Title: Vulnerability Management Analyst & Security Controls Assessor
Location: Rockville, MD (50% remote after 90 days)
CyberData Technologies Inc. is currently seeking to hire an experienced Vulnerability Management Analyst & Security Controls Assessor for our federal client located in Rockville, MD. This is a hybrid job combining vulnerability management analysis and security controls assessments, which will involve a variety of assessment and analysis duties, including:
- Perform vulnerability assessment scans on a daily basis against:
  - Hosts (various operating systems, virtualized hosts, and networking components)
  - Web applications (Apache, IIS, Nginx)
  - Code reviews (.NET, Java, JScript, C++, etc.)
- Perform analysis of scan results to determine applicability on a daily basis.
- Provide remediation guidance to system owners and stakeholders on a daily basis.
- Use expertise to provide mitigation strategies to help remediate vulnerabilities on a daily basis.
- Continually maintain the health of vulnerability scanning tools and ensure they are operating as expected on a daily basis.
- Review scan results from various tools and incorporate those results into the Security Assessment Report (SAR).
- Work with vulnerability scanning tool support engineers to identify, troubleshoot, and remediate issues on a daily basis.
- Perform compliance scans against defined Health Resources and Services Administration (HRSA) baselines on a weekly basis or as needed.
- Provide process improvement recommendations for day-to-day operations.
- Provide recommendations to system owners and information system security officers (ISSOs) for remediating vulnerabilities.
- Provide technical guidance to the Risk Management (RM) Team and other stakeholders on a daily basis.
- Provide insight on NIST 800-53 technical controls during assessments.
- Provide support to the Incident Response and Investigation Teams when called upon.
- Provide occasional training of vulnerability management tools to stakeholders.
- Write supporting documentation of vulnerability management processes and procedures.
- Work with the HRSA Risk Management team to determine risks to the system based on vulnerability results and compensating or mitigating controls in place.
- Help the risk management (RM) team review documents from customers, and handle interactions with customers on behalf of the team.
- Perform security control assessments (full and annual assessments) and develop assessment-related documentation (e.g., Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plans of Action and Milestones (POA&Ms)).
- Review POA&M weaknesses prior to closure to verify that remediation is complete.
- Perform tool upgrades, updates, and patches as necessary.
- Develop vulnerability reports and dashboards, in order to provide new insight into existing vulnerabilities.
- Implement various levels of automation among tools in the SOC's cybersecurity ecosystem and/or the HRSA IT infrastructure to improve the effectiveness and efficiency of vulnerability management.
- Conduct baseline configuration compliance scanning and work with system administrators to correct configuration issues to ensure compliance with agency configuration requirements.
Skills & Experience:
- Minimum of five to seven years of experience in both vulnerability management and security control assessments
- Experience performing security control assessments against a wide variety of systems, including cloud-hosted applications (e.g., SaaS, PaaS, IaaS), web applications, and general support systems.
- Experience writing Security Assessment Reports (SARs) for documenting security assessment results
- Experience reviewing scan results from various tools and incorporating those results into the security assessment process.
- Experience providing recommendations to system owners and ISSOs for remediating vulnerabilities.
- Position requires technical knowledge in computer network theory, IT standards and protocols, as well as an understanding of the lifecycle of cyberspace threats, attack vectors, and methods of exploitation.
- Experience with vulnerability assessment and reporting including comprehensive understanding of Vulnerability Management methodologies and procedures.
- Experience implementing, managing, or governing security technologies, including vulnerability scanning and related security tools (Nessus, nmap, OpenSSL, BigFix, or similar), is required.
- Experience with network and application security testing tools (WebInspect, Burp Suite, Netsparker, Paros) and scripting languages (Perl, Python)
- Operating system concepts - experience with both Windows and Linux environments.
- Static code scanning experience preferred but not required.
- Strong technical, analytical, and interpersonal skills
- Ability to work in a team-oriented environment
- Must be self-driven and work independently, and able to mentor more junior members of the team.
- Must be performance driven, detailed, and results oriented
- Bachelor's degree in IT or related field
- Certified Ethical Hacker (CEH) desired
- Strong communication and interpersonal skills with the ability to act as a resource for, provide customer service in a courteous manner to, and work effectively with diverse groups of people at various levels within an organization. Writing skills sufficient to compose and edit a variety of documents using correct spelling, grammar, and punctuation, with the ability to pay close attention to detail and proofread work carefully.
- Strong organizational skills sufficient to prioritize work and complete assignments accurately, either independently or as part of a team, under pressure of competing deadlines and with frequent interruptions, working from own initiative and/or following directions, policies, or procedures. Independently establish priorities and coordinate and complete assignments within established timeframes.
- Ability to identify customer needs and use analytical and decision-making skills to offer options and resolve problems in a variety of contexts
- Ability to effectively communicate technical issues, identify technical gaps, and the root cause of systemic issues across HRSA
CyberData is an equal opportunity employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law.