IT Security (Cybersecurity) Assessor

cyber, IT security, audit, assessment, SA&A, compliance, risk management
Full Time
Negotiable
Telecommuting not available
Travel not required

Job Description

B&M is hiring entry and mid-level IT Security Assessors for IT security testing, risk and vulnerability analysis, and consulting engagements on a Federal project. The IT Security Assessor will plan and conduct IT security assessments and testing of technical, management, and operational controls of Federal IT security and privacy programs and systems. These positions require an understanding of security principles, how they apply to system architectures, and the various testing methods utilized to ascertain the effectiveness of those controls. The candidate who fills the position will work in a team environment with an experienced Project Manager. This person will be assigned risk and vulnerability assessments under the direction of the Project Manager, and be expected to develop client-ready deliverables.

The candidate may perform any or all of the following: conduct IT security testing (risk and vulnerability analysis) of complex operational systems and facilities; define and describe risk exposure based on threats and exploit paths, while factoring in mitigating controls; provide recommendations for remediating detected vulnerabilities and compliance gaps; and conduct independent testing of corrective actions to validate risk/vulnerability resolution. The candidate, with guidance from the Technical Project Manager, is expected to be able to evaluate technical controls in areas including, but not limited to: the adequacy of encryption controls implemented across a variety of platforms to protect sensitive data in transit and at rest; the architecture, configuration, and use of antivirus and malware detection and management solutions; audit log generation, aggregation, and analysis; and authentication solution configuration and management.

Responsibilities:

  • Familiar with OMB Circular A-130 and NIST requirements, particularly NIST SP 800-37 Revision 2 and SP 800-53 Revision 5
  • Able to plan, conduct, and document IT security testing in accordance with NIST SP 800-53A Revision 5
  • Facilitates and conducts Security Control Assessments (SCA) and possibly additional advanced-level Continuous Monitoring Activities within internally hosted and cloud-based environments
  • Ensures cyber security policies are adhered to and that required controls are implemented
  • Validates respective information system security plans to ensure NIST control requirements are met
  • Develops resultant SCA documentation, including but not limited to the Security Assessment Report
  • Initiates recommendations associated with the findings on how to improve the customer’s security posture in accordance with NIST controls
  • Reviews the controls that support the Requirements Traceability Matrix (RTM) and the details of the System Security Plan (SSP) to determine completeness and accuracy
  • Follows and abides by the SCA Standard Operating Procedure (SOP) that is provided by the client
  • Provides Security Assessment Results to meet client requirements and standards, which will include at a minimum the following documents: SAR, RTM, and a detailed technical results document as stipulated by the client upon Security Assessment completion
  • Assists with the interpretation and analysis of Security Assessment Results upon completion of each Security Assessment and/or as requested to assist with post-assessment questions, to assess the vulnerability and risk to the system and to the customer or other connected systems
  • Able to lead small, less complex system assessments independently
  • Able to assist team members with proper artifact collection, using the client's examples of artifacts that will satisfy assessment requirements
  • Be proficient at testing, analyzing and interpreting Security Assessment Results for all systems, including but not limited to the following platforms:
    • Microsoft Server 2008/2012/Other, UNIX/Linux, Microsoft SQL Server, Oracle DBMS, Sybase DBMS, Windows 7, IIS, Mobile Device Management solutions, Routers/Switches/Firewalls, Printers/Faxes/Multi-Function Devices, .Net and Java custom-developed applications

Tools:

Familiarity with the following tools is preferred, but is not required: Archer GRC, Qualys, Tenable, CoreImpact, DbProtect, Nessus, IBM AppScan, Symantec Endpoint Protection, Symantec DLP, FireEye ATP, McAfee SIEM, McAfee IDS/IPS, ForeScout, MS Excel pivot tables.

Entry-Level Requirements:

  • Bachelor’s Degree in IT Security
  • 1-2 years of control assessment (SA&A) experience or a Master’s in IT Security with no experience
  • Experience in performing IT security testing, IT control assessments/audits, and/or IT Security Testing and Evaluation (ST&E) preferred
  • Knowledge of Federal information security standards and methodologies preferred, including FISMA requirements, OMB standards and guidelines, and NIST Federal Information Processing Standards (FIPS) Publications and Special Publications (NIST FIPS 199, NIST FIPS 200, NIST SP 800-37, NIST SP 800-53/A, etc.)
  • Ability to apply information security principles to enterprise applications, operating systems, and networks
  • Excellent written and verbal communication skills
  • CISSP Certification preferred, but not required

Mid-Level Requirements:

  • Bachelor’s Degree
  • 4+ years of Security control assessment (SA&A) experience
  • Experience in performing IT security testing, IT control assessments/audits, and/or IT Security Testing and Evaluation (ST&E) preferred
  • Knowledge of Federal information security standards and methodologies preferred, including FISMA requirements, OMB standards and guidelines, and NIST Federal Information Processing Standards (FIPS) Publications and Special Publications (NIST FIPS 199, NIST FIPS 200, NIST SP 800-37, NIST SP 800-53/A, etc.)
  • Ability to apply information security principles to enterprise applications, operating systems, and networks
  • Excellent written and verbal communication skills
  • One or more of the following certifications is required: CISSP, CEH, CISA, CISM, CAP

Citizenship Requirements:

U.S. Citizens only. Applicants selected will be subject to a government security investigation and must be able to pass a Federal background check for a public trust clearance.

Posted By

Alexandra Memmott

Dice Id : 90669661
Position Id : 684355