Senior Information Security Engineer
Engineering | San Francisco, CA | Full Time
The impact of chronic conditions on health care is immense: chronic diseases, including diabetes and heart disease, affect up to 1 in 3 individuals. Up to 1 in 4 people also struggle with mental health concerns. These chronic conditions drive 80% of the over $3 trillion we spend on healthcare in the US.
Vida Health is working to address this need. Our goal is to help people better manage their health by making positive changes to the way they live. Using our mobile-first platform, we connect people to programs backed by research and give them one-on-one support from personal health coaches or therapists. Clients meet with their coaches or therapists using secure in-app video chat and messaging. By collecting real-time data from the client and their devices, Vida is able to guide clients’ progress over time and help them make sustainable improvements to their health.
About the role:
As our Information Security Engineer, you will help keep Vida HIPAA-compliant and ensure the trusted and optimal operation of our production and corporate computing environments with a cloud-forward approach. This position will set up the tools and procedures for our team to monitor the security posture of the company for internal and external risks to our systems, networks, and data. As part of these efforts, you will be responsible for developing and implementing security solutions in concert with various Vida teams (Engineering, IT, HR, etc.). As we are a cloud-forward company, automation and monitoring are key: you will lead the design and development of secure automation practices in an agile framework to support compliance and security for Vida’s cloud infrastructure at scale, for both production and corporate security infrastructure and efforts. With this focus, you will be key in implementing and managing all of the daily and ongoing information security risk management efforts and programs for Vida, including incident response and security operations. This role is responsible for responding to security questionnaires, maintaining documented processes, and managing the security compliance of Vida’s third-party vendors. This role reports to our Enterprise Infrastructure Engineering Manager and is located in our San Francisco office.
- Help implement a capability-driven and highly automated approach to our security operations, monitoring & detection, incident response capabilities, and our overall information security risk management program efforts
- Facilitate and embed security controls into our continuous integration and delivery process efforts, baking security into the infrastructure
- Set up monitoring dashboards, alerts, log management, and other security operations capabilities by utilizing industry standard tools and platforms (open source or commercial technologies) with our currently deployed toolsets/platforms
- Ensure our currently deployed toolsets/platforms are deployed and configured optimally with our business needs and risk thresholds in mind
- Monitor for, provide analysis on, and take action on identifying and mitigating risk:
  - Current happenings in the information security space.
  - Findings from information technology and information security monitoring and detection toolsets.
  - Reports from assessments, to include external auditors and penetration testers.
  - Alerts and detections from our monitoring tools
- Conduct analysis on findings, pulling together indicators of compromise (IoCs), event timeline, and summary of situation with recommendations for mitigation and path forward.
- Present evidence and findings to leadership, customers, and possibly law enforcement and legal entities
- The deployment, secure configuration, and management of our monitoring and detection as well as other security toolsets.
- Documentation and best practices for the team's efforts
- Recommendations and best practices for securing our services, networks, and systems
- Assist in the coding/scripting of automation for information security monitoring and mitigation actions
- Solve problems relating to critical services and business processes that improve our security risk posture and business processes
- Fill out security questionnaires from Vida’s enterprise customers
- Develop and maintain Vida’s information security policies and procedures
- Manage annual pen tests and coordinate any remediations resulting from them with engineering
- Obtain HITRUST certification and keep it active, closing any gaps
- Drive Vida’s Security Committee meetings
- Help fix backend code related to security features or remediations
- Ability to monitor, evaluate, and interpret vulnerabilities/CVEs, vulnerability assessments, cloud platform/system/device/IDS/IPS logs, threat analysis, and malware.
- In-depth knowledge of how to administer and effectively manage UNIX-, Linux-, and/or BSD-based monitoring and detection systems that are based in AWS.
- Understand security concepts in AWS cloud and familiarity with available AWS security tools, such as Inspector, GuardDuty, Config, CloudTrail, etc.
- Familiar with log management and security analytics tools for GCP and AWS, including open source tools such as ELK (Elasticsearch, Logstash, & Kibana), Graylog, etc.
