Job Description
Description
Job Title: Cybersecurity Analyst Levels 1-7, Critical Assets and Incident Response
Salary Range: Level 1: $82,857 - $105,000
Level 2: $87,685 - $115,500
Level 3: $95,929 - $127,050
Level 4: $102,760 - $139,755
Level 5: $114,537 - $153,731
Level 6: $124,311 - $169,104
Level 7: $140,917 - $186,014
POINTS:
Level 1 - 282
Level 2 - 323
Level 3 - 393
Level 4 - 451
Level 5 – 551
Level 6 – 634
Level 7 – 775
DEPT/DIV: MTA Information Technology/ Office of IT Cyber Security Services
SUPERVISOR: Cybersecurity Officer - Threat, Intelligence & Forensics
LOCATION: 2 Broadway, New York, NY 10004
HOURS OF WORK: 9:00am-530pm (7.5 hours/day) or as required
This position is eligible for telework. New Hires are eligible to apply 30 days after their effective date of hire.
Summary:
The purpose of this position is to provide critical technical expertise in managing and analyzing cybersecurity critical assets and incident response functions. The Cybersecurity Analyst will be responsible for all steps of the Incident Response lifecycle including preparation, detection, containment, eradication, recovery, and lessons learned. This position also interfaces with the technologies, people, and processes which serve critical operational & public-facing services. This position is a Tier 3 SOC position and as such will include on-call responsibilities commensurate with Cybersecurity Incident Response functions. The cybersecurity analyst will need to recognize the unique challenges associated with securing business-critical technologies and recommending solutions for a highly complex and diverse 24/7 environment.
Responsibilities:
Incident Response for a variety of systems including Windows, Linux, MAC, and custom operating systems.
Responds to computer security incidents according to the computer security incident response policy and procedures
Incident response functions include mitigating actions to contain activity and facilitating forensics analysis when necessary while minimizing operational impact
Validates and maintains incident response plans and processes to address potential threats
Performs root-cause analysis to document findings, and participate in root-cause elimination activities as required
Communicates investigation findings to relevant business units to help improve the information security posture
Identifies the tactics, techniques, and procedures (TTPs) of potential threats through the MITRE ATT&CK or similar frameworks
Interface with Third Party Risk Management group where appropriate
Provide forensics support and support Chain of Custody requirements
Distinguish and prioritize escalations as false-positives or true-positives
Researching emerging threats and vulnerabilities to aid in the identification of network incidents, and supports the creation of new architecture, policies, standards, and guidance to address them
Reviews alerts and data from sensors and documents formal, technical incident reports
Provides timely and relevant updates to appropriate stakeholders and decision makers including technical and executive reports
Compiles and analyzes data for management reporting and metrics
Analyzes potential impact of new threats and communicates risks back to detection engineering functions
Uses judgment to form conclusions that may challenge conventional wisdom
Hypothesizes new threats and indicators of compromise
Monitors threat intelligence feeds to identify a range of threats, including indicators of compromise and advanced persistent threats (APTs)
Participate in the creation of enterprise security documents (policies, standards, baselines, guidelines, and procedures) under the direction of the IT Security Manager, where appropriate.
The role will provide a proactive approach to cybersecurity while also performing investigation of security incidents related to MTA operations related to Cyber Security.
Responsibilities:
Level 1
Properly assess scope, urgency, and impact of incidents
Collaborates with end users including security incident ingestions and recovery efforts
Assist with building up critical asset inventory / cyber risk portfolio
Coordinates with other IT and ICS/SCADA stakeholders for incident validation & response
Provide digital forensics support and guidance
Reviews incident escalations from Tier 1 & Tier 2 SOC and provides feedback upon incident completion
Performs Incident Response functions and collaborates closely with senior incident response members
Disseminates incident reports in alignment with MITRE ATT&CK framework
Reviews sandbox reports for heuristic information pertaining to the bottom of the “Pyramid of Pain”
Creates technical & executive incident reports
Serve as part of the 24/7 on-call schedule for Incident Response
Travel as needed to any MTA location across the Tristate area
Maintain current Incident Response contact information
Assist in other ad-hoc functions as required
Performs basic analysis while following established procedures to ensure security of systems, contractor, and/or process
Performs basic troubleshooting and escalates issues as appropriate to ensure effective resolution of security baseline deviations and risks
Level 2
Same as Level 1 with the following additional responsibilities:
Ability to properly baseline and respond to operational technology anomalies
Provide input into the creation and maintenance of Incident Response policies and procedures
Read sandbox reports for heuristic information throughout the entire “Pyramid of Pain”
Understand and decipher obfuscated code and PowerShell arguments
Provide SOAR input as they pertain to Incident Response functions
Provide incident response support for Critical incidents
Perform internal confidential investigations
E-discovery searches
Provides routine analysis on assigned technologies, following established procedures to ensure safety and security of systems, vendor performance, or processes.
