
Vulnerability Management Analyst
Posted 1 hour ago

This is a fully remote position, open to applicants in Florida and 8 other states.
• Carry out regular vulnerability scans of networks, servers, endpoints, cloud environments, and applications utilizing approved tools.
• Examine scan results to distinguish false positives, ascertain exploitability, and evaluate business and regulatory risks.
• Rank vulnerabilities based on CVSS scores, threat intelligence, asset criticality, and the risk impact on the financial institution.
• Monitor vulnerabilities through remediation, validation, and closure using ticketing or governance systems.
• Conduct re-scans to verify the effectiveness of remediation efforts.
• Ensure that vulnerability management practices are in line with the FFIEC Cybersecurity Assessment Tool (CAT), NCUA or banking regulatory guidance, the GLBA Safeguards Rule, and internal information security and risk management policies.
• Generate documentation, metrics, and evidence for internal audits, regulatory examinations, and third-party evaluations.
• Assist in risk acceptance decisions by documenting compensating controls and residual risks.
• Collaborate with IT infrastructure, application development, cloud, and network teams to resolve identified risks.
• Convert technical vulnerability findings into clear business risk terms for leadership and non-technical stakeholders.
• Offer advice on secure configurations, patching, and vulnerability mitigation strategies.
• Engage in security incident response activities when vulnerabilities are exploited or pose imminent risk.
• Keep track of emerging threats, zero-day vulnerabilities, and industry advisories pertinent to financial services.
• Contribute to the development of vulnerability management policies, standards, and procedures.
• Aid in the coordination of penetration testing and the analysis of results.
• Gather, organize, and maintain security control evidence and artifacts for monthly continuous monitoring deliverables and assessment/authorization activities, ensuring compliance with required frameworks.
• Ensure accurate system inventory and authorization boundary documentation to align scanning scope with approved system boundaries.
• Analyze scan results for false positives, document justifications, and prepare deviation requests with supporting risk assessments.
• Participate in change management processes to ensure that continuous monitoring activities are aligned with system changes and maintain compliance posture.
• Support and maintain enterprise vulnerability management tools (such as Tenable, Nessus, Burp Suite, Qualys, Rapid7, Wiz, Prisma, Microsoft Defender), ensuring they receive timely updates and patches.
• Execute regular and on-demand scans across operating systems, databases, web applications, and containers, then collaborate with technical teams to generate tickets for remediation.
• Monitor and document vendor dependencies, operational requirements, and open vulnerabilities, providing clear monthly reports and updates.
• Contribute to enhancing internal standards and processes, including the upkeep of documentation, training materials, and standard operating procedures.
• Oversee the daily operations of the vulnerability management program, closely collaborating with the patch management analyst to identify and address vulnerabilities, and actively participate in weekly vulnerability management team meetings.
• Adhere to all federal regulations relevant to your job responsibilities, including the Bank Secrecy Act (BSA).
• A Bachelor's degree in Information Security, Computer Science, Information Technology, or equivalent experience is required.
• A minimum of 3 years of professional experience in vulnerability management, security operations, or IT risk within a regulated environment is required.
• A GIAC certification (GSEC or GEVA) is preferred at the time of hire and must be obtained within 6 months of employment.
• Familiarity with financial industry regulations and frameworks (FFIEC, NCUA, GLBA, NIST) is required.
• Practical experience with vulnerability scanning tools, such as Tenable (Nessus, Tenable.io), Qualys, Rapid7, or similar platforms is required.
• A strong understanding of network, operating system, and application vulnerabilities, patch management processes, and secure configuration standards (CIS Benchmarks) is required.
• Comprehensive knowledge of vulnerability scanning technologies and methods, including scoring systems (CVSS, CMSS) and risk prioritization frameworks is required.
• Experience in delivering monthly or periodic vulnerability status reports and tracking remediation efforts with both internal and external teams is required.
• 25 days of paid time off and 10 paid holidays
• 16 hours of paid Volunteer Time Off
• 401K Retirement with up to 6% employer match
• Excellent Health, Dental, Vision insurance, including multiple plan options
• Health Savings Account with generous employer contributions
• Employer paid Life insurance, Short-Term and Long-Term Disability
• Tuition Reimbursement from $4,000 - $7,000 per calendar year
• Robust Learning and Development program that includes an annual professional development stipend