This is a remote position.
Job Description – Security Assessor
1. POSITION TITLE
Security Assessor
2. REPORTS TO
Lead Security Assessor / Technical Manager
3. DELEGATION OF DUTIES DURING ABSENCE
Lead Security Assessor / Technical Manager
4. SUMMARY
The Security Assessor will conduct security control assessments of the security and privacy controls implemented by an information system to determine the overall effectiveness of those controls and the vulnerability state of the components, applications and databases residing within the system boundary. Following the NIST Cybersecurity Framework and the Risk Management Framework, and using NIST SP 800-53A assessment procedures, the Security Assessor verifies the security status of existing information systems holding an Authority to Operate (ATO), performs appropriate assessments on any new system developed or deployed by the customer, and conducts audits of security controls to support continuous monitoring of assigned systems. The role covers both systems that have previously been assessed and received an ATO and systems that have not yet been assessed and do not have an ATO.
5. RESPONSIBILITIES
· Develop, document and review System Rules of Engagement (ROE), Security Assessment Plans (SAPs) and Security Assessment Reports (SARs).
· Develop associated schedules and resource plans to complete the assessments.
· Perform quality control on the assessment and associated deliverables.
· Participate as an individual contributor for complex system assessments.
· Develop practical and risk-based approaches for security control implementation and vulnerability remediation.
· Work closely with ISSOs (contractors and Government) and the technical team and ensure all appropriate A&A supporting documentation is provided prior to conducting the assessment.
· Review and provide feedback on system boundaries, common controls, the security categorization of information systems, and the applicable security control baseline derived from that categorization.
· Conduct Security Assessment Kickoff briefings and SAR briefings.
· Review cyber/system/network security body of evidence and documentation for accuracy and completeness.
· Conduct security controls assessment of applicable security controls and privacy controls; assess implemented security controls and provide assurance that they are operating as intended.
· Analyze security control findings for information systems and applications to convey weaknesses.
· Document security assessment results accurately; read, understand, and convey vulnerabilities found during the assessments.
· Create security assessment results and document recommendations in a SAR for remediations and security control measures.
· Perform audits of each system and provide an authorization recommendation based on determination of risk to the customer.
· Audits will include unprivileged and privileged scans against each applicable system.
· Audits will include unprivileged and privileged database scans against each applicable database management system (DBMS).
· Conduct Post Assessment Meetings with the customer.
· Provide Plan of Action and Milestones (POA&M) support to ensure mitigations are completed or the teams are working to mitigate all vulnerabilities in a timely fashion and within customer policy timelines.
· Develop and maintain a schedule for conducting recurring Continuous Monitoring and/or ongoing CDM efforts once the initial assessments are complete.
· Perform continuous monitoring to ensure implemented security controls remain functional throughout the lifecycle of the information system.
6. MINIMUM EXPERIENCE AND SKILLS
· 1+ years of experience performing security testing and/or security control assessments.
· 1+ years of experience developing and documenting SAPs and SARs.
· 1+ years of experience utilizing NIST SP 800-53 and SP 800-53A.
· Knowledge of the NIST Cybersecurity Framework, Risk Management Framework, FIPS, and other NIST A&A publications.
· Experience assessing and providing recommendations on the following: Privacy Impact Assessment, Risk Assessment, System Security Plan, Disaster Recovery / Contingency Plan, and Incident Response Plan.
· Knowledge of the Systems Development Life Cycle (SDLC) and its application in the development of technology solutions.
· Knowledge and skills to perform and document the assessment.
· Understanding of tools such as Nessus, WebInspect, DbProtect and Splunk.
· Familiarity with cloud environments (services and security) and the FedRAMP A&A process.
· Effective verbal and written communication skills, with the ability to communicate with users and teammates at all levels.
· Effective technical writing and documentation processing skills.
7. MINIMUM EDUCATION
· BS/BA degree in Information Technology or related cyber/cyber-security field.
· Experience may be substituted for education on a case-by-case basis.
8. CERTIFICATIONS
· Must possess one of the following certifications:
o Cisco Certified Network Associate Security (CCNA Security)
o Cisco Certified Network Associate Cyber Security Operations (CCNA Cyber Ops)
o Cybersecurity Analyst (CySA+)
o GIAC Certified Incident Handler (GCIH)
o GIAC Systems and Network Auditor (GSNA)
o GIAC Certified Intrusion Analyst (GCIA)
o Certified Information Systems Auditor (CISA)
o Certified Information System Security Professional or Associate (CISSP or Associate)
o Certified Secure Software Lifecycle Professional (CSSLP)
o Certified Information Systems Security Officer (CISSO)
o CyberSec First Responder (CFR)
o CompTIA Advanced Security Practitioner (CASP+) Continuing Education (CE)
o CompTIA Cloud+ (Cloud+)
o Global Industrial Cyber Security Professional (GICSP)
o Securing Cisco® Networks with Threat Detection Analysis (SCYBER)
o BCR Cyber Technical Proficiency Testing Activity (highly preferred)
· All professional certifications and CPE credits must be up to date.