Information Security Architect - Shift4

As part of our continued growth, we're looking for an Information Security Architect.

Key Roles and Responsibilities:

• Play key role in product & system design, reviews and solution architecture, and provide security guidelines, all in a highly regulated ecosystem.
• Control and manage mitigation plan implementation as part of the above security guidelines
• Identify, research, explore, and lead the evaluation and implementation of new security controls for the required business projects
• Work closely with the product team to enhance Finaro’s product security
• Work with IT teams on new innovative infrastructure projects, including VM environments, network infrastructure, storage systems, DB platforms, and cloud environments, and provide security guidance for all related fields and layers respectively
• Work with R&D teams to enhance application security within Finaro software

Technical Skills for Shift4EU Security Architect:

1. Understanding of API Protocols and Standards: REST (Representational State Transfer): Deep knowledge of RESTful APIs and how to secure them. (O) SOAP (Simple Object Access Protocol): Understanding SOAP APIs and their security requirements.
2. Authentication and Authorization- OAuth 2.0 and OpenID Connect: Implementing and securing APIs with OAuth 2.0 and OpenID Connect for secure access and identity management. JWT (JSON Web Tokens): Using JWT for secure token-based authentication and authorization.
3. API Key Management: Best practices for managing and securing API keys.
4. Encryption and Data Protection.
5. Transport Layer Security (TLS): Ensuring secure communication using TLS to protect data in transit.
6. Encryption Standards: Knowledge of encryption techniques to protect sensitive data in API requests and responses.
7. WAF & API Gateway and Management.
8. WAF Solutions: Experience with F5, Cloudflare, and Akamai for security policy enforcement.
9. API Gateway Solutions: Experience with API gateway platforms like Kong, Apigee, AWS API Gateway, or Azure API Management for centralized API management and security enforcement. (O) Rate Limiting and Throttling: Implementing rate limiting and throttling to prevent abuse and ensure fair usage.
10. Security Testing and Vulnerability Assessment.
11. Access Control and Secure Coding Practices.
12. Monitoring and Logging: API Monitoring: Setting up monitoring to track API usage and detect anomalies or potential security incidents. Logging Best Practices: Implementing logging best practices to ensure that API activities are properly recorded for audit and forensic analysis.
13. Integration with DevSecOps: CI/CD Pipelines.
14. Knowledge of Compliance and Regulatory Requirements: (O) Data Privacy Laws: Understanding relevant data privacy laws and regulations such as GDPR, CCPA, HIPAA, and their implications for API security. (O) Industry Standards: Familiarity with industry standards and frameworks like NIST, ISO 27001, and their application to API security.

Requirements:

• Experience as an information security architect in a financial company
• At least 3-5 years in Information Security roles
• Experience in leading Information Security projects from initiation to delivery, including RFI/RFP phases, SOW definition, plan, integration, and full delivery
• Experience with OS security, mainly Linux
• Experience with information security systems including Network firewalls, IDS/IPS, WAF, Multi-Factor Authentication platforms, VPN systems, Central anti-virus systems, etc.
• Experience with cloud infrastructure/cloud security (mainly AWS)
• Experience with open-source tools and platforms
• Excellent English (both speaking and writing)

Advantages:

• Required: CCNA, advantage: CISSP and/or CSSLP certification
• Experience with web & application security, familiar with OWASP frameworks, solutions and initiatives
• Experience with database security, mainly Oracle, MySql, and PostgreSQL
• Experience with security projects such as Static Code Analysis, DB Firewall, and CASB implementations
• Experience with offensive security and penetration testing tools