Reviews and correlates system logs to identify potential cybersecurity and technical issues.
Level 3
Same as Level 2 with the following additional responsibilities:
Ability to perform basic malware static analysis
Participation in cybersecurity tabletop exercises
Perform internal & external confidential investigations
Recommend countermeasures for validated security incidents to prevent recurrence
Participate in the evaluation of new products and technologies, under the direction and guidance of senior colleagues, relevant to Incident Response to enhance cybersecurity posture and reduce risk to the MTA while achieving objectives
Provides proactive monitoring and analysis for a domain of the cybersecurity to ensure systems security baseline targets are met.
Implements changes to one or more cybersecurity related domain technologies, executing tests and reporting on security baselines, violations/anomalies, to meet requested needs.
Troubleshoot and investigate cybersecurity incidents and issues by analyzing a chain of events and applying technical knowledge following established procedures and standards to resolve immediate customer needs.
Maintains and updates existing documentation and standard operating procedures to ensure accurate and timely information is available for assigned systems.
Works with more experienced colleagues and other IT technical resources to improve coordination of cybersecurity requirements and analyze issues as they arise
Participate in the evaluation of new products and technologies, under the direction and guidance of senior colleagues, relevant to assigned cybersecurity area to enhance cybersecurity posture and reduce risk to the MTA while achieving objectives.
Level 4
Same as Level 3 with the following additional responsibilities:
Ensures Incident Response playbooks are current with all federal mandates, guidelines, and best practices
Provides incident report briefings to senior IT leadership
Recommends solutions to secure obsolete systems
Maintain Incident Response metrics and provide recommendations to lower SLAs
Analyzes the current state of the infrastructure and identifies opportunities for improvement to ensure systems meet business needs. Contributes to changes to established roadmaps, documents them effectively and executes the implementation of changes in their area(s) of responsibility
Executes to the defined product lifecycle, manages the product lifecycle for a component of the infrastructure, proposes changes for implementation, gathers data and analyzes capacity and performance to assure operational availability.
Analyzes the current state of the infrastructure and identifies opportunities for improvement to ensure systems meet business needs. Contributes to changes to established roadmaps, documents them effectively and executes the implementation of changes in their area(s) of responsibility.
Provides ongoing support and troubleshooting for installed technical solutions by analyzing a chain of events and applying technical knowledge, following established procedures and standards to resolve immediate customer needs.
Investigates, evaluates, and tests new products and technologies relevant to assigned infrastructure subsets to enhance cybersecurity analytics and overall security posture. Implements and/or supports the implementation of new technologies for their area of the cybersecurity that affects infrastructure, applications and/or processes.
Promotes security standards and supports efforts to expand and migrate to future security architecture to improve security and share learning.
Level 5
Same as Level 4 with the following additional responsibilities:
Provides technical leadership in all phases of Incident Response lifecycle
Liaisons with federal partners for Incident Response efforts
Adds new components to a roadmap, documents them effectively, and directs the testing and implementation of changes.
When provided with an objective to improve security in Incident Response, develops and implements action plans needed to effect the change.
Research new technologies/products and their impact on the infrastructure, prepares a preliminary evaluation of technologies/products and associated costs, and develops and presents recommendations to support anticipated future business needs.
Receives security and performance data and analyzes the baselines and efficacy of installed technologies. Proposes and implements any required changes, including identifying and planning for any resulting impacts on other technologies to optimize system availability and continuity.
Provides ongoing support and troubleshooting for incidents, correlations and reporting to more junior analysts & incident responders to resolve immediate security threats and/or customer needs.
Arbitration subject matter expert
Provides technical leadership to project teams in their area of expertise and/or leads teams to complete projects specific to their area(s) of expertise to maximize and share learning.
Provides guidance and technical coaching to less experienced staff to support effective workflow and develop technical talent.
Level 6
Same as Level 5 with the following additional responsibilities:
Provides Incident Report briefings to C-level leadership
Serves as a technical resource for multiple components of the security architecture, risk analysis, and analytics to help define the problems and identify remediation strategies for them.
Troubleshoots and analyzes most problems within assigned area(s), providing cybersecurity correlation, expertise, and resolution that may be complicated by technology interdependency and challenging security issues
Participates in planning for the future technical architecture, providing insight into the future of their area of technology in order to continually improve effectiveness and efficiency.
