This job has expired

Application Security Engineer

Employer: New Visions for Public Schools
Location: New York, NY, US
Salary: Competitive
Summary

The mission of New Visions' Product unit is to support New Visions as a high performing organization by providing accurate and timely information related to New Visions' intended impact of disrupting poverty by creating and sustaining a network of high performing schools. We deliver accurate and accessible data reporting for New Visions' Affinity Network, Charter Management Organization, Talent Development Programs, New Visions' internal functions and the NYC Community Schools Initiative.

The Application Security Engineer (ASE) is responsible for developing, implementing, updating, communicating and managing the Information Security Program and Policies to ensure that adequate security controls are in place to protect the confidentiality, integrity, and availability of information systems. The ASE is further responsible for proactive planning, trend analysis and reporting related to risks and trends. The job entails leading efforts to secure code (including code reviews, project security reviews, and penetration testing support) and application scanning processes throughout the stages of the software development lifecycle while working collaboratively with cross-functional teams.

Essential Job Functions:

Security policies and programs
  • Ensure that the Security Program and Policies cover all sensitive data New Visions stores in any cloud environment, including AWS, Cloud SQL and Firebase, or additional services
  • Create and update user-facing documentation linked to New Visions tools in addition to internal SOPs
  • Review vendor-specific security criteria and ensure that New Visions meets all external security requirements, as well as remaining in compliance with state and federal law
  • Identify and assess the impact of exceptions between the implemented level of security tolerances and organization Information Security programs and policies, with a focus on availability, integrity and confidentiality of information processed.

Cross-team deployment & compliance
  • Perform design reviews and risk assessments for new applications integrating with core services
  • Write software to detect, remediate, and enforce security standards in AWS
  • Guide product engineering teams to adopt security standards directly in our software and development lifecycle, ensuring that information security is adequately addressed in the development stage of any new business line technology
  • Perform analysis of log files and data outputs and perform triage of incoming issues using a ticketing & tracking system.
  • Design and develop systems that monitor system security and provide management reports to protect and ensure the safety of the organization's information assets
  • Provide tuning recommendations of security tools based on the analysis of empirical data
  • Produce and review daily and weekly metrics for security events
  • Interact and liaise with internal and external auditors and organization examiners regarding the organization's Information Security Programs, including the procurement of information security related documents and reports
  • Make information security risk-based prioritization decisions, analyzing business risk, and proffering complex business/risk trade-off recommendations and decisions
  • Maintain connections in the broader world of education data security, and be aware of current events regarding security and education data

Auditing and Testing
  • Conduct information security risk assessments/reviews for presentation to senior leadership
  • Create a schedule of external security audits and penetration testing and identify external vendors to conduct testing
  • Manage relationships and provide guidance to external vendors during organizational security testing and audits
  • Evaluate effectiveness of security tools and testing methods including but not limited to FERPA controls related to information security, Data Loss Prevention, DAST, SAST
  • Ensure that machine and process logs are accessible and usable

User management
  • Verify that information security controls around user access, change management, systems' access and utilization are working as intended through the use of daily monitoring tools and provide reports to management
  • Support the audit process of user access to New Visions products and systems containing PII

Required Education and Experience:
  • 4-6 years of experience in information security, information technology, or related field, with specific experience in administering an information security program
  • Relevant education and certifications of Information Security Management and substantial knowledge of Information Security Standards and regulations required
  • Experience with GAFE or AWS required, including networking concepts in cloud environments
  • Experience with various RDBMS systems, NoSQL systems and APIs
  • Proven track record of results in Information Security, preferably complemented with IT Risk Management and IT Audit. Operational Security experience also a plus
  • Experience with penetration testing and tools a plus.
  • Experience testing single-page JavaScript web applications
  • Security+ Certification

Required Knowledge and Skills:
  • AWS Services including EC2, VPC, S3, Glacier, EFS, EKS, Kinesis, Lambda, RDS, DynamoDB, Redshift
  • AWS security implementations using IAM, KMS, Trusted Advisor, Security Groups, NACL
  • Administration of Windows and Unix/Linux, with strong software design and implementation know-how, strong familiarity with web protocols, and a thorough grounding in application security and infrastructure security
  • Result-orientation: Identifying issues, and predisposition for action to drive the remediation of the issues
  • Willingness to learn new technologies and practices
  • Exceptional analytical skills and proven track record for being able to troubleshoot and prioritize needs
  • Excellent understanding of Vulnerability scanning technology, including host, network and web based technologies
  • Incident response, intrusion analysis and proactive defense methodology

Preferred Knowledge and Skills:
  • Experience with Identity Management processes including OAuth2
  • Knowledge of Node.js/JavaScript development
  • Knowledge of JavaScript, TypeScript, Google Apps Script, Python
  • Working knowledge of, and experience in, the policy and regulatory environment of information security
  • Penetration Testing, GIAC Critical Controls Certification, GIAC Penetration Tester, AWS Certified Solutions Architect.
  • One or more of the following certifications: Certified Ethical Hacker, GIAC Intrusion Analyst, GIAC Web Application Defender, GIAC Web App
  • Experience with authoring, implementing, and managing standardized compliance programs (SOC II, ISO-27001, etc.) using governance frameworks (NIST 800-53, CIS, COBIT, etc.)
  • Experience with FERPA or other Government Privacy standards.
  • Knowledge of DevOps processes and CI/CD pipelines throughout their life cycles

Disclaimer:

The statements herein are intended to describe the general nature and level of work being performed by the employee in this position. These statements are not intended to be construed as an exhaustive list of all responsibilities, duties, and skills required of a person in this position.

Who We Are

At New Visions for Public Schools, we work to make great public schools common in New York City. We believe that all of New York City's students deserve public schools that make successful futures possible, especially Black, Latinx, and low-income students who have historically had inequitable access to a great public education. Since 1989, New Visions has been a driving force behind some of the most significant reforms to public education in New York City. Today, our diverse team of professionals develops and scales innovative tools and approaches that help educators address common challenges. Learn more about New Visions HERE.

We operate ten public charter schools in the Bronx, Brooklyn, and Queens and, as a trusted partner of the NYC DOE, we help 1,050 public district schools plan for the success of over 600,000 students citywide. In 2019-20, graduation rates in our Charter and Affinity networks were 94.9% and 86.9% and our college readiness rates were 56.9% and 61.6%.

Equal Employment Opportunity Statement

New Visions for Public Schools is an equal opportunity employer. It is the policy of New Visions that all employees and applicants for employment will be treated in all respects on the basis of their merit and qualifications and without regard to their race, color, national origin, age, disability, sexual orientation, religion, gender, military status, marital status, ancestry, or any other reason prohibited by law.

New Visions believes that our teams should reflect the diverse communities we serve and that our culture and internal structures should be inclusive and equitable for all employees. We also recognize that perspectives from communities that have been historically marginalized are critical to the work we do. Hence, we strongly encourage applications from individuals living in the communities that we serve or who are members of historically marginalized communities.

New Visions provides a comprehensive and competitive compensation and benefits package in addition to the opportunity to make a significant impact on education reform and in the lives of urban youth.