Cyber Risk Lead- Security Control Assessor - Senior

Pyramid Systems, Inc.

$104K — $106K *
US-AnywhereRemote in United States
Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • 5-7 years of experience in Information Security Governance, Risk, and Compliance roles.
  • Proficient in writing technical risk management reports.
  • Strong analytical and organizational abilities.
  • Expertise in vendor risk assessment and due diligence processes.
  • Familiarity with cybersecurity frameworks like ISO27001 and NIST standards.
  • Experience with third-party risk management from a cyber perspective.
  • Certification in relevant fields (CISSP, CISA, CTPRP, or CTPRA) is necessary.

Responsibilities

  • Conduct comprehensive assessments of IT system security controls.
  • Identify security architecture gaps and recommend improvements.
  • Analyze risks related to changes in applications or systems.
  • Plan and perform security authorization reviews for technology systems.
  • Contribute to documentation for Risk Management Framework activities.
  • Ensure compliance of security requirements for acquisitions and service providers.
  • Monitor and ensure compliance with security policies during operations.

Benefits

  • Opportunities for professional development and training.
  • Flexible working hours and potential for remote work.
  • Comprehensive health and wellness programs.
  • Retirement savings plan with employer match.
  • Work in a collaborative and innovative team environment.
Full Job Description
Overview

At least five (5) years of experience working in Information Security Governance Risk and Compliance role, which demonstrates experience at a minimum:

  • Expertise in writing technical and risk management reports.
  • Strong analytical, problem-solving, and organizational skills.
  • Subject matter expertise in assessing and mitigating risks associated with vendor relationship, vendor risk assessments and control evaluations, and performing risk-based due diligence.
  • Technical understanding of the cybersecurity landscape and working knowledge of common information security and privacy controls, guidelines and standards (e.g., ISO27001, SOC 1/2, NIST SP 800-53, NIST SP 800-171).
  • At least three (3) years of experience working with third-party risk management, which demonstrates experience at a minimum:

