Cyber Security DevOps Senior Specialist

Job purpose / role:

To assist, review and validate in implementations of cybersecurity requirements across development activities in Business Technology.

Areas of responsibility:

Policies, Processes & Procedures                

• Follows all relevant departmental policies, processes, standard operating procedures and instructions so that work is carried out in a controlled and consistent manner

Day- to-day operations 

• Follows the day-to-day operations related to own job to ensure continuity of work

Cyber Security DevOPS Analyst

• Supports projects or change initiatives through the preparation of technical plans and application of cybersecurity and DevOps design principles.
• Selects appropriate testing approach for automated testing of cybersecurity controls and countermeasures in the DevOps pipeline.
• Analyses and reports on test activities, results, issues and risks, for the cybersecurity initiatives within the DevOps pipeline.
• Plans the capture and management of configuration items and related information for cybersecurity controls and countermeasures within the DevOps pipeline.
• Develops, configures and maintains tools (including automation) to identify, track, log and maintain accurate, complete and current information for cybersecurity controls and countermeasures within the DevOps pipeline.
• Reports on the status of configuration management. Identifies problems and issues to recommend corrective actions, and report on progress cybersecurity initiatives within the DevOps pipeline.
• Assesses and analyses release components for input to release scheduling, maintains and administers tools and methods for cybersecurity software delivery, deployment and configuration of the DevOps pipeline.
• Conducts vulnerability and baseline configuration scanning, change related penetration and security testing activities such as initial information gathering and standard probing; and engagement with engineering/ product teams to resolve identified security vulnerabilities
• Assists in ensuring security is embedded as part of the agile deployment covering sprint planning, defining security user stories and test cases, participating in scrum cadence and sprint retrospectives
• Use security testing and code scanning tools to conduct code reviews
• Perform secure program testing, review, and/or assessment to identify potential flaws in codes and mitigate vulnerabilities.
• Address security implications in the software acceptance phase including completion criteria, risk acceptance and documentation, common criteria, and methods of independent testing.
• Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
• Apply coding and testing standards, apply security testing tools including "'fuzzing" static-analysis code scanning tools, and conduct code reviews.

Continuous Improvement

• Contributes to the identification of opportunities for continuous improvement of processes and practices taking into account ‘international best practice’, improvement of business processes, cost reduction and productivity improvement

Reporting

• Assists in the preparation of timely and accurate reports of Riyad Bank to meet company and department requirements, policies and standards

Safety, Quality & Environment   

• Complies with all relevant safety, quality and environmental management policies, procedures and controls to ensure a healthy and safe work environment

Related Assignments      

• Performs other related duties or assignments as directed within the confinement of the departmental roles and responsibilities. 

• Knowledge of network components, their operation and appropriate network security controls and methods.
• Knowledge of cybersecurity related threats and vulnerabilities.
• Knowledge of the likely operational impact on an organization of cybersecurity breaches.
• Knowledge of cybersecurity authentication, authorization and access control methods.
• Knowledge of vulnerabilities in applications and their likely impact.
• Knowledge of cybersecurity communication methods, principles and concepts that support the network infrastructure.
• Knowledge of cybersecurity defence and vulnerability assessment tools and their capabilities.
• Knowledge of computer programming principles.
• Knowledge of the organization's enterprise cybersecurity architecture.
• Knowledge of how network services and protocols interact to provide network communications.
• Knowledge of incident categories, incident responses and timelines for responses.
• Knowledge of best practice analysis principles and methods.
• Knowledge of IT security principles and methods.
• Knowledge of low-level computer languages required for role.
• Knowledge of systems testing and evaluation methods.
• Knowledge of defence-in-depth principles and network security architecture.
• Knowledge of technology that can be exploited.
• Knowledge of the organization's core business processes and how cybersecurity affects them.
• Knowledge of cybersecurity threats, risks and issues posed by new technologies and malicious actors.
• Knowledge of different types of cyber attackers, their capabilities and objectives.
• Knowledge of the stages of a cyberattack.
• Knowledge of network security architecture concepts including topology, protocols, components, and principles.
• Knowledge of Windows and Unix ports and services.
• Knowledge of confidentiality, integrity and availability requirements.
• Knowledge of OSI model and underlying network protocols.
• Knowledge of systems security testing and evaluation methods.
• Knowledge of countermeasure design for identified security risks.
• Knowledge of how to map networks and recreate network topologies.
• Knowledge of packet-level analysis using appropriate tools.
• Knowledge of emerging technologies and their potential for exploitation.
• Knowledge of cybersecurity vulnerabilities across a range of industry standard technologies.
• Knowledge of the principal methods, procedures and techniques for gathering, producing, reporting and sharing cybersecurity information.
• Knowledge of intrusion detection and prevention system tools and applications.
• Knowledge of network protocols and directory services.
• Knowledge of penetration testing and red teaming principles, tools and techniques.
• Knowledge of an organization’s threat environment.
• Knowledge of encryption algorithms.
• Knowledge of public sources detailing common application security risks and mitigations.