Security and Privacy Control Assessor Lead
- Job Title: Security and Privacy Control Assessor Lead
- Job ID
- Work From Home
- Remote, DC
- Other Location
Iron Vine Security is a rapidly growing information security and information technology company in Washington, DC. We are looking to hire a Security Control and Assessor Lead to support a full range of cybersecurity services on a long-term contract in Washington, DC. The position is full-time and permanent and will support a US Government civilian agency. The position is available immediately upon finding a qualified candidate with the appropriate background clearance.
· Strong written and verbal communication skills.
· Experience in planning assessments and serving as a senior member of a team of security control assessors.
· Three (3) years of experience managing security assessment teams is required.
· Experience in presenting control requirements and deficiencies to both technical and non-technical audiences.
· Six (6) years of experience performing detailed, full-scope technical security control testing for each of the component types, including development of security and privacy assessment plans is required.
· Ability to act as a liaison between client site personnel and the assessment team.
· Ability to analyze information system configurations and technical specifications against NIST SP 800-53 and other overlays.
· Possesses a strong understanding of the NIST Special Publication 800-53 security and privacy controls, the NIST Cybersecurity Framework and other information security and privacy laws and regulations.
· Experience with development and writing of risk-based documentation.
· Strong communication ability across all levels of management.
· Bachelor’s degree or higher.
· Eight (8) years of Information Security experience.
· Two (2) years of experience using eGRC tools is required. Experience with ServiceNow.
· Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified in Risk and Information Systems Control (CRISC), or Certified Information Systems Auditor (CISA).
Additional Experience Preferred:
· Experience performing Certification and Accreditation (C&A) activities, including risk assessments, Security Plans, Security Controls Assessments (SCA), and C&A documents.
· Experience working with Qualys Enterprise, Archer, Nessus, HCL AppScan, and technical outputs of the Kali Linux suite.
· Experience performing assessments in accordance with the policies, procedures, and standards of the Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), and the OCC.
Responsibilities:
· Review and update existing information security policy, standards, and procedures based on federal and departmental regulations.
· Perform independent security and privacy control assessments on behalf of the client CSO in support of Security Assessment & Authorization (SA&A).
· Plan and conduct assessments of existing and new OCC FISMA systems, including subsystems in the respective system boundary, and communicate the results and potential implications of identified control weaknesses.
· Create and maintain test cases for security assessment testing and perform security testing at the control-requirement level for each unique component of each system (e.g., application, web application server, financial systems, database server/instance, operating systems, specialized appliances, network and infrastructure devices, and end-user devices such as mobile phones and laptops).
· Develop and execute a security and privacy assessment plan, in accordance with NIST SP 800-53A (as amended) requirements, for each security assessment project. SA&A activities shall include support for RMF steps 4-6.
· Document and provide findings and recommendations that are concise, system-specific, and actionable.
· Analyze security tool reports and determine residual risk or false positives from technical reports and artifacts before assigning findings.
· Develop an assessment schedule, as part of the Integrated Master Project Schedule, which will be reviewed and approved by CA&C federal staff.