Orthofix

Security Engineer

Orthofix Lewisville, TX

Why Orthofix?

We are a leading global spine and orthopedics company with a premier portfolio of biologics, innovative spinal hardware, bone growth therapies, specialized orthopedic solutions and a leading surgical navigation system. Our combined company is over 1,600 strong, with products distributed in 68 countries worldwide and a global R&D, commercial and manufacturing footprint, and this is just the beginning!

Come join our global team of dedicated professionals who through their extraordinary efforts demonstrate every day their commitment to our mission of improving the lives of patients. At SeaSpine and Orthofix our culture is built around Integrity and the core beliefs we live by: Exceed Expectations, Work Together, Be Respectful, Get Lean and Have Fun!

How you'll make a difference?

This position has the primary responsibility for implementing strategic initiatives involving information technology (IT) security capabilities and technical controls globally. As directed, this position participates in the design, development, and delivery of those security capabilities within the IT department, as well as facilitating or advising on controls for the business units when needed. The responsibilities also include assisting in the development of technical standards, standard operating procedures, and other related governance pertinent to IT operations. This position works closely with IT operations staff (US and International) and may also interact with Finance, Operations, Sales, Compliance, Legal, Quality Assurance, Human Resources, and other areas to ensure that company information assets are protected as required by regulatory compliance at all levels: federal, state, and corporate.

The Security Engineer must have strong expertise and experience in implementing and managing the Technical Security Safeguards required by HIPAA/HITECH, PCI-DSS and the Sarbanes-Oxley Act, as well as responsibility for and oversight of securing configurations on operating environments, including networks, routers/firewalls, workstations, and mobile devices. Duties will include collaboration with DBAs and web programmers on data encryption and secure programming strategies.

This position primarily supports strategic initiatives involving information technology (IT) security controls. This position designs, develops, and delivers security controls across the IT systems as directed. The responsibility also includes facilitating and executing the enforcement and administration of the IT Security program’s monitoring and governance efforts related to security events and support for remote and network access systems for the Orthofix office locations.

The IT Security Engineer is responsible for monitoring security systems to detect potential attacks as they occur and validating controls in business systems. This includes providing a full analysis of previous malicious attacks, using multiple infrastructure and security systems to look for suspicious or anomalous activities, and adhering to the global Orthofix incident response plan to help in the response activities.

Strong expertise and experience in implementing and managing the Technical Security Safeguards implemented by Orthofix IT Security standards are required, as well as responsibility for oversight for securing configurations on operating environments, including networks, routers/firewalls, workstations, and mobile devices.

What will your duties and responsibilities be?

The following are the essential functions of this position. This position may be responsible for performing additional duties and tasks as needed and assigned.

  • Facilitate and execute the enforcement and administration of the Global IT Security Program’s monitoring and governance efforts.
  • Perform daily operational real-time monitoring and analysis of security events, particularly suspicious/malicious activities, from multiple sources and identify unauthorized activities.
  • Provide security-related on-call emergency support as defined by standard operating procedures. Participate as a Security Incident Response Team member and conduct and steward investigation activities. Work closely with other IT groups while conducting investigations.
  • Review threat information, keep up to date with the latest threats, and gain an understanding of common vulnerabilities and cyber-attack techniques.
  • Act as project lead for small projects or as a technical contributor to larger projects.
  • Manage the vulnerability management process.
  • Secure the configurations on operating environments, including networks, routers/firewalls, workstations, and mobile devices.
  • Support internal and external penetration exercises, including remediation and improvement of security operations and incident response.
  • Defend systems against unauthorized access and malicious activities.
  • Recommend configurations and support security tools such as firewalls, anti-virus software, patch management systems, etc.
  • Perform vulnerability detection, risk analyses, and security assessments.
  • Identify anomalies and abnormalities and report violations.
  • Respond immediately to security incidents and provide post-incident analysis.
  • Train company staff in security matters as needed, from end user to leadership position.
  • Provide effective communication to business leaders and end users as needed.
  • Participate in any information security-related activity as directed.
  • Maintain and update CASB policies.
  • Develop and maintain a baseline for operating systems, applications, and network equipment.
  • Maintain and update WAF policies.
  • Monitor external security posture and design mitigation plans in collaboration with stakeholders.
  • Collaborate with team members to learn and assist with the Application Development and Embedded Devices security program.
  • Identify gaps in coverage and update policies and controls as technology evolves.
  • Audit patching compliance and present metrics to reflect the current state.
  • Interact with the Infrastructure team on all servers, network equipment, security posture, and applications.
  • Work with InfoSec Team Members to create periodic newsletters for Cybersecurity awareness to all users based on ongoing risks observed.
  • Perform Security Vendor Reviews as part of the Vendor Assessment Program.
  • Maintain and update the Data Loss Prevention Program.
  • Maintain and update the email gateway policies based on ongoing threats.
  • Audit firewall policies and work with the infrastructure team to enhance protection.


