Role Description:
• Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.
• Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy.
• Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
• Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks.
• Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
• Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network.
• Verify and update security documentation reflecting the application/system security design features.
• Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
• Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).
• Participate in Risk Governance process to provide security risks, mitigations, and input on other technical risk.
• Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
• Assure successful implementation and functionality of security requirements and appropriate information technology (IT) policies and procedures that are consistent with the organization's mission and goals.
• Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment.
• Ensure that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary.
• Support necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs).
• Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.
• Assess the effectiveness of security controls.
• Assess all the configuration management (change configuration/release management) processes.
• Establish acceptable limits for the software application, network, or system.
• Review Accreditation Packages (e.g., NIST Risk Mgt Framework).
Required Qualifications & Education:
• Seven (7)+ years of relevant cyber-security experience and an advanced degree in a technical/cyber-related field. Direct experience or directly relevant certifications may substitute for the academic credentials.
• At least five (5) years of experience working in an Information Security Governance, Risk and Compliance role, demonstrating at a minimum:
o Expertise in writing technical and risk management reports.
o Strong analytical, problem-solving, and organizational skills.
o Subject matter expertise in assessing and mitigating risks associated with vendor relationships, vendor risk assessments and control evaluations, and performing risk-based due diligence.
o Technical understanding of the cybersecurity landscape and working knowledge of common information security and privacy controls, guidelines and standards (e.g., ISO 27001, SOC 1/2, NIST SP 800-53, NIST SP 800-171).
• At least three (3) years of experience working with third-party risk management, demonstrating at a minimum:
o Experience in third-party risk from a cyber perspective
o Developing and implementing supportable and sustainable processes to manage third-party cyber risks
• Hold and provide proof of one of the following certifications: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Third-Party Risk Professional (CTPRP), Certified Information Security Manager (CISM), or Certified Third-Party Risk Assessor (CTPRA).
Clearance and Location Requirements:
• Ability to obtain a Public Trust clearance is required.
• This position is currently fully remote.
We're ready to discuss your needs or dive in on your cyber defense journey. Let us know how we can help.