The contractor shall support and participate in IT system penetration tests of Department Component
systems. These tests range from basic authorized independent vulnerability scans of Component systems
using tools such as Tenable Nessus to more in-depth authorized penetration testing of a system's
vulnerabilities using tools such as Metasploit and Core Impact. Contractor support activities include, but
are not limited to:
Planning the system testing with the Component, including developing an understanding of the system being tested.
Developing the Rules of Engagement and Test Plan document for the testing.
Conducting the testing.
Compiling, aggregating and analyzing the test results.
Developing the final briefing presentation, which details the test results and key findings.
Conducting the results/close-out meeting with the Component.
The contractor shall also support the ITSS Information Security Technologies (IST) Team in managing and supporting the enterprise security tools licensed by the Department. These include existing tools and those that might be acquired in the future. Existing tools include IBM's BigFix, McAfee Vulnerability Manager (Foundstone), Tenable's Nessus, Application Security's DbProtect and Cenzic Hailstorm.
Contractor support activities include, but are not limited to:
Having significant experience with the entire enterprise tool set, including how to deploy, use, interpret results from and troubleshoot the specific tools. Many of these tools are also used in the penetration test engagements.
Supporting the Department's Components with any questions they may have relating to the implementation, use and troubleshooting of the tools.
Researching and suggesting additional tools to evaluate for possible future acquisition.
The contractor shall also support the IST Team in reviewing the security design of the developing mobile and wireless infrastructure and assessing the security of new mobile technologies. A major area of focus includes identifying potential vulnerabilities. Contractor support activities include, but are not limited to:
Conducting reviews of the existing and proposed mobile technology architecture.
Conducting reviews of a possible Wi-Fi architecture.
Researching new mobile technologies and identifying possible risks.
Conducting penetration tests of the mobile device management (MDM) and mobile application management (MAM) systems.
The contractor shall also support the IST Team in managing and supporting the Department's enterprise
security configuration management. Contractor support activities include, but are not limited to:
Working with the Department Components in implementing software settings to comply with the Department configuration management policy.
Supporting the update of the Department configuration management policy, as appropriate.
Education / Experience:
BA/BS plus 2-5 years of experience