Cybersecurity Analyst

Marathon Petroleum Corporation
  • Findlay, OH, United States

Description

An exciting career awaits you

At MPC, we’re committed to being a great place to work – one that welcomes new ideas, encourages diverse perspectives, develops our people, and fosters a collaborative team environment.

Position Summary

This is a position on the Cybersecurity and IT Compliance team within the Cybersecurity Governance, Risk, and Compliance organization. The successful candidate will assist in providing guidance and recommendations to improve IT processes and the control environment. This position works closely with business partners including IT, process owners and internal/external audit groups to ensure appropriate controls are in place to mitigate risks.

This position belongs to a family of jobs with increasing responsibility, competency, and skill level. Actual position title and pay grade will be based on the selected candidate’s experience and qualifications.

Key Responsibilities

Associate Cybersecurity Engineer:
• Conducts controls analysis of business process and systems and reports impact of changes and additions to security systems.
• Assists with the resolution of routine multi-functional technical issues. Prepares, performs and presents cybersecurity assessments and associated risks.
• Evaluates the efficiency and effectiveness of security processes and controls in place ensuring confidentiality, integrity, and availability of data/information, under guidance of more senior colleagues.
• Recommends and/or executes remediation and develops cost information for such mitigation measures. Monitors networks, systems, and applications for signs of potential cybersecurity incidents. Investigates and analyzes the nature and scope of cyber incidents.
• Analyzes security protocols, compliance reviews, administers, and maintains security audits and reports of server access and activity; participates in disaster recovery planning per corporate guidelines.
• Delivers and implements global security initiatives, policies, and compliance requirements. Works with IT and security engineers to produce metrics related to cybersecurity.
• Takes action through collaboration to improve metric results. Executes cyber security-related consulting, guidance, and support to customers and stakeholders.
• Effectively communicates emerging Information Technology/Operations Technology and cybersecurity technology trends as well as their impact on the security landscape.

Education And Experience
• Bachelor’s Degree in Information Technology, related field or equivalent experience.
• Professional certification, e.g. Security+, Network+, OSCP, GIAC, CEH preferred.
• 3+ years of relevant experience required.

Skills
• Cybersecurity Research - Applies technical knowledge of the latest data, developments, and trends in the cybersecurity world to identify cybersecurity vulnerabilities within an organization or industry.
• Cybersecurity Risk Management - The process of developing cyber risk assessment and treatment techniques that can effectively pre-empt and identify significant security loopholes and weaknesses, demonstrating the business risks associated with these loopholes and providing risk treatment and prioritization strategies to effectively address the cyber-related risks, threats and vulnerabilities, ensuring appropriate levels of protection, confidentiality, integrity and privacy in alignment with the security framework.
• DevSecOps - A set of practices that automates the integration of security at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery, with an aim towards shortening the systems development life cycle as well as continuous delivery and a security-first approach.
• Digital Forensics - Develop and manage digital forensic investigation and reporting plan which specifies the tools, methods, procedures, and practices to be used. This includes the collection, analysis, and preservation of digital evidence in line with standard procedures and reporting of findings for legal proceedings.
• Ethical Hacking - The act of locating weaknesses and vulnerabilities of computer and information systems by duplicating the intent and actions of malicious hackers. Ethical hacking is also known as penetration testing, intrusion testing, or red teaming.
• Identity and Access Management (IAM) - Identity and access management (IAM) is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities, ensuring that the right users have the appropriate access to technology resources.
• Incident Response Management - An organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident or security incident.
• Intrusion Detection & Analysis - The use of security analytics, including the outputs from intelligence analysis, predictive research, and root cause analysis in order to search for and detect potential breaches or identify recognized indicators and warnings. Also, monitoring and collating external vulnerability reports for organizational relevance, ensuring that relevant vulnerabilities are rectified through formal change processes.
• Malware Analysis - Software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of types of malware exist, common categories include computer viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware.
• Penetration Testing - The practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit. Penetration testing can be automated with software applications or performed manually.
• Root Cause Analysis - An iterative process, designed to investigate and categorize the root causes of events or failures that may have negative impacts to the overall performance of a system and establish a flexible and effective framework for the necessary corrective and preventive actions.
• Secure Software Development Lifecycle (SSDL) - Involves integrating security testing and other activities into an existing development process. Examples include writing security requirements alongside functional requirements and performing an architecture risk analysis during the design phase of the SDLC.
• Security Controls Management - Manages and maintains an information system that focuses on the management of risk and the management of information systems security.
• Security Governance - The process of developing and disseminating corporate security policies, frameworks, and guidelines to ensure that day-to-day business operations are guarded and well protected against risks, threats, and vulnerabilities.
• Security Information & Event Management (SIEM) - A set of tools and services offering real-time visibility across an organization's information security systems, and event log management that consolidates data from numerous sources.
• Security Policy Management - The process of identifying, implementing, and managing the rules and procedures that all individuals must follow when accessing and using an organization's IT assets and resources.
• Threat Analysis & Modeling - Monitor intelligence-gathering and anticipate potential threats to an IT/OT system proactively. This involves the pre-emptive analysis of potential perpetrators, anomalous activities and evidence-based knowledge and inferences on perpetrators' motivations and tactics.
• Threat Hunting - Searches through networks, endpoints, and datasets to detect and isolate cyber threats that evade existing security solutions.
• Threat Intelligence Analysis - Enable and conduct analysis of malicious threats, to examine their characteristics, behaviors, capabilities, intent and interactions with the environment as well as the development of defense and mitigation strategies and techniques to effectively combat such threats.

Must be willing to travel as needed (less than 25%).

As an energy industry leader, our career opportunities fuel personal and professional growth.

Location:

Findlay OH Main Bldg

Additional locations:

San Antonio TX

Job Requisition ID:

00007746

Location Address:

539 S Main St

Education:

Employee Group:

Full time

Employee Subgroup:

Regular

Marathon Petroleum Company LP is an Equal Opportunity Employer and gives consideration for employment to qualified applicants without discrimination on the basis of race, color, religion, creed, sex, gender (including pregnancy, childbirth, breastfeeding or related medical conditions), sexual orientation, gender identity, gender expression, reproductive health decision-making, age, mental or physical disability, medical condition or AIDS/HIV status, ancestry, national origin, genetic information, military, veteran status, marital status, citizenship or any other status protected by applicable federal, state, or local laws. If you would like more information about your EEO rights as an applicant, click here.

If you need a reasonable accommodation for any part of the application process at Marathon Petroleum LP, please contact our Human Resources Department at [email protected]. Please specify the reasonable accommodation you are requesting, along with the job posting number in which you may be interested. A Human Resources representative will review your request and contact you to discuss a reasonable accommodation. Marathon Petroleum offers a total rewards program which includes, but is not limited to, access to health, vision, and dental insurance, paid time off, 401k matching program, paid parental leave, and educational reimbursement. Detailed benefit information is available at https://mympcbenefits.com. The hired candidate will also be eligible for a discretionary company-sponsored annual bonus program.

Equal Opportunity Employer: Veteran / Disability

Summary

Job Type : FULLTIME
Category : Cybersecurity Analyst
Posted : December 7, 2023
Salary : N/A
Experience : 3 Months
