Overview
On Site
USD 90,000.00 - 115,000.00 per year
Full Time
Job Details
Job Description
ECS is seeking a Security Control Assessor with 5+ years of Cybersecurity experience, to work Remotely. Please Note: This position is contingent upon contract award.
Salary Range: $90,000 - $115,000
General Description of Benefits
Required Skills
- Strong written and verbal communication skills.
- Strong communication ability across all levels of management.
- Experience in planning and completing assessments independently and/or with a team of security control assessors.
- Three (3)+ years' experience supporting security assessment teams is required.
- Experience in presenting control requirements and deficiencies to both technical and non-technical audiences.
- Experience performing detailed, full-scope technical security control testing for each of the component types, including development of security and privacy assessment plans is required.
- Ability to analyze information system configurations and technical specifications against NIST SP 800-53 and other overlays.
- Possesses a strong understanding of the NIST Special Publication 800-53 security and privacy controls, the NIST Cybersecurity Framework and other information security and privacy laws and regulations.
- Experience with development and writing of risk-based assessments and documentation.
- Experience with Power Automate, Power BI, and Microsoft Project Online.
- Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.
- Experience with cloud technology offerings from AWS and Azure and assessing systems hosted within those environments.
- Experience performing assessment in accordance with the policies, procedures, and standards of the Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), and Treasury.
- Certifications/Licenses:
- Bachelor's degree or higher in Computer Science, MIS/IT, Engineering, Information Security/IA, or a discipline related to the work requirement.
- Five (5)+ years of Information Security experience required.
- Two (2)+ years of experience with the use of eGRC tools.
Desired Skills
- Experience in the review and updates to existing information security policy, standards, and procedures based on federal and departmental regulations.
- Experience assessing existing and new FISMA systems, including subsystems in the respective system boundary, and communicating the results and potential implications of identified control weaknesses.
- In-depth knowledge in the review and analysis of Assessment & Authorization (A&A) packages for completeness and accuracy, to include System Security Plans (SSP), Risk Assessments, Information System Contingency Plans (ISCP), Back-up Standard Operating Procedures (SOP), Incident Response Plans (IRP), Configuration Management Plans (CMP), Hardware/Software lists, Network Diagrams, Data Flows, System Change Requests/Proposals, Vulnerability scan reports, test reports, and Plan of Actions & Milestones (POA&Ms).
- Creation and management of test cases for security assessment testing and performance of security testing at the control-requirement level for unique components of systems within an authorization boundary (e.g., application, web application server, financial systems, database server/instance, operating systems, specialized appliances, network and infrastructure devices, and end-user devices (e.g., mobile phones, laptops, etc.)).
- Development and execution of a security and privacy assessment plan in accordance with NIST SP 800-53A.
- First-hand experience documenting and providing findings and recommendations that are concise, system-specific, and actionable.
- Experience in analyzing security reports to determine residual risk or false positives before assigning findings.
- Preferred Certifications: Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Risk and Information Systems Control (CRISC), or Certified Information Security Auditor (CISA).
ECS is an equal opportunity employer and does not discriminate or allow discrimination on the basis of any characteristic protected by law. All qualified applicants will receive consideration for employment without regard to disability, status as a protected veteran or any other status protected by applicable federal, state, or local jurisdiction law.
ECS is a leading mid-sized provider of technology services to the United States Federal Government. We are focused on people, values and purpose. Every day, our 3300+ employees focus on providing their technical talent to support the Federal Agencies and Departments of the US Government to serve, protect and defend the American People.