The Role
We are seeking an Associate Systems Engineer to support the security and modernization of laboratory and operational technology (OT) environments across global sites.
This individual will work directly within the Lab Solutions team to execute a portfolio of active security workstreams β including Non-Attributable Account (NAA) remediation, software download restrictions, vulnerability remediation, and USB data transfer controls β while supporting the broader goal of bringing lab OT posture in line with enterprise security standards.
This is a highly technical, execution-focused role requiring strong hands-on skills in Active Directory, endpoint security, network architecture, and lab instrument environments.
The successful candidate will be comfortable working across both IT and OT boundaries, engaging directly with Business System Owners, lab scientists, vendors, and global site partners to deliver change in a complex, multi-site environment responsibilities: -
1. NAA (Non-Attributable Account) Remediation
Support the design, testing, and execution of the Non-Attributable Account (NAA) remediation program across RC4-dependent and non-RC4-dependent account types.
Assist in building, maintaining, and activating host allow/deny lists within the Lab Organizational Unit (OU) in Active Directory.
Coordinate with InfoSec and AD teams to execute password reset mechanisms and validate outcomes across pilot and full-rollout phases.
Engage Business System Owners and lab staff to identify NAA usage patterns, confirm active engagements, and support transition to properly managed service accounts.
Support deployment and configuration of Transparent Screen Lock and BeyondTrust (password management and remote access) as replacement mechanisms for NAA- dependent workflows.
2. Software Governance & Controls
Assist in defining and implementing a policy-based software allowlist across lab workstations and instrument PCs in the Lab OU.
Identify currently installed unauthorized or unlicensed software across lab endpoints and support remediation planning.
Develop and maintain a formal exception request process for legitimate scientific software deployment needs.
3. Vulnerability Management
Support CrowdStrike EDR sensor deployment and gap closure across lab endpoints, coordinating with InfoSec and site partners.
Identify and remediate open or misconfigured file shares presenting lateral movement and data exfiltration risk.
Contribute to OS patching cadence and compliance tracking for lab workstations and instrument PCs.
Assist in end-of-life operating system identification, remediation planning, and isolation strategies across lab infrastructure.
Support server-level vulnerability triage and remediation in coordination with the infrastructure team.
4. USB & Data Transfer Controls
Assess current USB usage patterns across lab sites and instrument workflows.
Assist in defining and implementing a tiered USB restriction policy (block, monitor, allow-by-exception) that protects the environment without impeding legitimate scientific workflows.
Manage the formal USB exception process for vendor-mediated access scenarios.
5. Cross-Site & Operational Support
Serve as a hands-on technical resource for site partners across and other global lab locations.
Maintain accurate documentation of system configurations, allow/deny lists, service account inventories, and workstream progress.
Contribute to demand intake and ServiceNow-based request management for new service account and access requests.
Participate in hypercare periods following major changes, providing rapid response to connectivity or authentication issues.
Communicate clearly with both technical and non-technical stakeholders, including lab scientists, Business System Owners, and senior leadership.
Essential skills/knowledge/experience:
Identity & Access Management
Proficiency in Active Directory administration: OU structure, Group Policy Objects (GPOs), user/service account management, and authentication protocols including RC4/NTLM/Kerberos.
Understanding of allow/deny list enforcement mechanisms within AD and Lab OU environments.
Experience with service account lifecycle management and privileged access controls.
Understanding of enterprise Identity Management tools (Sailpoint)
Endpoint & OT Security
Working knowledge of endpoint detection and response (EDR) platforms, particularly CrowdStrike Falcon.
Understanding of OT/lab network architecture, including isolated or semi-isolated lab network segments, instrument connectivity, and associated security risks.
Familiarity with USB restriction and software control policies on Windows endpoints.
Knowledge of vulnerability management concepts: OS patching, EOL systems, open file shares, and network-level exposure.
Lab & Instrument Environment Familiarity
Understanding of how lab instruments authenticate to networks and the dependencies that exist between shared accounts and instrument operation.
Familiarity with Transparent Screen Lock (TSL) or similar technologies for instrument session management.
Awareness of lab data systems such as NuGenesis (SDMS), Empower (Waters), or similar scientific data and chromatography platforms is a plus.
Awareness of working in Biopharma Laboratory Environments
Awareness of GxP and Information Security compliance constraints
Familiarity with ITIL ITSM principles
Tools & Platforms
ServiceNow or equivalent ITSM platform for demand intake and ticket management.
BeyondTrust or equivalent privileged access management and remote support tooling.
Microsoft Windows Server and Windows 10/11 administration.
Familiarity with network monitoring and log analysis tools.
Proficiency in PowerShell preferred.
Desirable skills/knowledge/experience:
Strong analytical skills and attention to detail β comfortable working with large datasets (login logs, AD exports, host inventories) to draw meaningful conclusions.
Clear written and verbal communication skills; able to explain technical concepts to non-technical lab staff and Business System Owners.
Organized and execution-oriented β this role involves managing multiple concurrent workstreams with defined deadlines.
Comfortable operating in a fast-moving, ambiguous environment where priorities may shift based on security findings.
Collaborative and service-minded β the lab community depends on this role to keep instruments running securely.