About the Role:
The information system security officer (ISSO) is responsible for the cybersecurity of a program, organization, system, or enclave. The ISSO ensures that the security and privacy posture is maintained for an organizational system and works in close collaboration with the FDIC system owner. The ISSO serves as a principal advisor on all matters, technical and otherwise, involving the security and privacy controls for the system and has the knowledge and expertise to manage the security and privacy aspects of an organizational system.
Role Responsibilities:
• Identify the security and privacy requirements allocated to a system and to the organization.
• Identify the characteristics of a system.
• Contribute to determining the boundary of a system.
• Collaborate with the System Owner to categorize the system and document the security categorization results as part of system requirements.
• Identify stakeholders who have a security and/or privacy interest in the development, implementation, operation, or sustainment of a system.
• Identify the stakeholder protection needs and stakeholder security and privacy requirements.
• Identify the types of information to be processed, stored, or transmitted by a system.
• Identify stakeholder assets that require protection.
• Conduct an initial risk assessment of stakeholder assets and update the risk assessment on an ongoing basis.
• Select the security and privacy controls for a system and document the functional description of the planned control implementations in a security/privacy plan.
• Develop a strategy for monitoring security and privacy control effectiveness; coordinate the system-level strategy with the organization and mission/business process-level monitoring strategy.
• Develop, review, and approve a plan to assess the security and privacy controls in a system and the organization.
• Document changes to planned security and privacy control implementation and establish the configuration baseline for a system.
• Respond to system risk posture based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in a plan of action and milestones (POA&M).
• Prepare a plan of action and milestones based on the findings and recommendations of a security assessment report excluding any remediation actions taken.
• Update a security plan, security assessment report, and plan of action and milestones based on the results of a continuous monitoring process.
• Review the security and privacy status of a system (including the effectiveness of security and privacy controls) on an ongoing basis to determine whether the risk remains acceptable.
• Report the security status of a system (including the effectiveness of security and privacy controls) to an authorizing official on an ongoing basis in accordance with the monitoring strategy.
• Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
• Ensure that security improvement actions are evaluated, validated, and implemented as required.
Required Qualifications:
• Bachelor's degree in Computer Science, Information Systems, or related degree or an additional three (3) years of relevant experience.
• 7+ years of relevant cyber security experience.
• One of the following certifications is required: CASP, GPEN, GMON, GISP, GSEC, GSLC, CISM, CISA, CAP, CCSP, SSCP, CISSP, CISSP-ISSMP.
• Skill in creating policies that reflect system security and privacy objectives.
• Skill in applying confidentiality, integrity, and availability principles.
• Skill in assessing security and privacy controls based on cybersecurity and privacy-related principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.).
• Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
• Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect the security and privacy of the system.
• Skill in technical writing.
• Skill in writing about facts and ideas in a clear, convincing, and organized manner.
• Skill in evaluating the trustworthiness of the supplier and/or product.
Clearance and Location Requirements:
• Ability to obtain a Public Trust clearance is required.
• This position is currently fully remote.