IT Security Specialist/Risk Analyst

Applicants selected will be subject to a government security investigation and must meet eligibility requirements for access to classified information. Must be clearable to the Top Secret level and DHS component EOD is required. Active Secret/Top Secret clearance is preferred.
- Develop, update, and maintain appropriate Security Authorization (SA) packages based on NIST standards for general support systems and major applications
- Recommend appropriate FIPS 199 impact level designations and identify appropriate security controls based on characterization of the general support system or major application
- Develop and maintain POA&Ms for all accepted risks upon completion of system SA.
- Integrate with a team of skilled information technology security professionals demonstrating competence in the application of the security authorization guidelines and procedures
- Work with RMS and Trusted Agent FISMA to develop SA related documentation and track POA&M and vulnerability status.
- Be the audit liaison for the government client and work with the government audit POC. Audit liaison will in brief the customer and ISSOs, provide support to the audit team by arranging interviews and provide requested documentation to the audit team. The Audit liaison will out brief the customer and provide audit reports and summaries. The Audit liaison will work with ISSOs to ensure that all findings are documented as POA&Ms in TAF within the required timeframes. - Participate in DHS Critical Control Reviews (CCRs) as scheduled and assist the DHS CCR team with interview schedules, document requests, and determining systems available for CCR reviews.
Requirements:
Must possess 2 years dedicated information assurance/cyber security/IT audit experience. B.S. Degree in a related field is required but may be substituted with 4 additional years of professional Information Assurance experience. CISSP or CISA preferred.
- Ability to and interest in providing support and guidance to System Owner's through the six phases of the Risk Management Framework (NIST 800-37) and monitoring of Security Authorization (SA) artifact compliance, annual self-assessment (NIST 800-53A) completion, vulnerability scans, annual contingency plan testing, POA&M management and continuous monitoring. Must possess experience with FISMA and understand FISMA requirements. DHS FISMA related requirements experience a plus.
- Ability to work effectively in a team management environment and participate in collaborative initiatives which foster the mutual exchange of knowledge and expertise.
- Must be able to multi-task, work independently and as part of a team, share workloads, and deal with sudden shifts in project priorities.
- Ability to communicate effectively orally and in writing to build and maintain customer satisfaction and express conclusions and recommendations in a clear, technically sound manner on matters associated with IT security.
- Experience with developing Security Controls Assessment (SCA) schedules, Security Assessment Plans and analyzing the results of SCA activites to evaluate the existence and effectiveness of 800-53 security controls
- Perform as the audit liaison for the government client and work with the government audit POC. Audit liaison will brief the customer and ISSOs, assist/counsel the customer and ISSO (s) in preparing for the audit, interface and provide support to the audit team by arranging interviews and provide requested documentation to the audit team. The Audit liaison will provide the exit briefing to the customer and provide audit reports and summaries.
Desired Skills:- Working knowledge of the Trusted Agent FISMA tool (TAF) and the Risk Management System (RMS).- Awareness and knowledge of current information security issues and the ability to interpret the requirements of relevant policies and standards set forth in NIST documentation, specifically, 800-37, 800-53A, FIPS-199/200, and 800-30.
- Knowledge of NIST in regards to how it applies to FISMA reporting.
- Above average skills in MS Excel, and MS Access (to include ability to write macros, and/or code)
- CAP (Certification and Accreditation Professional)
- CISA (Certified Information System Auditor) or CISSP (Certified Information System Security Professional)