  • Experience in third-party risk from a cyber perspective
  • Developing and implementing supportable and sustainable processes to manage third-party cyber risks Hold and provide proof in submittal package of one of the following certifications: Certified Information Systems Security Professional (CISSP) certification, Certified Information Systems Auditor (CISA), Certified Third-party Risk Professional Certification (CTPRP), or Certified Third-party Risk Assessor (CTPRA).
  • Responsibilities
    • Security Control Assessor (SP-RSK-002): Conducts independent comprehensive assessments of the management, operational, and technical security/privacy controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37).
    • Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.
    • Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy.
    • Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
    • Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks.
    • Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
    • Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and
    • Verify and update security documentation reflecting the application/system security design features.
    • Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
    • Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).
    • Participate in Risk Governance process to provide security risks, mitigations, and input on other technical risk.
    • Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections,
    • Assure successful implementation and functionality of security requirements and appropriate information technology (IT) policies and procedures that are consistent with the organization's mission and goals.
    • Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current
    • Ensure that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary.
    • Support necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs).
    • Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.
    • Assess the effectiveness of security controls.
    • Assess all the configuration management (change configuration/release management) processes.
    • Establish acceptable limits for the software application, network, or system.
    • Review Accreditation Packages (e.g., NIST Risk Mgt Framework)
    • Skill in administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures.
    • Skill in analyzing traffic to identify network devices.
    • Skill in applying confidentiality, integrity, and availability principles.
    • Skill in applying secure coding techniques.Skill in applying security controls.Skill in assessing security controls based on cybersecurity principles and tenets. (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.).
    • Skill in assessing security systems designs
    • Skill in conducting application vulnerability assessments.
    • Skill in conducting reviews of systems.
    • Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
    • Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the
    • Skill in identifying Test & Evaluation infrastructure (people, ranges, tools, instrumentation) requirements.
    • Skill in identifying the devices that work at each level of protocol models.
    • Skill in information prioritization as it relates to operations.
    • Skill in integrating and applying policies that meet system security objectives.
    • Skill in interfacing with customers.
    • Skill in interpreting compiled and interpretive programming languages.
    • Skill in interpreting metadata and content as applied by collection systems.
    • Skill in interpreting traceroute results, as they apply to network analysis and reconstruction.
    • Skill in interpreting vulnerability scanner results to identify vulnerabilities.
    • Skill in knowledge management, including technical documentation techniques (e.g., Wiki page).
    • Skill in managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results.
    • Skill in managing test assets, test resources, and test personnel to ensure effective completion of test events.
    • Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
    • Skill in performing impact/risk assessments.
    • Skill in performing target system analysis.
    • Skill in preparing and presenting briefings.
    • Skill in preparing plans and related correspondence.
    • Skill in preparing Test & Evaluation reports.
    • Skill in prioritizing target language material.
    • Skill in processing collected data for follow-on analysis.
    • Skill in providing analysis to aid writing phased after action reports.
    • Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
    • Skill in reviewing and editing assessment products.
    • Skill in reviewing and editing plans.
    • Skill in reviewing logs to identify evidence of past intrusions.
    • Skill in tailoring analysis to the necessary levels (e.g., classification and organizational).
    • Skill in target network anomaly identification (e.g., intrusions, dataflow or processing, target implementation of new technologies).
    • Skill in technical writing.
    • Skill in troubleshooting and diagnosing cyber defense infrastructure anomalies and work through resolution.
    • Skill in using manpower and personnel IT systems.
    • Skill in using security event correlation tools.
    • Skill in using virtual machines. (e.g., Microsoft Hyper-V, VMWare vSphere, Citrix XenDesktop/Server, Amazon Elastic Compute Cloud, etc.).
    • Skill in utilizing feedback to improve processes, products, and services.
    • Skill in utilizing or developing learning activities (e.g., scenarios, instructional games, interactive exercises).
    • Skill to access information on current assets available, usage.
    • Skill to access the databases where plans/directives/guidance are maintained.
    • Skill to analyze strategic guidance for issues requiring clarification and/or additional guidance.
    • Skill to analyze target or threat sources of strength and morale.
    • Skill to develop a collection plan that clearly shows the discipline that can be used to collect the information needed.
    • Skill to evaluate requests for information to determine if response information exists.
    • Skill to extract information from available tools and applications associated with collection requirements and collection operations management.
    • Ability to analyze test data.
    • Ability to answer questions in a clear and concise manner.
    • Ability to apply collaborative skills and strategies.
    • Ability to apply critical reading/thinking skills.
    • Ability to ask clarifying questions.
    • Ability to collect, verify, and validate test data.
    • Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
    • Ability to communicate effectively when writing.
    • Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
    • Ability to design valid and reliable assessments.
    • Ability to develop or procure curriculum that speaks to the topic at the appropriate level for the target.
    • Ability to dissect a problem and examine the interrelationships between data that may appear unrelated.
    • Ability to effectively collaborate via virtual teams.
    • Ability to ensure security practices are followed throughout the acquisition process.
    • Ability to evaluate information for reliability, validity, and relevance.
    • Ability to evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products.
    • Ability to exercise judgment when policies are not well-defined.
    • Ability to facilitate small group discussions.
    • Ability to focus research efforts to meet the customer’s decision-making needs.
    • Ability to function effectively in a dynamic, fast-paced environment.
    • Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts—both internal and external to the organization—to leverage analytical and technical expertise.
    • Ability to identify basic common coding flaws at a high level.
    • Ability to identify external partners with common cyber operations interests.
    • Ability to identify systemic security issues based on the analysis of vulnerability and configuration data.
    • Ability to identify/describe techniques/methods for conducting technical exploitation of the target.
    • Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives.
    • Ability to interpret and translate customer requirements into operational action.
    • Ability to interpret and understand complex and rapidly evolving concepts.
    • Ability to monitor advancements in information privacy technologies to ensure organizational adaptation and compliance.
    • Ability to participate as a member of planning teams, coordination groups, and task forces as necessary.
    • Ability to prepare and present briefings.
    • Ability to prioritize and allocate cybersecurity resources correctly and efficiently.
    • Ability to produce technical documentation.
    • Ability to recognize and mitigate cognitive biases which may affect analysis.
    • Ability to relate strategy, business, and technology in the context of organizational dynamics.
    • Ability to think critically.
    • Ability to translate data and test results into evaluative conclusions.
    • Ability to understand objectives and effects.
    • Ability to understand technology, management, and leadership issues related to organization processes and problem solving.
    • Ability to understand the basic concepts and issues related to cyber and its organizational impact.
    • Ability to utilize multiple intelligence sources across all intelligence disciplines.
    • Ability to work across departments and business units to implement organization’s privacy principles and programs, and align privacy objectives with security objectives.
    • Ability to work across departments and business units to implement organization’s privacy principles and programs, and align privacy objectives with security objectives.
    • Ability to understand the basic concepts and issues related to cyber and its organizational impact.
    • Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
    • Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.
    • Knowledge of an organization's information classification program and procedures for information compromise.
    • Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
    • Knowledge of business continuity and disaster recovery continuity of operations plans.
    • Knowledge of controls related to the use, processing, storage, and transmission of data.
    • Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations.
    • Knowledge of cryptography and cryptographic key management concepts
    • Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedure

    Similar Jobs

    More Jobs at Pyramid Systems, Inc.

    More Information Technology Jobs

    Find similar Cyber Risk Lead- Security Control Assessor - Senior jobs: