Lenovo

Product Security Analyst – ISG Product Security Office

Lenovo Infrastructure Solutions Group’s (ISG) Product Security Office is seeking a Product Security Analyst to support Lenovo ISG’s Secure Development Lifecycle activities and related processes for maintaining a high-level of security in the products and services we sell to our customers.  This position will join an established team of security architects, penetration testers, and security analysts in securing an expanding product and services portfolio and supporting the business’ evolving security needs.

This is a dynamic product security role, with the successful candidate having a solid security knowledge base to draw from; the ability to multi-task across several projects concurrently, adapt, and develop deeper expertise as needed; and be comfortable taking ownership of projects to ensure effective delivery.

Representative responsibilities:

• Analyzing industry standards, guidance, legislation, etc. for applicability, to identify gaps, and to recommend actions and solutions
• Supporting Software and Hardware Bill of Materials (SBOM and HBOM) activities
• Analyzing security weaknesses to identify patterns and root causes, then develop security guidance to address root causes
• Assessing products for compliance with security requirements
• Creating security guidance, compliance, and standards documentation
• Supporting product vulnerability management activities
• Supporting product security certification activities
• Supporting secure development lifecycle initiatives

Position Requirements

Basic Qualifications:

• Three-plus (3+) years of experience in one or more of the following areas: application security, hardware security, system security, security compliance, and/or secure development lifecycles
• BS in Information Security, Cybersecurity, Management Information Systems, or related degree

• Non-BS degree candidates with additional years of relevant work experience

• Security certification preferred, such as CompTIA Security+, SANS GSEC, or Associate of (ISC)2

• Knowledge of secure software development fundamentals
• Experience with analyzing and developing security requirements
• Experience with industry and government security standards and compliance, ideally including one or more of the following: ISO 27000-series, NIST Risk Management Framework (RMF), FISMA, FedRAMP, NIST SP800-series, NIST Cybersecurity Framework, NIST Secure Software Development Framework, Building Security In Maturity Model (BSIMM), PCI-DSS, O-TTPS / ISO 20243, or similar
• Experience in vulnerability management and triage

Key Personal Traits:

• Team player and a self-starter
• Critical thinking, analytical ability, and problem solving
• Strong verbal and written communication skills

Travel:

• 5% (travel typically not needed, but possible on occasion post-COVID)