IT Security Policy Analyst - 1
Job DescriptionMindPoint Group is seeking a IT Security Policy Analysts who will be directly responsible for ensuring our government client staff have a positive and productive working relationship with other government client Components and or external agencies as applicable. The Information Security Policy Analyst is responsible for knowing all applicable federal mandates, how and where these mandates tie into government agency orders, policies, instructions, standards, handbooks and guides, as well as the impact of the security requirements on Component systems and mission. The Information Security Policy Analyst will oversee Component IT security activities and compliance, and provide hands-on assistance as appropriate to ensure Component success. In addition, the Information Security Policy Analyst is directly involved in supporting Components in various audit activities and also serve as the liaison between the auditors, Components, and the Department. The Information Security Policy Analyst supports Components with coordinating interviews and reviews Prepared-by-Client (PBC) deliverables for accuracy with audit request. Tasking includes:Establish and maintain positive and productive working relationships between headquarters and other client Components Support preparation activities for and the meeting of IT governance organizations consisting of high ranking officials from the Office of the CIO and Department Components who meet regularly to address specific IT security issues Support and assess individual IT commodity areas (eg, email, telecommunications, and mobility) in the Department and at the Components to: Identify and gain efficiencies (including supporting cost/benefit and return on investment (ROI) analyses) Ensure proper governance and investments alignment with the client IT Architecture and Security Architecture Draft, review, and comment as directed by the government POC on Department policy and instruction documents. Draft, review, and comment as directed by the government POC on translating federal requirements into Department policies and requirements, including, but not limited to: NIST publications, OMB guidance and requirements, FISMA and CNSS. Complete Security Authorization packages, to include system security plans, security assessment reports, POAM summaries and a continuous monitoring plan/assessment schedule, and present executive briefing to the government client management. The work is fully completed, reviewed, checked, and edited before presenting to the government client management. Ensure security risk assessments are conducted as appropriate on any system upgrades, software/hardware changes, etc. Provide hands-on Component assistance as necessary. Conduct formal Office of the Chief Information Officer system oversight review, provide feedback and document findings in CSAM. Provide hands-on assistance to Components to correct weaknesses as necessary. Ensure Component system inventory is accurate for FISMA reporting. Provide hands-on assistance to Components as necessary. Ensure Component hardware and software inventory and documentation is accurate and current. Provide hands-on assistance to Components as necessary. Ensure Component security authorization boundaries are properly defined and captured in the system security plans, and that all interconnection agreements are in place and current. Provide hands-on assistance to Components as necessary. Ensure Component system security authorization controls contain accurate implementation statements (formerly compliance descriptions) and assessments results, and that appropriate artifacts are uploaded in CSAM to support finding. Provide hands-on assistance as appropriate. Ensure Component systems offer appropriate controls for inheritance and the inheriting systems inherit only what's appropriate. Provide hands-on assistance to Components as necessary. Support Components with annual recertification of accounts - ensure new accounts have appropriate forms (and signed by appropriate approving authority) and any inactive accounts are deactivated within 90 days of last login. Provide hands-on assistance to Components as necessary. Ensure Component system scanning takes place in accordance with the Department's plans and schedule. Provide hands-on assistance to Components as necessary. Ensure Component systems have secure configuration baselines set and documented, and any deviations approved by the authorizing official. Ensure all audit Notification of Finding and Recommendation are entered into CSAM as a POAM. Ensure Component system POAMs have appropriate milestones, accurate description of the weaknesses and remediation, task owners, estimated cost to completion and realistic due dates. Provide hands-on assistance to Components as necessary. Ensure all systems update their annual incident response and contingency plans, conduct the appropriate training, document the appropriate POCs, and document the after action plans. All artifacts are uploaded into CSAM by the Department's due date. Provide hands-on assistance to Components as necessary. Ensure Components reach their CSAT and IT Professional training completion targets on time. Provide hands-on assistance to Components as necessary. Support Component to ensure clean audit results. Provide weekly summaries to the government client management (or Component management as the case may be) on accomplishments and any noteworthy items. Functional Responsibilities: The candidate may perform any or all of the following: Oversees and manages day-to-day operation of Information Systems. Optimize system operation and resource utilization, and performs system capacity planning/analysis while maintaining the security posture. Performs system security analyses on client networks and systems; provides guidance, training, research, and recommendations on client networks and AIS; performs security audits, evaluations, and risk assessments of complex operational systems and facilities and provides recommendations for remediating detected vulnerabilities; conduct security and internal control reviews of sensitive systems. The candidate conducts specific technical reviews to support non-standard operational requirements and systems; design, develop, and maintain unique security tools and techniques for conducting security assessments; provide advanced technical computer and communications security assistance; provide expert assistance and recommendations in the field of Information Assurance and Cybersecurity. Conducts security assessments, security authorizations , and evaluations of applications and systems processing sensitive or classified information; develop requirements and specifications for reviewing and approving procurement requests, major systems development activities, telecommunications and teleprocessing hardware and software, and hardware and software encryption techniques on the basis of security concerns; and assesses technology to ensure that security vulnerabilities are identified and remediated.QualificationsMinimum 6 years of general work experience and 3 years of relevant experience in functional responsibility. Active Top Secret clearance requiredBachelor's Degree, or an equivalent combination of formal education, experience (eight years of experience in Functional Responsibility area may be substituted for a Bachelor's Degree). A Master's Degree may be substituted for 4 years of general work experience. Candidates should be well-versed in risk management and must have experience working with SDLC, and performing security tasks throughout. Experience and working understanding of FISMA compliance, experience conducting all phases of Certification and Accreditation (C&A) and creating documentation in accordance with NIST guidance. Understanding and experience with CSAM is a PLUS. Candidate should have strong analytical and organizational skills. Candidate should have concise writing skills, excellent MS Word skills as well as other MS Office Applications. Personnel shall be well versed with NIST publications, OMB circulars and memoranda, and CNSS publications and their requirements and impact on system security.