Cybersecurity Governance Analyst

Cybersecurity Governance Analyst

Duties and responsibilities:

i)Responsible for developing, implementing, and maintaining cybersecurity policies, standards, and procedures to ensure compliance with regulatory requirements and industry best practices. This role involves coordinating remediation efforts for identified security gaps, tracking compliance with cybersecurity frameworks, and managing cybersecurity documentation and reporting. The Cybersecurity Governance Analyst also facilitates cybersecurity training and awareness programs and provides project management support for cybersecurity initiatives across the organization:

(1) Support development and support deployment and governance of cybersecurity program.

(2) Apply Risk Management Framework (NIST SP800-37), Cybersecurity Framework (NIST CSF), and security controls (NIST SP800-53) to enterprise operations in a practical and cost-effective manner.

(3) Develop cybersecurity training content and materials and lead workshops and training sessions for cybersecurity and business professionals.

(4) Develop organizational structures to foster enterprise-wide cybersecurity cooperation and risk management.

(5) Support enterprise assessment initiatives and compliance efforts to ensure compliance with PCI DSS, TSA, FRA, and other requirements and standards.

(6) Develop cybersecurity policies, technical standards, and tabletop exercise scenarios to enhance organizational security posture and readiness. There may be other systems and tools added during the term of this Contract, for which the assigned personnel will provide the services defined hereunder. Such documents will include but not be limited to. the following: research; concepts of operations; design plans; deployment plans; operational plans; maintenance plans; training plans; usage policies and support documentation; etc.

1. ii) Support initiatives of the Cybersecurity Governance Working Group (CSGWG) which serves as a steering committee for the development and delivery of Client cybersecurity initiatives, projects, and policies. Support program policies, prioritization, activities, and risk management decisions. Research reports of departments impacted by cyber and information security decisions and provide guidance to remediate as required for IT services, systems, and data.

iii) Support a Cybersecurity Risk Management Framework program by communicating to stakeholders what is needed to protect information processed on agency IT systems and conveyed or used in the acquisition and provision of IT related services, especially when using Protected Information (as defined in the Handbook). Participate in initiatives to ensure necessary protection measures are applied to all system and data as needed to identify, manage, prioritize risk, and ensure risk acceptance has been established, as per the NIST 800-53 R4 series. Participate in initiatives to ensure needed tools are acquired, provided, and implemented to properly assess the security of systems.

1. iv) Support the remediation of prior findings in IT Asset Management, IT Patching, and IT Access Control, including least privileges, to ensure compliance with the NIST standards in the deployment of new tools or the enhancement of existing tools, and participate in initiatives to ensure that the system migration, configuration, testing, operation, and maintenance is in line with agency polices and standards.
2. v) Support, as necessary, the design, engineering, deployment, operation, and maintenance of the tools listed in subsections A, above. Tasks will include, but not be limited to, reviewing the Authority's technical infrastructure to support these tools, reviewing configurations, policies, procedures, business processes, operational documentation and upgrades necessary to implement and maintain them.
3. vi) Help standardize security deployment and operating procedures with respect to the use of these tools. Tasks will include, but not be limited to, developing, and delivering staff training on the use of these tools, developing incident-reporting procedures, and updating relevant documentation.

vii) Review and analyze marketplace technology to help further develop the Program.

viii) Help staff in various departments of the Client identify systems according to the classifications issued by NIST.

1. ix) Help manage and track activities related to the Client s efforts to ensure that its use of technologies - and its policies, processes, and procedures comply with the NIST standards and guidelines.
2. x) Help track and coordinate activities related to the Client's efforts to ensure that its industrial control systems comply with NIST security practices.
3. xi) Help organize and consolidate risk assessments on different technologies used by the Client, to help determine and prioritize remediation plans.

xii) Draft policies, standards, and guidelines related to cybersecurity.

xiii) Help develop and collect metrics for determining the status of cybersecurity related initiatives.

xiv) Provide technical expertise and hands-on assistance with day-to-day operations of the security solutions-for individuals working in the Agency's Technology Department.

Required Background:

1. Bachelor s degree in Computer Science, Information Systems, Cybersecurity, or related field.
2. Formal training or certifications, as referenced in the Scope of Work, in technology and cybersecurity domains with a focus on risk concepts, ideally with applied experience in a government entity.
3. Minimum of ten (10) years of progressively responsible experience in the Information Technology Security or Cybersecurity field.
4. Experience with industry standards such as NIST 800, ISO 27001, and SANS Critical Security Controls.
5. Strong understanding of cybersecurity principles, concepts, and best practices.
6. Proficiency in cybersecurity governance, including developing policies, procedures, and standards.
7. Experience in conducting risk assessments and compliance audits based on industry standards and regulations.
8. Familiarity with governance frameworks such as COBIT, ITIL, and COSO.
9. Ability to collaborate with stakeholders to identify and mitigate cybersecurity risks.
10. Strong communication and presentation skills, with the ability to convey complex cybersecurity concepts to non-technical audiences.
11. Experience in project management, including the ability to manage multiple initiatives simultaneously and drive projects to successful completion.
12. Commitment to continuous learning and staying abreast of emerging cybersecurity trends and regulatory requirements.
13. Experience in assisting with the management of staff for administrative items, project management, QC/QA of work products, report writing, and other related matters. as needed.