Security Specialist

CNSI

Olympia, WA

Industry: Professional, Scientific & Technical Services


5 - 7 years



The Security Specialist serves as the Subject Matter Expert and primary Point of Contact (POC) for CNSI and its customers regarding the development, implementation, and maintenance of data security policies and procedures related to the NIST SP 800 series, FISMA, HIPAA, ISO 27001, FedRAMP, and other applicable state and federal laws, rules, regulations, and guidelines. The Security Specialist is also responsible for all tasks related to audit preparation and for leading assigned cross-functional teams through all processes and procedures related to data security audits.

Subject Matter Expertise

  • Function as a Subject Matter Expert regarding Information Assurance and Data Security Compliance laws, rules and regulations including, but not limited to, the NIST SP 800 series, FISMA guidelines, FedRAMP, ISO 27001 and HIPAA.

  • Obtain a thorough understanding of CNSI's policies and procedures pertaining to data security standards in order to make informed decisions about which data security policies and procedures apply.

  • Stay up to date on existing laws and regulations affecting CNSI's current policies and procedures, and monitor for new laws or regulations that could affect CNSI and/or its customers.

Process Management

  • Create the 'path to success' and lead cross-functional teams through NIST SP 800 series, FISMA or FedRAMP security assessment audits and/or HIPAA compliance audits, leading to an Authority to Operate (ATO).

  • Act as the primary POC in various assessments including, but not limited to, Risk Assessments, Security Assessments and Privacy Impact Assessments.

  • Participate in planning, scheduling, and preliminary analysis for all internal and external audits.

  • Create and monitor audit roadmaps including planning for and scheduling of all required audit activities.

  • Coordinate audit preparation activities for all affected parties, including notification of audit scope, objectives, approach, timeline and deliverables.

  • Train and educate teams and other stakeholders regarding applicable regulatory requirements and responsibilities.

  • Identify and inform control owners of the applicable controls based upon the audit requirements.

  • Work with control owners to identify and document security controls based upon regulatory source and to identify the appropriate artifacts to show the controls are being met.

  • Work with control owners to update security controls based upon regulatory source updates and/or additions to CNSI's regulatory requirements. Ensure documentation remains current, adequate testing is performed, and results are evaluated and discussed with the owners.

  • Team with the customer's security representatives or Information Security Officer (ISO) to ensure all requirements are met, all audit preparations are completed, and all steps are taken to ensure a successful audit.

Document Management

  • Create and maintain data security compliance documentation including policies, procedures, plans, and standards pertaining to HIPAA, NIST SP 800-53 controls, FedRAMP and FISMA.
  • Design, develop, and maintain security deliverables/artifacts including, but not limited to, System Security Plans, Risk Assessment Plans, Security Assessments, Privacy Impact Assessments, and Physical Security Plans.
  • Identify, document, and map the technology processes and internal controls of the technology infrastructure and operational areas that fall within the scope of the audit project.
  • Keep existing policies and procedures aligned with audit and security requirements.
  • Identify and recommend changes, supplements, or updates to existing information security policies and procedures to mitigate key security risks.
  • Develop and maintain an artifacts library, a document library and an inventory of audit reports.

Risk Mitigation and Issue Management

  • Own the issue management process for applicable areas and security controls: communicate with control owners, approve remediation plans, and retest items as remediation plans are implemented.
  • When new issues are identified, work with control owners to confirm the finding is accurate and the remediation date is acceptable, and work with issue owners through the process of closing the issue.
  • Review, monitor, and report Plan of Action and Milestones (POA&M) status to all stakeholders, and follow up with the appropriate personnel to ensure POA&M items are remediated and reported in a timely manner.
  • Recommend changes to controls, testing, or remediation based on audit findings.
  • Evaluate the risk associated with each component inside the authorization boundary and ensure controls are adequate to cover the potential exposure.


  • Bachelor's degree in Information Assurance, Information Systems, Security Compliance, IT Security, or a related field.
  • Thorough understanding and working knowledge of FISMA and the NIST guidance that implements it.
  • Strong working knowledge of HIPAA information assurance and audit requirements.
  • 6+ years of management experience and the ability to lead cross-functional teams.
  • 6+ years of experience in a healthcare compliance organization and/or a security operations environment.
  • 4+ years of experience in developing, writing, and editing IT security documentation.
  • Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or an equivalent certification.
  • Ability to translate regulatory requirements into practical, actionable elements and to communicate this information orally and in writing.
  • 4+ years of Health IT experience.
  • Ability to multi-task, prioritize multiple requests, and complete difficult assignments within deadlines that may have short lead times.
  • Understanding of risk assessment and risk management concepts.
  • Strong working knowledge of the Microsoft Office suite.
  • Good understanding of continuous monitoring and continuous authorization concepts.
  • Strong understanding of the concepts involved in protecting PII and PHI.
  • Ability to present audit findings and recommendations in a manner that will be understood and accepted by all responsible parties.
  • Ability to quickly acquire and apply knowledge of newly implemented technologies.
  • Tenacity to pursue difficult and sensitive issues to an acceptable conclusion.

The following skills would be a plus:

  • Certified in Healthcare Compliance (CHC) or Certified in Healthcare Privacy Compliance (CHPC), or a similar certification.

  • FedRAMP experience.

  • Experience successfully leading a cross-functional technical team to a FedRAMP or FISMA Authority to Operate (ATO).

  • Medicaid or Medicare Health IT experience.

  • AWS or Oracle Cloud experience, with an understanding of cloud industry technologies and IaaS, PaaS and SaaS platforms.