
Principal Software Security Engineer

Singular Medical (USA) Inc.


Irvine, CA
Full Time
Paid
1 Job Description

The Principal SW Security Engineer is responsible for the cybersecurity of Singular Medical's systems and components:

· vulnerability identification and quantification;

· threat identification and quantification;

· risk assessment in conjunction with the system risk assessment;

· risk mitigation through design and user documentation;

· implementation guidelines and standards for hardware, software, and firmware;

· test design and execution;

· environment monitoring, with subsequent update of the threat assessment and of its impact on risk;

· vendor management;

· industry and government standards and regulations;

· communication with regulators;

· the Design History File (DHF);

· press releases and other communication with the media;

· and reporting.

    The candidate reports to the Director of Software Engineering and may have one or more direct reports that may include engineers, project managers, and supervisors.

The candidate may utilize the services of consultants, contractors, and cybersecurity organizations to supplement areas of knowledge, skills, and capabilities. Responsibilities include the objectives, management, documentation, and records of such activities.

    The candidate conducts independent reviews of cybersecurity materials including the detailed design, vulnerability assessment, and threat model.

The candidate reviews contracts for purchased subsystems that have a potential maintenance component (e.g., an operating system purchase and maintenance agreement) to ensure that cybersecurity elements are properly addressed.

2 Education and Experience

2.1 Education

The candidate shall have, at minimum, a B.S. in a technical field such as mathematics, statistics, physics, electrical engineering, and/or software engineering. Similar postgraduate work is desirable but not required.

    Additional education and training should include coursework on various aspects of cybersecurity, system engineering, and business practices.

    The candidate should have basic knowledge of statistics, computer modeling and simulation, microprocessors and firmware development, networked communications (via radio and wired), and documentation and reporting.

The candidate's education shall be from an institution that is accredited by an agency recognized by the U.S. Department of Education. If the candidate does not have a U.S. education, the institution shall be similarly accredited by the equivalent organization in China, Europe, or Australia.

2.2 Experience

It is desired that the candidate have a minimum of four years of experience in the following areas:

· Firmware development at the hardware level of popular microcontrollers, preferably using the ARM architecture, including use of Integrated Development Environments (IDEs), simulators, debuggers, logic analyzers, oscilloscopes, and other test equipment.

· Work in an engineering development environment where formal processes and procedures must be followed. Experience with medical device, automotive, or critical infrastructure development is desirable but not required.

· Work in a development team where communication and coordination are required across teams.

· Solving problems by drawing on different disciplines to produce effective and potentially unique solutions.

· Work as part of a team identifying cybersecurity vulnerabilities and mitigations.

· Familiarity with servers, networks, and Linux- and Windows-based systems. Security activities on these systems are desirable.

3 Skills

The candidate is required to have a diverse set of skills, since many aspects of product development may impact or influence the cybersecurity of the product. This list is not exhaustive. It is expected that the candidate will grow into these and other skills over time.

3.1 Good Engineering Practices

Good cybersecurity practices begin with good engineering practices. For example, see the software engineering standard PSS-05-0 of the European Space Agency (ESA), the MIL-STD-498 standard for software development of the US Department of Defense, and https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf

    The [TITLE] produces and reviews coding and development standards for the cybersecurity components of the system.

    The [TITLE] performs system engineering activities as required and coordinates the design and implementation across the domains.

The [TITLE] communicates the importance of using industry-standard coding guidelines. For example: https://stroustrup.com/JSF-AV-rules.pdf.

The [TITLE] recommends the use of coding style guides. For example: https://google.github.io/styleguide/javaguide.html.

3.2 Risk Management Practices

    The candidate is expected to participate in the risk management process by contributing the cybersecurity component and conducting reviews alongside the other disciplines.

3.3 Embedded Development

The candidate will need to understand embedded microcontroller systems to properly identify and assess cybersecurity vulnerabilities. Mitigations must also be communicated effectively to those involved in the embedded system development.

3.3.1 Machine-to-Machine Communications

The candidate should be familiar with communication between:

· processors via internal buses such as SPI, I2C, and serial;

· subsystems via a networked interface such as TCP/IP;

· subsystems using custom and standard radio solutions such as Bluetooth; and

· field-deployed subsystems and either hosted or cloud-based servers.