OverviewAt least five (5) years of experience working in Information Security Governance Risk and Compliance role, which demonstrates experience at a minimum:
Expertise in writing technical and risk management reports.
Strong analytical, problem-solving, and organizational skills.
Subject matter expertise in assessing and mitigating risks associated with vendor relationship, vendor risk assessments and control evaluations, and performing risk-based due diligence.
Technical understanding of the cybersecurity landscape and working knowledge of common information security and privacy controls, guidelines and standards (e.g., ISO27001, SOC 1/2, NIST SP 800-53, NIST SP 800-171).
At least three (3) years of experience working with third-party risk management, which demonstrates experience at a minimum:
Experience in third-party risk from a cyber perspective
Developing and implementing supportable and sustainable processes to manage third-party cyber risks Hold and provide proof in submittal package of one of the following certifications: Certified Information Systems Security Professional (CISSP) certification, Certified Information Systems Auditor (CISA), Certified Third-party Risk Professional Certification (CTPRP), or Certified Third-party Risk Assessor (CTPRA).
Responsibilities
- Security Control Assessor (SP-RSK-002): Conducts independent comprehensive assessments of the management, operational, and technical security/privacy controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37).
- Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.
- Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy.
- Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
- Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks.
- Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
- Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and
- Verify and update security documentation reflecting the application/system security design features.
- Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
- Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).
- Participate in Risk Governance process to provide security risks, mitigations, and input on other technical risk.
- Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections,
- Assure successful implementation and functionality of security requirements and appropriate information technology (IT) policies and procedures that are consistent with the organization's mission and goals.
- Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current
- Ensure that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary.
- Support necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs).
- Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.
- Assess the effectiveness of security controls.
- Assess all the configuration management (change configuration/release management) processes.
- Establish acceptable limits for the software application, network, or system.
- Review Accreditation Packages (e.g., NIST Risk Mgt Framework)
- Skill in administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures.
- Skill in analyzing traffic to identify network devices.
- Skill in applying confidentiality, integrity, and availability principles.
- Skill in applying secure coding techniques.Skill in applying security controls.Skill in assessing security controls based on cybersecurity principles and tenets. (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.).
- Skill in assessing security systems designs
- Skill in conducting application vulnerability assessments.
- Skill in conducting reviews of systems.
- Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
- Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the
- Skill in identifying Test & Evaluation infrastructure (people, ranges, tools, instrumentation) requirements.
- Skill in identifying the devices that work at each level of protocol models.
- Skill in information prioritization as it relates to operations.
- Skill in integrating and applying policies that meet system security objectives.
- Skill in interfacing with customers.
- Skill in interpreting compiled and interpretive programming languages.
- Skill in interpreting metadata and content as applied by collection systems.
- Skill in interpreting traceroute results, as they apply to network analysis and reconstruction.
- Skill in interpreting vulnerability scanner results to identify vulnerabilities.
- Skill in knowledge management, including technical documentation techniques (e.g., Wiki page).
- Skill in managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results.
- Skill in managing test assets, test resources, and test personnel to ensure effective completion of test events.
- Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
- Skill in performing impact/risk assessments.
- Skill in performing target system analysis.
- Skill in preparing and presenting briefings.
- Skill in preparing plans and related correspondence.
- Skill in preparing Test & Evaluation reports.
- Skill in prioritizing target language material.
- Skill in processing collected data for follow-on analysis.
- Skill in providing analysis to aid writing phased after action reports.
- Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
- Skill in reviewing and editing assessment products.
- Skill in reviewing and editing plans.
- Skill in reviewing logs to identify evidence of past intrusions.
- Skill in tailoring analysis to the necessary levels (e.g., classification and organizational).
- Skill in target network anomaly identification (e.g., intrusions, dataflow or processing, target implementation of new technologies).
- Skill in technical writing.
- Skill in troubleshooting and diagnosing cyber defense infrastructure anomalies and work through resolution.
- Skill in using manpower and personnel IT systems.
- Skill in using security event correlation tools.
- Skill in using virtual machines. (e.g., Microsoft Hyper-V, VMWare vSphere, Citrix XenDesktop/Server, Amazon Elastic Compute Cloud, etc.).
- Skill in utilizing feedback to improve processes, products, and services.
- Skill in utilizing or developing learning activities (e.g., scenarios, instructional games, interactive exercises).
- Skill to access information on current assets available, usage.
- Skill to access the databases where plans/directives/guidance are maintained.
- Skill to analyze strategic guidance for issues requiring clarification and/or additional guidance.
- Skill to analyze target or threat sources of strength and morale.
- Skill to develop a collection plan that clearly shows the discipline that can be used to collect the information needed.
- Skill to evaluate requests for information to determine if response information exists.
- Skill to extract information from available tools and applications associated with collection requirements and collection operations management.
- Ability to analyze test data.
- Ability to answer questions in a clear and concise manner.
- Ability to apply collaborative skills and strategies.
- Ability to apply critical reading/thinking skills.
- Ability to ask clarifying questions.
- Ability to collect, verify, and validate test data.
- Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
- Ability to communicate effectively when writing.
- Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
- Ability to design valid and reliable assessments.
- Ability to develop or procure curriculum that speaks to the topic at the appropriate level for the target.
- Ability to dissect a problem and examine the interrelationships between data that may appear unrelated.
- Ability to effectively collaborate via virtual teams.
- Ability to ensure security practices are followed throughout the acquisition process.
- Ability to evaluate information for reliability, validity, and relevance.
- Ability to evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products.
- Ability to exercise judgment when policies are not well-defined.
- Ability to facilitate small group discussions.
- Ability to focus research efforts to meet the customer’s decision-making needs.
- Ability to function effectively in a dynamic, fast-paced environment.
- Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts—both internal and external to the organization—to leverage analytical and technical expertise.
- Ability to identify basic common coding flaws at a high level.
- Ability to identify external partners with common cyber operations interests.
- Ability to identify systemic security issues based on the analysis of vulnerability and configuration data.
- Ability to identify/describe techniques/methods for conducting technical exploitation of the target.
- Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives.
- Ability to interpret and translate customer requirements into operational action.
- Ability to interpret and understand complex and rapidly evolving concepts.
- Ability to monitor advancements in information privacy technologies to ensure organizational adaptation and compliance.
- Ability to participate as a member of planning teams, coordination groups, and task forces as necessary.
- Ability to prepare and present briefings.
- Ability to prioritize and allocate cybersecurity resources correctly and efficiently.
- Ability to produce technical documentation.
- Ability to recognize and mitigate cognitive biases which may affect analysis.
- Ability to relate strategy, business, and technology in the context of organizational dynamics.
- Ability to think critically.
- Ability to translate data and test results into evaluative conclusions.
- Ability to understand objectives and effects.
- Ability to understand technology, management, and leadership issues related to organization processes and problem solving.
- Ability to understand the basic concepts and issues related to cyber and its organizational impact.
- Ability to utilize multiple intelligence sources across all intelligence disciplines.
- Ability to work across departments and business units to implement organization’s privacy principles and programs, and align privacy objectives with security objectives.
- Ability to work across departments and business units to implement organization’s privacy principles and programs, and align privacy objectives with security objectives.
- Ability to understand the basic concepts and issues related to cyber and its organizational impact.
- Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
- Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.
- Knowledge of an organization's information classification program and procedures for information compromise.
- Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
- Knowledge of business continuity and disaster recovery continuity of operations plans.
- Knowledge of controls related to the use, processing, storage, and transmission of data.
- Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations.
- Knowledge of cryptography and cryptographic key management concepts
- Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedure