Security Analyst / Information Systems Security Officer (ISSO)

About The Position

Requirements

• Bachelor's degree in computer science, information systems, or another related field.
• 4+ years of experience performing or supporting the responsibilities of an ISSO in a US Government environment.
• 4+ years of experience in National Institute of Standards (NIST) cybersecurity standards and best practices.
• Experience with any/all of the following relevant tools: Government-provided resourcing tool (used to execute and on-site review), eMASS (for control reviews), Requirement Tracking System (RTS) (to submit actions for review/signature), PPSM database, Whitelist Tool, DoD Information Technology Portfolio Repository (DITPR), and RMF Knowledge Service.
• Active Secret clearance required

Nice To Haves

• Certified Information Systems Auditor (CISA) or Security+ certification
• Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• CompTIA Security +
• Knowledge of US Government security regulations and methodologies: FISMA, FedRAMP, and NIST special publications.

Responsibilities

• Responsible for continuous monitoring activities for systems, including monitoring for security threats, performing access reviews, reviewing and developing mitigation for vulnerability assessment reports, and proposing enhancements for system security.
• Support security operations centers (or similar capabilities) in supporting system reviews and potential incident investigations.
• Maintain knowledge of the security architecture and the business purpose of systems.
• Document and maintain knowledge of all relevant NIST 800-53 controls for each IT system for which the ISSO is responsible.
• Update SSPs semi-annually and document any changes.
• Certify the accuracy of continuous monitoring information for assigned systems.
• Advise on proposed architecture or configuration changes using the established change and configuration management process.
• Certify software planned to be introduced to the production environment is evaluated and provide guidance regarding the potential for the software to introduce risk into the environment.
• Support the agency on periodic internal and external audits, including support for the execution of identified corrective action plans as needed.
• Evaluate and advise on all access requests for privileged accounts to IT systems.
• Support and produce any artifacts that are required for Ongoing Authorization and the NIST Cyber Security Framework (CSF).
• Perform certification assessments for assigned programs to include review of change requests; review of ports, protocols, and services; whitelist requests; self-assessments results; statements of compliance; scan and STIG reviews; systems security plans; cybersecurity control evidence and artifacts; and on-site review results.
• Conduct security architecture reviews to ensure that the program's architecture is in compliance with STIG requirements and best practices. This technical analysis will be considered in the risk analysis and documented/included in the certification recommendation.
• Develop customized checklists based on the security architecture, special-purpose equipment, type accredited deployment guides, Unified Capabilities Approved Product List deployment guides, and required ancillary equipment.
• Analyze Plans of Action and Milestones (POA&M) and mitigation plans for unresolved findings to determine residual risk. This shall include reviewing and analyzing submitted POA&Ms with detailed technical justification and references for mitigations and determining if the proposed solution is adequate mitigation for approval. This technical analysis shall be documented/included in the statement of residual risk.
• Conduct a Risk Assessment to analyze threats to and vulnerabilities of an information system and the potential impact that the loss of information or capabilities of a system would have on the user communities and the mission of the organization. The resulting analysis is used as a basis for identifying appropriate and cost-effective countermeasures and to determine residual risk.

Benefits

• Treat employees with fairness and respect regardless of their position, sexual identity, race, or tenure.
• Communicate the importance of our mission and our employees’ contributions to it, ensuring they understand how their job role contributes to the greater good.
• Openly promote and communicate our ideas for change and adaptability.
• Strive to achieve results as an organization.
• Hold employees accountable to their commitments and provide incentives that encourage positive and productive behaviors.
• Value the talents and contributions of our employees as the key factor for our success.
• Create an environment where people can engage at all levels.
• Encourage people to take risks and allow them to make mistakes.