Participates in or leads the development of roadmaps related to their area(s) of expertise to manage and meet identified technology needs.
Participates in the evaluation of new technologies relative to their domain(s) to determine applicability to and best meet the needs of MTA and constituent agencies.
Specifies the monitoring points to assess performance of technologies in their domain(s). Recommends the necessary actions to ensure optimal performance and reliability.
Develops disaster recovery and contingency plans for their domain(s) to provide users with minimal interruptions in service.
Provides technical leadership to project teams in Critical Assets and Incident Response to promote technical understanding and talent development and/or leads teams to complete projects when a project manager has not been assigned.
Contributes to the technical elements of RFPs and RFIs and negotiates with vendors on technical issues to ensure results are delivered in line with user and organization requirements.
Interacts with major providers at the technical expert level to address mission critical issues, evaluates ongoing vendor service level and enforces SLAs and penalties.
Level 7
Same as Level 6 with the following additional responsibilities:
Serve as Incident Commander for critical incidents / crisis response
Third-party risk management for critical systems
Acts as a technical resource for multiple technologies, with vast knowledge of the capabilities and constraints of technologies supported to continually improve system effectiveness and efficiency.
Demonstrates a strong understanding of the current and future technology architecture, including the inter-operability of technologies to effectively integrate MTA systems and support the long-term strategies of the business.
Provides expert level guidance and training to the IT community to maximize and share learning.
Analyzes cross-technology/platform issues and addresses problems factoring in an understanding of the current and future architectures to ensure optimal performance and reliability across systems.
Leads the evaluation of new technologies relative to their domain(s) to determine applicability to and best meet the needs of MTA and constituent agencies. Proposes technology investments supported by a thorough technical analysis and business case.
Develops disaster recovery and contingency plans for their domain(s) to provide users with minimal interruptions in service.
Creates complete RFPs and RFIs and negotiates contract terms and conditions with vendors and procurement in consideration of the needs of the business.
Interacts with major providers at the technical expert level to address mission critical issues, evaluates ongoing vendor service level and enforces SLAs and penalties.
Establishes systems to monitor compliance with architectural standards and to ensure technical integrity.
Education and Experience:
Level 1
Associate degree in Computer Science or related fields. An equivalent combination of education and experience may be considered in lieu of a degree.
SOC (Tier 1 or 2) experience
Basic knowledge and familiarity with monitoring, installing, maintaining and/or troubleshooting cybersecurity related issues associated with applications and/or infrastructure systems
Understanding of TCP/IP (OSI Layers 1– 4) and Internet and Intranet technologies required (OSI Layers 5-7) required.
Understanding of Operating Systems
Scripting or programming skills (PERL, Python, PowerShell, etc.) preferred as needed
Level 2
Associate degree in Computer Science or related fields. An equivalent combination of education and experience may be considered in lieu of a degree and 2+ years of relevant experience, or a bachelor’s degree in Computer Science or related fields.
Experience as part of an Incident Response team
Basic knowledge and familiarity with installing, maintaining and troubleshooting technology systems.
Proven ability to troubleshoot and support technical issues.
Proven ability to analyze a security risk assessment
Understanding of Operating Systems
Understanding of TCP/IP (OSI Layers 1– 4) and Internet and Intranet technologies required (OSI Layers 5-7) required.
Scripting or programming skills (PERL, Python, PowerShell, etc.) preferred as needed.
6 months of experience in a specific (Cloud, Applications, Infrastructure, Security Technology, etc.) cybersecurity domain is preferred.
Level 3
Bachelor’s degree in computer science or related fields. An equivalent combination of education and experience may be considered in lieu of a degree.
Experience as an Incident Response team member for a 24/7 organization
CISSP or other advanced security-related certification preferred but not required.
Certifications in technology subdomains preferred but not required (ie. Cloud, Applications, Infrastructure, Security Technology, etc.)
2+ years of relevant experience.
Requires prior experience with installing, maintaining and troubleshooting technology systems.
Proven ability to troubleshoot and support technical issues using standardized procedures.
Proven ability to analyze a security risk assessment or conduct one with guidance
Understanding of Operating Systems and Hardware
Understanding of TCP/IP (OSI Layers 1– 4) and Internet and Intranet technologies required (OSI Layers 5-7) required.
Scripting or programming skills (PERL, Python, PowerShell, etc.) preferred as needed.
1 year of experience in a specific (Cloud, Applications, Infrastructure, Security Technology, etc.) cybersecurity subdomain is preferred.
