Security Control Assessor

About The Position

Requirements

• Bachelor’s degree and 8+ years of experience, or Master’s and 6+ years of experience, or PhD and 3+ years of experience.
• A degree should be in one of the following fields: Computer Science, Cybersecurity, Data Science, Information Systems, Mathematics, Software Engineering, or Information Technology.
• In lieu of a degree in one of these fields of study, candidate must possess an additional 4 years of relevant experience or specialized training and one of the following active certifications: GMON, Security X/CASP+, CCSP, CISSO, Cloud+, CSSLP, FITSP-D, GCSA, GSEC, CCNP Enterprise, CISM, CISSP-ISSAP, CISSP-ISSEP, GCIA, GDSA, or GICSP.
• Active TS clearance with SCI eligibility.
• Active IAT Level II certification.
• Must have knowledge of enterprise solutions across multiple cloud operating environments (JWICS, SIPRNET, NIPRNET, and commercial Internet).
• Must have eMASS, ACAS, and ISC2 Certified Cloud Computing Professional (CCSP) or CompTIA Cloud+ experience.
• Must have knowledge in the following areas: Knowledge of computer networking and/or cloud computing concepts and protocols, and network security methodologies.
• Knowledge of cyber threats and vulnerabilities in a virtualized environment.
• Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.
• Knowledge of risk management framework processes (e.g., methods for assessing and mitigating risk).
• Knowledge of specific operational impacts of cybersecurity lapses.
• Knowledge of industry methods for evaluating, implementing, and disseminating Information Technology (IT) security assessment, monitoring, detection, and remediation tools and procedures using standards-based concepts and capabilities.
• Knowledge of cyber defense and vulnerability assessment tools, including opensource tools, and their capabilities.
• Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
• Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data in a cloud environment.
• Knowledge of IT and cloud computing security principles and methods (e.g., firewalls, demilitarized zones, encryption).
• Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.
• Knowledge of network and/or cloud computing environment security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
• Knowledge of penetration testing principles, tools, and techniques..
• Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return oriented attacks, malicious code).
• Knowledge of the Security Assessment and Authorization process.
• Skill in determining how a security and/or cloud computing security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
• Skill in discerning the protection needs (i.e., security controls) of information systems and networks and those relating to cloud computing.
• Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard IT) for safety, performance, and reliability.
• Knowledge of new and emerging IT and cybersecurity technologies and/or those technologies specific to cloud computing.

Responsibilities

• Conduct assessments and facilitate risk mitigation planning.
• Provide Assessment and Authorization (A&A) for the ARCYBER cloud infrastructure.
• Execute a security control assessment plan and update the System Security Plan.
• Review vulnerability scans and remediation.
• Implement risk management programs by utilizing NIST, FISMA, HIPAA, and PII -- and document solutions.
• Monitor the privacy landscape regarding all data (privacy, protection, classification, and residency).
• Assist clients with identifying gaps within existing privacy programs and designing solutions to help address those challenges.
• Scan, test, and validate systems/networks/applications to obtain/maintain an ATO under NIST/FISMA guidelines.