Senior Security Engineer (Systems Certification and Accreditation) – Marriott International HQ – USA


Job Number 20032970
Job Category Information Technology
Location Marriott International HQ, 10400 Fernwood Road, Bethesda, Maryland, United States
Brand Corporate
Schedule Full-time
Relocation? No
Position Type Management

Start Your Journey With Us
Marriott International is the world’s largest hotel company, with more brands,
more hotels and more opportunities for associates to grow and succeed. We
believe a great career is a journey of discovery and exploration. So, we ask,
where will your journey take you?


Advises and assists Information System Owners with vulnerability remediation
and secure implementation of the full technology stack (e.g. application,
middleware, database, servers, etc.). Analyzes system security plans and
certification and accreditation (C&A) documentation to determine system
fitness for operation. Works closely with vulnerability management, risk
management, application security and security architecture to accredit and
authorize systems for operational release. Implements and reviews standards,
policies and procedures to enhance security certification and accreditation
processes. Performs certification activities on an as-needed basis, which may
include code reviews, configuration audits, application security assessments,
vulnerability assessments and security control assurance validation. This
position requires a candidate with broad knowledge of network security,
application security and risk management. The candidate will lead setting the
strategy for the configuration, deployment and management of vulnerability
management solutions.


Education and Experience


Undergraduate degree in Cyber Security, Computer Science or a related field, or equivalent experience/certification.
7+ years of experience in Information Security, with at least 3 years of:
Performing risk assessments and analysis within Information Technology.
Performing quality assurance, basic software development and software project management.
2+ years’ experience in:
Applying qualitative risk management concepts.
Use of at least one general-purpose scripting language (e.g. Python, Perl, PHP, VB Script, PowerShell).
Application of general application security concepts (e.g. OWASP Top 10, MITRE CWE & CAPEC).
1+ years’ experience with:
Common web technologies (e.g. Docker, Kubernetes, Kafka, WAS, Tomcat, JBoss).
Web application security technologies and principles (e.g. network segmentation, multi-tier architectures, microservice architecture, transport encryption, tunneling, SAML, OAuth/OIDC, web application firewalls).
All phases of Certification and Accreditation.


Graduate degree in Cyber Security, Computer Science or a related field.
Current information security certification, such as: Offensive Security Certified Professional (OSCP), GIAC Penetration Tester (GPEN), GIAC Enterprise Vulnerability Assessor (GEVA), Certified Secure Software Lifecycle Professional (CSSLP).
Strong knowledge of vulnerability remediation methods beyond patching (secure configuration, attack surface reduction, secure code implementation, zero trust networking concepts).
Demonstrated leadership experience in a sourced environment.
Demonstrated ability to work independently and with others.
Demonstrated ability to work in high-velocity and complex environments.
Experience with setting the strategy for the configuration, deployment and management of vulnerability management solutions (e.g. Nessus Professional, Tenable Security Center and
Current cloud security certification, including AWS Certified Security – Specialty, GCP Professional Cloud Security Engineer.
Proficient in quantitative risk management concepts.
Experience with performing SAST/DAST and penetration tests.
Experience with Fortify SCA/SSC.
5+ years of experience in infrastructure engineering (building, patching and managing RHEL systems at scale).
Proficient in at least one general-purpose systems language (e.g. Java, C/C++, Golang, C#, Objective-C).


Lead setting the strategy for the configuration, deployment and management of vulnerability management solutions (e.g. Nessus Professional, Tenable Security Center and
Perform comprehensive assessments of the management, operational and technical security controls in an information system to determine the extent to which the controls are implemented correctly and producing the desired outcome relative to the security requirements.
Initiate and/or evaluate vulnerability scans against application source code and infrastructure as needed to certify and accredit systems.
Manage third-party security service provider resources or services that contribute to system certification assessments.
Analyze system architectures and designs to identify deficiencies in security control implementation, secure configuration and mitigation of security risk.
Provide authorization to operate, interim authorization to operate or denial of authorization to operate based on certification and accreditation state.
Review security accreditation packages (approved system security plans, security assessment report, plan of actions and milestones).
Respond to production risk analysis inquiries and provide guidance based on previously authorized releases and accreditation packages.
Leverage vulnerability scanning platforms (e.g. Fortify SCA, WebInspect, Netsparker, Zap, BurpSuite, Aqua CSP) to perform detailed vulnerability assessments of applications and systems.
Provide patching guidance based on information provided by vulnerability assessment tools and vendor-supplied remediation data.

Technical Leadership

Trains and/or mentors other team members and peers as appropriate.
Provides financial input on department or project budgets, capital expenditures or other cost/resource estimates as requested.
Identifies opportunities to enhance existing processes.

IT Governance

Follows all defined IT standards and processes (e.g. IT Governance, SM&G, Architecture, etc.), and provides input for improvements to the appropriate process owners as needed.
Maintains a proper balance between business and operational risk.

Follows the defined project management standards and processes.