- Experience with integrating security in the continuous integration, continuous delivery, and continuous deployment (CI/CD) pipeline (running unit tests, running security tools, managing secrets using Vault) using configuration management and automation tools such as Travis-CI, Jenkins, Chef, Ansible, Puppet, etc.
- Experience with setting monitors and alarms using Datadog, New Relic or tools provided by GCP and AWS
- Experience with static analysis tools such as SonarQube
- Proficiency with using and securing popular cloud services (SaaS, IaaS, etc.).
- In-depth, practical knowledge of how legitimate users administer, use, and secure common operating systems and cloud platforms, and how malicious actors exploit them.
- In-depth knowledge of how legitimate users administer, use, and secure common consumer and enterprise network devices and systems, and how malicious actors exploit them.
- Thorough understanding of computer networking, routing, and protocols.
- Understanding of information security architecture, mitigation of threats, and compensating controls.
- Knowledge of vulnerability and patch management concepts and tools
- Experienced in scripting languages, such as Python, Perl, Ruby, Bash
- Experience with and proven methods for managing the information security incident lifecycle, including incident response, mitigation, after-action reporting, and mapping a path forward.
- Knowledgeable about and able to apply open-source and proprietary information within the industry.
- Excellent oral and written communications skills for working with a diverse professional clientele with varying levels of technical experience. Ability to interact with customers and co-workers both in person and in writing.
- Ability to research highly technical topics and derive logical conclusions using well thought out processes.
- Ability to combine information from various sources into clear, concise technical documents that explain the background and procedures for detecting and mitigating risks.
- Experience with enterprise risk management programs, including internal audits, consulting engagements, information technology reviews, audit, and compliance efforts.
- A willingness and desire to learn.
- Possess and nurture a hacker mentality: Being able to visualize issues and possible solutions outside the box.
- Must be a conscientious, punctual, professional and devoted member of our team; with the ability to safeguard sensitive, restricted, and other information deemed to have special handling and dissemination protocols.
- Highest level of ethics and core values.
- Experience with Regular Expressions (REGEX).
- Effective when working under pressure and good enough to make sure that rarely happens.
- Experience with both RDBMS (MySQL) and NoSQL (Cassandra, Couchbase, Mongo).
- Experience with and proven methods for analyzing and interpreting information from Security Operations Centers (SOCs), Computer Security Incident Response Teams (CSIRTs), or SecOps systems
- Familiarity with digital forensics procedures and tools, malware analysis, and reverse engineering.
- Ability to apply statistics and other mathematical methods to data analysis.
- Bachelor's degree, a combination of experience and/or an Associate's degree, or an equivalent combination of education and work experience. Degree must be from an accredited institution; a degree in a technical discipline or significant coursework in software development, information security, or information technology is preferred.
- Having or planning to have SANS certifications is a plus. Examples: GIAC Certified Incident Handler (GCIH), GIAC Certified Intrusion Analyst (GCIA), Certificate of Cloud Security Knowledge (CCSK) from the Cloud Security Alliance (CSA). The ability to articulate and demonstrate skills is as important as, or more important than, the certification.
- At least five (5) years in Information Technology and/or Information Security, including at least three (3) years doing information security risk management, including intrusion analysis, monitoring and detection, and threat/vulnerability analysis in a cloud forward business environment.
Benefits & Perks
Competitive compensation including stock options
A health-oriented office culture including walking 1:1s, healthy food & snacks, fitness challenges, and weekly team runs
Health, Vision, Dental Benefits
Flexible vacation time
FSA and Commuter benefits
401K (no company match at this time)
ABOUT VIDA HEALTH: Vida is a next generation continuous care platform for both consumers and businesses, combining a consumer mobile app and an enterprise care platform offering on-demand 24/7 solutions for chronic conditions. The Vida platform runs in the cloud, captures real-time data from 100+ devices and apps, and integrates back to the employer, payer, and provider. 133 million people in the U.S. live with a chronic condition, and 70% of the $3T healthcare spend in the U.S. goes to preventable chronic conditions.