administration (Windows, OS X, Linux, Unix, etc.); security policy, standards, and best practices; security incident response; auditing and security administration of network security systems and operating systems; access control; encryption; firewalls; secure proxies; networking; database and application security; security event log analysis; virus prevention and remediation; and custom programming/scripting.
Expert understanding of the use of open source network security tools (e.g., Nmap, Snort).
Completely familiar with network vulnerability assessments and processes.
Expert knowledge of network interconnect practices and the use of both public (internet) and private network interconnect services.
Capable of leading other engineers through troubleshooting highly complex network and security problems, involving switching, routing and security policy issues.
Complete understanding of the interoperability of Network Security systems.
Strong understanding of TCP/IP, the OSI model, and appropriate standards and practices associated with a secure enterprise technical framework is required.
Classified Title: Network Security Engineer III
Working Title: Network Security Engineer III
Role/Level/Range: ATP/04/PF
Starting Salary Range: Commensurate with Experience
Employee group: Full Time
Schedule: Monday-Friday, 8:30am-5:00pm
Exempt Status: Exempt
Location: 02-MD:Mount Washington Campus
Department name: 10003725-IT@JH Networking, Telecom and Data Ctr
Personnel area: University Administration
The successful candidate(s) for this position will be subject to a pre-employment background check.
If you are interested in applying for employment with The Johns Hopkins University and require special assistance or accommodation during any part of the pre-employment process, please contact the HR Business Services Office at firstname.lastname@example.org. For TTY users, call via Maryland Relay or dial 711.
The following additional provisions may apply depending on which campus you will work. Your recruiter will advise accordingly.
During the Influenza ("the flu") season, as a condition of employment, The Johns Hopkins Institutions require all employees who provide ongoing services to patients or work in patient care or clinical care areas to have an annual influenza vaccination or possess an approved medical or religious exception. Failure to meet this requirement may result in termination of employment.
The pre-employment physical for positions in clinical areas, laboratories, working with research subjects, or involving community contact requires documentation of immune status against Rubella (German measles), Rubeola (Measles), Mumps, Varicella (chickenpox), Hepatitis B and documentation of having received the Tdap (Tetanus, diphtheria, pertussis) vaccination. This may include documentation of having two (2) MMR vaccines; two (2) Varicella vaccines; or antibody status to these diseases from laboratory testing. Blood tests for immunities to these diseases are ordinarily included in the pre-employment physical exam except for those employees who provide results of blood tests or immunization documentation from their own health care providers. Any vaccinations required for these diseases will be given at no cost in our Occupational Health office.
Equal Opportunity Employer
Note: Job Postings are updated daily and remain online until filled.
Johns Hopkins University remains committed to its founding principle, that education for all students should be grounded in exploration and discovery. Hopkins students are challenged not just to learn but also to advance learning itself. Critical thinking, problem solving, creativity, and entrepreneurship are all encouraged and nourished in this unique educational environment. After more than 130 years, Johns Hopkins remains a world leader in both teaching and research. Faculty members and their research colleagues at the university's Applied Physics Laboratory have each year since 1979 won Johns Hopkins more federal research and development funding than any other university. The university has nine academic divisions and campuses throughout the Baltimore-Washington area. The Krieger School of Arts and Sciences, the Whiting School of Engineering, the School of Education and the Carey Business School are based at the Homewood campus in northern Baltimore. The schools of Medicine, Public Health, and Nursing share a campus in east Baltimore with The Johns Hopkins Hospital. The Peabody Institute, a leading professional school of music, is located on Mount Vernon Place in downtown Baltimore. The Paul H. Nitze School of Advanced International Studies is located in Washington's Dupont Circle area.