VariQ has an exciting opportunity for a highly qualified System Security Analyst in Washington, DC.
Salary: Dependent upon experience
Security Clearance: ability to attain a public trust required
Available: within 30 days
Perform the day-to-day management of the work and oversee the effort as an Information System Security Officer (ISSO) representative.
Develop and maintain all supporting documentation such as the FIPS 199 Security Categorization, Security Plan, Security Impact Assessment, Plans of Action & Milestones (POA&M), Privacy Threshold Analysis (PTA), Privacy Impact Assessment (PIA), IT Contingency Plans, E-Authentication Risk Assessment, ATO Letters and other specific documentation that are included in the A&A package.
Identify and/or track system interconnections and develop and maintain associated Interconnection Security Agreements (ISA) that adhere to Agency and NIST requirements.
Facilitate the Federal Information Security Modernization Act (FISMA) activities for all systems.
Adhere to the Risk Management Framework cycle for all information systems and ensure that Authorization to Operate statuses do not lapse.
Work closely with the Chief Information Security Officer (CISO) and Project Managers for related IT security compliance and testing requirements.
Ensure that the Automated Information Systems (AIS) are operated, used, maintained, and disposed of in accordance with internal security policies and practices.
Attend weekly Change Advisory Board (CAB) meetings for assigned Automated Information Systems, ensure system changes are reviewed and implemented properly, and report discrepancies to the CISO.
Review and analyze proposed changes to AIS and perform Security Impact Assessments (SIA) on proposed AIS changes to identify risks, scope of changes, security requirements, required security activities and overall recommendation.
Ensure that the AIS are authorized based upon NIST guidance utilizing the templates.
Enforce security policies and safeguards on all personnel having access to the AIS for which the ISSO has responsibility.
Perform user account access reviews on a periodic basis defined by Agency policy to enforce agency access control policies.
Ensure audit trails are reviewed periodically in accordance with policy and the Security Authorization documentation (e.g., weekly or daily).
Initiate protective or corrective measures if a security problem is discovered.
Determine when time-sensitive system patches identified by US-CERT and/or FS-ISAC shall be quickly implemented to protect systems.
Immediately report security incidents in accordance with Policies and Procedures to the CISO when an AIS is compromised or a suspected compromise has occurred.
Work proactively with government and other contractor staff to ensure that all areas of non-compliance are documented in a well-formed Plan of Action and Milestones (POA&M) and managed to a timely and satisfactory completion.
Evaluate known vulnerabilities to ascertain if additional safeguards are needed.
Maintain a plan for site security improvements and progress towards meeting the authorization/reauthorization of their respective AIS.
Perform all ISSO duties as directed by Baseline Security Requirements (BLSR) policy.
Implement the NIST Risk Management Framework (RMF) requirements.
Perform continuous A&A activities on systems following OMB, FISMA, NIST RMF and contract specific requirements and guidelines.
Monitor measures to correct deficiencies identified in audits or inspections.
The System Security Analyst shall support the ISSO in carrying out their roles and responsibilities for ensuring the documentation and security of the AIS. The System Security Analyst shall meet the following minimum qualifications:
Preferred certifications: Certified Information Systems Security Professional (CISSP) or Certified Authorization Professional (CAP).
5+ years IT Security experience, preferably in an ISSO or ISSM role.
Excellent written and verbal communication skills, including the ability to communicate effectively with internal stakeholders.
Experience with the NIST SP 800 series.
Ability to implement information security requirements for IT systems through the Risk Management Framework (RMF).