Information Security Engineer IV


Javen Technologies, Inc
Job Details
Skills
- VULNERABILITY
- VULNERABILITY MANAGEMENT
- TRIAGE
- VALIDATION
- SAST
- SCA
- DAST
- OWASP
Summary
Job Description
Must Have
Experience with vulnerability triage, validation, and prioritization.
Must be able to communicate ideas both verbally and in writing to management, business and IT sponsors, and technical resources in language that is appropriate for each group.
Strong understanding of application security principles, secure development practices, and common vulnerabilities (e.g., OWASP Top 10).
Nice To Have
Ability to review and understand source code to validate vulnerabilities.
Experience with vulnerability management or tracking platforms (e.g., ticketing systems, dashboards).
Familiarity with vulnerability scanning tools and outputs (e.g., SAST, SCA, DAST).
Job Profile Summary
The Information Security Engineer (ISE) will support the Enterprise Vulnerability Management (EVM) Application Security team's day-to-day operations, with a primary focus on vulnerability intake, triage, and validation activities. This role is responsible for reviewing and triaging submissions to the Bank's Vulnerability Disclosure Program (VDP) and Bug Bounty Program (BBP), as well as evaluating False Positive Review Requests submitted by application teams. This role requires assessing the validity and security impact of reported vulnerabilities, ensuring accurate tracking and coordination of remediation ownership, and supporting remediation efforts through the Bank's centralized vulnerability management processes.
Job Description
GENERAL FUNCTION:
The Information Security Engineer (ISE) will be responsible for supporting the operational processes of the Enterprise Vulnerability Management Application Security program. This role includes reviewing, validating, and triaging vulnerability submissions from the Bank's Vulnerability Disclosure and Bug Bounty Programs, as well as evaluating internally generated findings requiring false positive determination. The ISE ensures valid vulnerabilities are accurately assessed, prioritized, assigned to the appropriate remediation owners, and tracked within centralized systems. The role requires strong application security knowledge, sound judgment in assessing exploitability and business impact, and effective communication with application and engineering teams.
Responsible and accountable for risk by openly exchanging ideas and opinions, elevating concerns, and personally following policies and procedures as defined. Accountable for always doing the right thing for customers and colleagues and ensuring that actions and behaviors drive a positive customer experience. While operating within the Bank's risk appetite, achieves results by consistently identifying, assessing, managing, monitoring, and reporting risks of all types.
ESSENTIAL DUTIES & RESPONSIBILITIES:
VDP & Bug Bounty Triage
- Review and triage vulnerability submissions from external researchers.
- Validate technical accuracy, exploitability, and business impact.
- Assess severity and impact in alignment with established scoring models and program standards.
- De-duplicate and disposition invalid or non-actionable submissions.
- Classify vulnerabilities using established taxonomy.
- Identify and assign remediation owners using established processes.
- Support vulnerability tracking within centralized tools.
False Positive Review & Validation
- Evaluate false positive requests from application teams.
- Analyze scanner findings (SAST/SCA) and perform source code review as needed to validate findings.
- Determine validity and provide evidence-based disposition with rationale.
Operational Support
- Contribute to continuous improvement of triage standards, playbooks, and procedures.
- Maintain awareness of common application security vulnerabilities and emerging threats.
Risk & Compliance Support
- Ensure vulnerability handling aligns with internal policies, standards, and regulatory expectations.
- Maintain defensible documentation and provide supporting evidence for audit, regulatory, and internal review requirements.
- Escalate high-risk or time-sensitive vulnerabilities as appropriate.
Stakeholder Communication
- Communicate findings, impact, and remediation guidance clearly.
- Partner with application and engineering teams to enable timely remediation.
MINIMUM KNOWLEDGE, SKILLS & ABILITIES REQUIRED:
Bachelor's degree in Computer Science, Information Security, or related field, or equivalent practical experience.
3-5 years of related experience in information security, application security, or vulnerability management.
Strong understanding of application security principles, secure development practices, and common vulnerabilities (e.g., OWASP Top 10).
Experience with vulnerability triage, validation, and prioritization.
Familiarity with vulnerability scanning tools and outputs (e.g., SAST, SCA, DAST).
Ability to review and understand source code to validate vulnerabilities.
Strong analytical skills to assess exploitability and business risk.
Experience with vulnerability management or tracking platforms (e.g., ticketing systems, dashboards).
Strong attention to detail and ability to make defensible decisions.
Must be able to communicate ideas both verbally and in writing to management, business and IT sponsors, and technical resources in language that is appropriate for each group.
Previous experience working with distributed or offshore teams desired.
Financial industry experience is a plus.
- Dice Id: 10334594
- Position Id: 9006134
- Posted 3 hours ago
Company Info
Javen Technologies is a global information technology company providing consulting and outsourcing services. Our global delivery model, innovative approach, and industry knowledge allow us to provide cost-effective services that enable our clients to enhance business performance through technology. Javen Technologies is firmly committed to keeping our client success as priority number one. The key to our successful track record is our dedication to information technology services and the strong partnerships we’ve built with our clients. We aim to deliver excellence through our people, knowledge, and methodologies.
We specialize in Web Technologies, IoT, Cloud, MOBILE, UI/UX, ML/AI, ERP, CRM, Data Warehousing, BIG Data, and System Integration.
Javen Technologies has the expertise and capacity to deliver top-quality technology solutions globally, and a proven track record of helping our clients transform their businesses, giving them a competitive edge in today’s ever-changing marketplace.
