Information System Security Officer
Veris Group - Washington, DC


Looking for challenging work with customer impact? Join Veris Group, an industry-leading, award-winning cybersecurity company. We employ the most talented industry professionals to respond to our customers' most complex cyber challenges. Our rapid growth has been the result of an exciting entrepreneurial culture and attention to customer service. Take the next step to advance your career.

Information System Security Officers (ISSOs) are responsible for providing cybersecurity support on a system-by-system basis. The candidate serves as the principal information security advisor to the System Owners and works directly with the customer’s information assurance division personnel on all aspects of system security, FISMA compliance, governance, and risk management. This support includes:

Information Assurance Support

Security Authorization

Risk Management

Security Control Audits

User and Account Security

System Lifecycle Management Support

Summary of Duties:
Proactively manage Security Authorizations schedules for all systems that are assigned

Ensure required controls from the DHS 4300A/B/C and NIST Special Publications (SP) are documented and operating as required and intended for the Information System (IS)

Maintain up-to-date System Security Plans (SSPs) and verify that the implemented system security processes and controls are consistent with those documented in the SSP.

Develop and maintain Security Authorization (SA) documents for each assigned system, to include:

System Security Plan (SSP); Requirements Traceability Matrix (RTM); Contingency Plan (CP); FIPS-199 categorization; E-Authentication

Privacy Threshold Analysis (PTA) / Privacy Impact Assessment (PIA)

Key Control Testing

Risk Assessment

Waivers and Exceptions

Vulnerability Scan Requests

Provide support for Security Control Assessment (SCA) and security control testing.

Use the enterprise IA Compliance System (e.g., Xacta) to document the security of the information system.

Ensure customer Information Systems remain compliant with updated information security policies and procedures, including Secure Baseline Configuration Guides and the annual Information Security Performance Plans.

Perform risk assessments of proposed IS specifications, designs, development, implementation, and modifications

Execute and review vulnerability scans for their applicable systems and document, track, provide recommendations, and ensure that IS deficiencies are resolved.

Oversee timely patch management for each system component in accordance with the ISVM program

Maintain situational awareness of the current threat landscape affecting customer systems and components.

Initiate, track, and resolve Plans of Action & Milestones (POA&Ms), within required time allowances, whenever security issues pertaining to the IS are identified

Update POA&Ms in mandated enterprise IA compliance tool

Proactively manage the POA&M and Vulnerability Management schedules for systems assigned

Create waivers/exceptions as required

Report the security status of the IS to the customer

Work with physical security personnel to ensure the physical protection of IS assets

Ensure system utilizes applicable enterprise security services in support of continuous monitoring and risk management

Provide support for any external or internal audits.

Report security and privacy anomalies/events/incidents as required by incident reporting procedures

At the request of the SOC, assist in the investigation of security violations and incidents

Review applicable system audit logs (OS, application, and database) and ensure audit records are archived for future reference in accordance with the system requirements documented in the system’s audit policies and procedures

Ensure appropriate audit log collection for each system component as required by policy

Ensure security policies and safeguards are adhered to for all personnel having access to the IS

Ensure users have the requisite need-to-know and the appropriate clearance level (and special access level, if applicable) for accessing the system, prior to approving access

Verify new users have acknowledged receipt of and familiarity with the appropriate system security information and safeguards by signing the information system Rules of Behavior prior to being granted system access

Authorize user account provisioning according to the principle of least privilege, so that users receive only the system-level privileges required to conduct their work

Ensure termination activities are completed in a timely manner for users’ system accounts when users no longer require access to the information system

Ensure users complete requisite annual security awareness training

Attend security awareness and related training programs and distribute security awareness information to the system personnel and user community as appropriate

Maintain knowledge of the inventory of hardware and software within the program/development offices or field site facility

Monitor system development activities during the system development lifecycle to include security scan analysis and recommendations

Approve and oversee configuration management activities to ensure implemented changes do not compromise the security of the system

Maintain the IS in a secure state in accordance with its required protection level, keep it properly authorized to operate, and keep the security authorization package accurate, thorough, and continuously complete

Ensure system compliance with Secure Baseline Configuration Guides

Ensure compliance with all legal requirements concerning the use of commercial proprietary software, e.g., respecting copyrights and obtaining site licenses

Required Skills

Level I

Knowledge of NIST SP 800 series

Be able to obtain CISSP, CISM, or CAP or similar within 6 months of hire

Knowledge of DHS Information Security Policy Directives and Handbooks is preferred

Level II

Specialized knowledge of financial audit standards, classified system IA requirements, Privacy Act requirements, or Critical Infrastructure Protection

Knowledge of NIST SP 800 series

Possess CISSP, CISA, CEH or similar certification

Knowledge of DHS Information Security Policy Directives and Handbooks is preferred

Level III

Extensive knowledge of a variety of the IA field’s concepts, practices, and procedures to ensure the secure integration and operation of all systems

Extensive specialized knowledge of financial audit standards, classified system IA requirements, Privacy Act requirements, or Critical Infrastructure Protection

Knowledge of NIST SP 800 series

Possess CISSP, CISA, CEH or similar certification

Knowledge of DHS Information Security Policy Directives and Handbooks

Required Experience

Level I

Two years’ experience in the Information Assurance (IA) field; one of which must be FISMA-related

Bachelor’s Degree or a total of 6 years’ experience

Experience with evaluating system, network, or infrastructure security controls against requirements such as FISMA, FIPS, and NIST guidelines


Knowledge and experience with at least two of the following four criteria:

1. Vulnerability scanning, assessment, and analysis

2. Operating system and network knowledge (i.e., Local Area Networks [LAN] and Wide Area Networks [WAN])

3. Information security and assurance principles (e.g., defense-in-depth) and associated supporting technologies

4. Application security, database security, and network security

Must have at least a Secret clearance

Level II

Four to six years’ experience in IA; two of which must be FISMA related

Bachelor’s Degree or a total of 8 to 11 years’ experience

Experience with evaluating system, network, or infrastructure security controls against requirements such as FISMA, FIPS, and NIST guidelines

Knowledge and experience with at least three of the following four criteria:

1. Vulnerability scanning, assessment, and analysis

2. Operating system and network knowledge (i.e., Local Area Networks [LAN] and Wide Area Networks [WAN])

3. Information security and assurance principles (e.g., defense-in-depth) and associated supporting technologies

4. Application security, database security, and network security

Level III

At least seven years’ experience in IA; three of which must be FISMA related

Bachelor’s Degree or a total of 11 years’ experience

Experience with evaluating system, network, or infrastructure security controls against requirements such as FISMA, FIPS, and NIST guidelines

Knowledge and experience with at least three of the following four criteria:

1. Vulnerability scanning, assessment, and analysis

2. Operating system and network knowledge (i.e., Local Area Networks [LAN] and Wide Area Networks [WAN])

3. Information security and assurance principles (e.g., defense-in-depth) and associated supporting technologies

4. Application security, database security, and network security

Veris Group - posted 13 months ago