The majority of the day will be spent conducting risk assessments as part of the SA&A team. You will use HP Fortify to scan application source code for vulnerabilities and make recommendations and remediations that feed into the POA&M (Plan of Action and Milestones) process. You will collaborate with the team and present findings to the customer during a weekly meeting (in the form of a PowerPoint presentation).
1. 2-5 years’ experience in Information Security Role
2. Must have experience with the tool Fortify
3. Experience conducting risk assessments
4. 2-3 years’ experience with supporting Federal FISMA requirements
5. Understanding and experience executing NIST 800-37, NIST 800-39, and NIST 800-53
6. Ability to analyze information system configurations and technical specifications against security control standards and identify deficiencies and remediation strategies
7. Familiarity and experience with network security, vulnerability management, Assessment and Authorization (A&A), and Incident Response
8. Familiarity with network/server/application scanning tools such as Tenable Nessus, and NGS Squirrel
9. Strong analytical skills
10. Familiarity with static code analysis tools (e.g., Fortify and IBM AppScan)
11. BA or BS degree
12. 8500 compliant certifications
- Able to support the translating of vulnerability scan results into findings aligned to NIST SP 800-53 Revision 4 security controls
- Strong organizational skills and the ability to multi-task, set and follow priorities, and deliver timely products
- Comfortable speaking in front of technical and non-technical audience members
- Strong oral and written communication skills (technical writing skills preferred)
- High level of competence with MS Office products (Office suite, SharePoint, Project Server)
- Knowledge of emerging security policy, governance, and continuous monitoring technologies
- Understanding of security as it pertains to the following platforms: Windows, Oracle, SQL Server, Cisco IOS, Firewalls, and encryption technologies such as VPN, TLS, and SSL
- Understanding of FIPS 199 and FISCAM
- Degree in a STEM field of study preferred
- CISSP preferred
Additional Information: Customer-facing role that requires strong communication skills and the ability to explain security concepts to non-technical users. Must also work well within a team environment to accomplish goals. We want people who are very structured and process/detail oriented, ideally with backgrounds that have made them detail oriented.
Employee Value Proposition
Lots of opportunity for advancement. Flexible work hours. Long term opportunity to grow with established company. Great team environment. Very collaborative and hands on leadership.
Non-Technical Skills: Communication. Organization. Deadline driven. Team mindset or servant mentality. Must be willing to help others.
Technical Environment: FISMA, NIST, SharePoint, NESSUS Scanning Tools, Fortify or IBM AppScan, Windows, Oracle, SQL Server, CISCO IOS, Firewalls, and encryption technologies such as VPN, TLS, and SSL
Role: Conduct technical security compliance reviews of large and complex organizational network infrastructure, applications, and platforms. Identify potential security issues in accordance with NIST SP 800-53 Rev 4 and Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) using both manual and automated assessment methods. Use vulnerability scanning tools and translate their results into reportable findings. Analyze system configuration settings against industry best practices and client-approved baselines to identify potential security issues.
Review and evaluate security findings and make recommendations for remediation. Contribute to presentations and participate in debriefs to represent security interests. Understand FISMA requirements and propose actionable solutions to help the client meet them. Be familiar with Federal agency FISMA compliance requirements, NIST guidance, emerging cyber security trends, the challenges and solutions involved in modernizing legacy systems, and industry best practices. Have knowledge of assessing information system security implementations against NIST SP 800-53/53A Rev 4 security controls, testing technical security configuration settings, reviewing Nessus scan results for compliance with industry standards, supporting secure code reviews, and architecting and designing security applications as necessary.