Security Engineer

Role description:

Cyber Security Designs, Strategies, and Security Patterns, data security and compliance by implementing GCP, Azure security best practices, managing IAM roles and permissions, GCP, Azure environments by implementing robust security controls, encryption, and access management policies

Key responsibilities:

Each team that owns a security control has been responsible for creating the format they use to guide the consumers of that control

1. Engineering Guardrails that help security control users identify the strategic solution to meet their use case and map to the appropriate engineering pattern

a. Depending on the type of security control, the security control users would know the use case they need to meet, the technology they are using, and the environment it’s needed it.

i.      For example, the use case may be something like “as a production oracle database deployed in AWS that holds PII data, I need field level encryption for defined columns”. The guardrail would map field level encryption (control required) for production oracle databases (technology/platform) in AWS (environment/datacentre) to the specific engineering pattern that tells them how to meet that use case for oracle in AWS.

2. Engineering Patterns tell the security control users how to use the required control on the technology/platform they are using and for each environment/datacentre. Many of the engineering patterns will be the same regardless of the technology/platform or environment/datacentre. But when those variables do impact HOW a user onboards a given security control, patterns specific to their overall use case is required.

Each technology that is used to meet security use cases will have engineering patterns documented. Engineering patterns will be mapped to an engineering guardrail There will be an engineering pattern for each variation that is needed to meet known use cases. For example, if different steps are required to onboard the security control on different technologies, platforms, environments, or datacentres, unique patterns will be written for each known combination resulting in needing to follow different steps.

GSRA and AccSec Teams agree on prioritised list of Technologies that need to have Engineering Patterns generated Contractor will work with relevant Product Owner and Engineering Leads to identify each unique use case that requires an engineering pattern Contractor will work with feature team’s engineers to populate the engineering pattern for each unique use case Initial engineering patterns will go through user acceptance testing to ensure the intended audience is able to use the document as expected GSRA and AccSec Teams will work with contractor to ensure proper governance is achieved for each engineering pattern

The maintenance review cycle will be initiated from the date the document completed governance assurance.

Completed engineering pattern will be added to applicable engineering guardrail and published in the Group Security Reference Architecture

Key skills/knowledge/experience:

• Both the Engineering Guardrails and the Engineering Patterns are needed for most, if not all, CSO controlled security technologies.

• The Accelerated Security Workstream and Group Security Reference Architecture team will work with the contractor to prioritise the order the technologies are documented Developing Engineering Guardrail Template

• Developing Engineering Pattern Template User acceptance testing templates

• Test and learn of templates

• Upload finished templates to GSRA SharePoint