Level 4
Bachelor’s degree in computer science or related fields. An equivalent combination of education and experience may be considered in lieu of a degree.
Experience as part of an Incident Response team for a large global / utilities / critical infrastructure organization
3+ years of relevant experience or 18 months of experience in a specific cybersecurity subdomain (Cloud, Applications, Infrastructure, Security Technology, etc.).
Current CISSP or other advanced security-related certification preferred but not required.
Certifications in technology subdomains preferred but not required (ie. Cloud, Applications, Infrastructure, Security Technology, etc.)
Proven ability to independently evaluate and resolve most problems within an area of infrastructure, applications within a security domain context.
Proven ability to analyze and/or conduct a security risk assessment
Understanding of Operating Systems and Hardware
Advanced understanding of TCP/IP (OSI Layers 1– 4) and Internet and Intranet technologies required (OSI Layers 5-7) required.
Scripting or programming skills (PERL, Python, PowerShell, etc.)
Level 5
Bachelor’s degree in computer science or related fields. An equivalent combination of education and experience may be considered in lieu of a degree.
5+ years of relevant experience or 2.5 years of experience in a specific cybersecurity subdomain (Cloud, Applications, Infrastructure, Security Technology, etc.)
Current CISSP or other advanced security-related certification preferred.
Certifications in technology subdomains preferred but not required (ie. Cloud, Applications, Infrastructure, Security Technology, etc.).
Experience as a Senior Incident Response analyst
Progressive cybersecurity related accomplishments
Requires broad technical knowledge of multiple technologies, or an in-depth knowledge of one technology including its impact on other technologies.
Proven ability to analyze and/or conduct a security risk assessment
Understanding of Operating Systems and Hardware
Advanced understanding of TCP/IP (OSI Layers 1– 4) and Internet and Intranet technologies required (OSI Layers 5-7) required.
Scripting or programming skills (PERL, Python, PowerShell, etc.) as needed.
Level 6
Bachelor’s degree in computer science or related fields. An equivalent combination of education and experience may be considered in lieu of a degree.
Experience as an Incident Response Lead
8+ years of relevant experience or 4 years of experience in a specific cybersecurity subdomain (Cloud, Applications, Infrastructure, Security Technology, etc.).
CISSP or other advanced security-related certification preferred
Certifications in technology subdomains preferred (ie. Cloud, Applications, Infrastructure, Security Technology, etc.).
Verifiable implementation of security domain controls for enterprise technologies
Requires seasoned expertise in multiple technologies and strong understanding of the current and future technology architecture, including the inter-operability of technologies.
Advanced ability to conduct and analyze a security risk assessment
Understanding of Operating Systems and Hardware
Expert understanding of TCP/IP (OSI Layers 1– 4) and Internet and Intranet technologies required (OSI Layers 5-7) required.
Some scripting or programming skills (PERL, Python, PowerShell, etc.) as needed.
Level 7
Bachelor’s degree in computer science or related fields. An equivalent combination of education and experience may be considered in lieu of a degree.
Experience as an Incident Commander for a large & complex organization
10+ years of relevant technology based or cybersecurity experience or 5 years of experience in a specific cybersecurity subdomain (Cloud, Applications, Infrastructure, Security Technology, etc.).
CISSP and other advanced security-related certification preferred.
Certifications in technology subdomains preferred (ie. Cloud, Applications, Infrastructure, Security Technology, etc.).
Significant practical expertise in cybersecurity related disciplines.
Requires seasoned expertise in multiple security domains, technologies and strong understanding of the current and future technology and security architecture, including the inter-operability of security solutions and technologies.
Requires proven track record of successful implementation of architectural designs.
Expert ability to conduct and analyze a security risk assessment
Advanced understanding of Operating Systems and Hardware
Expert understanding of TCP/IP (OSI Layers 1– 4) and Internet and Intranet technologies required (OSI Layers 5-7) required.
Some scripting or programming skills (PERL, Python, PowerShell, etc.) as needed
Other Information
Please be advised that pursuant to MTA Code of Ethics and New York State Ethics Law, you have been designated as a policy maker. Therefore, you will be required to file an annual financial disclosure statement with the Commission on Ethics and Lobbying in Government. The Commission will notify you of this filing requirement via your work email. Upon receipt of notification from the Commission you will have 30 days to complete your financial disclosure statement.
Equal Employment Opportunity
MTA and its subsidiary and affiliated agencies are Equal Opportunity Employers, including with respect to veteran status and individuals with disabilities.
The MTA encourages qualified applicants from diverse backgrounds, experiences, and abilities, including military service members, to apply.