What skills and experience will you need?

The requirements listed below are representative of the education, knowledge, skill and/or ability required for this position.

  • 5 years of IT security administration with networked systems in a medium or large business environment.
  • 5 years of hands-on experience in configuring and managing servers, networks including firewalls, routers, client machines, and mobile devices.
  • Fluency in English, written and spoken.
  • Professional certification in IT security management is desirable.
  • Hands-on knowledge of Infrastructure components.
  • Security-related certificates from one of the following vendors are highly desired:
      • ISC2
      • CompTIA
      • ISACA
      • EC-Council
      • GIAC
      • Cloud Security Alliance
      • OffSec
      • Cisco
  • Experience in mitigating risks and adverse events on web-facing applications, servers, client machines, and mobile devices.
  • Experience remediating audit issues, including developing compensating controls.
  • Strong knowledge of the NIST Cyber Security framework, particularly the vulnerability management process.
  • Experience in designing and implementing technical security safeguards.
  • Experience in developing policy-based safeguards around the use of technology and infrastructure.
  • Hands-on knowledge of the following:
      • Data Loss Prevention tools
      • Web Application Firewalls
      • SIEM tools
      • Email gateways, preferably Mimecast
      • Rapid7 tools (preferred)
  • Solid understanding of mail flow
  • Advanced problem-solving skills.
  • Excellent verbal and written communication skills.
  • Adaptability for learning new business concepts within new environments and staff situations.


Supervisory Responsibilities

  • Close collaboration with all IT Managers and their staff is required.


What qualifications are preferred?

The education, knowledge, skills and/or abilities listed below are preferred qualifications in addition to the minimum qualifications stated above.

Education/Certifications

  • N/A


Additional Experience, Skills, Knowledge And/or Abilities

  • N/A


Physical Requirements / Adverse Working Conditions

The physical requirements listed in this section include but are not limited to the motor/physical abilities, skills, and/or demands required of the position in order to successfully undertake the essential duties and responsibilities of this position. In accordance with the Americans with Disabilities Act (ADA), reasonable accommodations may be made to allow qualified individuals with a disability to perform the essential functions and responsibilities of the position.

  • Regularly required to sit for extended periods of time; frequently required to stand, walk, and use business equipment on a daily basis, such as PC, copier, fax, telephone, etc.; occasionally required to reach overhead, bend, and lift objects up to 20 lbs.
  • Eyesight and hearing must be correctable to standard level.


DISCLAIMER

The duties listed above are intended only as a representation of the essential functions of this position. The omission of specific statements of duties does not exclude them from the position if the work is similar, related, or a logical assignment to the position. The job description does not constitute an employment agreement between the employer and employee and is subject to change at the sole discretion of the employer. Nothing in this document alters an employee’s at-will employment status.

We are committed to providing equal employment opportunities to all employees and applicants without regard to race (including traits historically associated with race, such as hair texture and protective hairstyles, including braids, locks, and twists), ethnicity, religion, religious creed (including religious dress and grooming practices), color, caste, sex (including childbirth, breast feeding, and related medical conditions), gender, gender identity or expression, sexual orientation, national origin, ancestry, citizenship status, uniform service member and veteran status, marital status, pregnancy, age (40 and over), protected medical condition (including cancer and genetic conditions), genetic information, disability (mental and physical), reproductive health decision-making, medical leave or other types of protected leave (requesting or approved for leave under the Family and Medical Leave Act or the California Family Rights Act), domestic violence victim status, political affiliation, or any other protected status in accordance with all applicable federal, state, and local laws.

This policy extends to all aspects of our employment practices including, but not limited to, recruiting, hiring, discipline, termination, promotions, transfers, compensation, benefits, training, leaves of absence, and other terms and conditions of employment.

  • Seniority level: Mid-Senior level
  • Employment type: Full-time
  • Job function: Information Technology
  • Industries: Medical Equipment Manufacturing
