The information system security officer (ISSO) is responsible for the cybersecurity of a program, organization, system, or enclave. The ISSO ensures that the security and privacy posture is maintained for an organizational system and works in close collaboration with the FDIC system owner. The ISSO serves as a principal advisor on all matters, technical and otherwise, involving the security and privacy controls for the system and has the knowledge and expertise to manage the security and privacy aspects of an organizational system.
- Identify the security and privacy requirements allocated to a system and to the organization.
- Collaborate with the System Owner to categorize the system and document the security categorization results as part of system requirements.
- Identify stakeholders who have a security and/or privacy interest in the development, implementation, operation, or sustainment of a system.
- Conduct an initial risk assessment of stakeholder assets and update the risk assessment on an ongoing basis.
- Select the security and privacy controls for a system and document the functional description of the planned control implementations in a security/privacy
- Develop a strategy for monitoring security and privacy control effectiveness; coordinate the system-level strategy with the organization and mission/business process-level monitoring strategy.
- Develop, review, and approve a plan to assess the security and privacy controls in a system and the organization.
- Document changes to planned security and privacy control implementation and establish the configuration baseline for a system.
- Respond to system risk posture based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in a plan of action and milestones (POA&M).
- Prepare a plan of action and milestones based on the findings and recommendations of a security assessment report excluding any remediation actions taken.
- Update a security plan, security assessment report, and plan of action and milestones based on the results of a continuous monitoring process.
- Review the security and privacy status of a system (including the effectiveness of security and privacy controls) on an ongoing basis to determine whether the risk remains acceptable.
- Report the security status of a system (including the effectiveness of security and privacy controls) to an authorizing official on an ongoing basis in accordance with the monitoring strategy.
- Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
- Ensure that security improvement actions are evaluated, validated, and implemented as required.
- Bachelors Degree in a related IT field.
- 7+ years of relevant cyber security experience in a Senior Position.
- Required Certification
- Certified Information Systems Security Professional (CISSP)