Information System Security Manager (ISSM)

Location
Alexandria, Virginia
Posted
Apr 24, 2017
Closes
Jun 13, 2017
Hours
Full Time

Overview

The Information Systems Security Manager (ISSM) supports IDA's classified and unclassified information systems and represents IDA with the cognizant US Government accrediting agencies. The ISSM provides technical leadership for up to three Information System Security Officers (ISSOs); collaborates closely with IDA researchers, IT, and US Government accrediting agencies to identify appropriate security control baselines and to ensure they are implemented before a system is introduced into a production environment; reviews and authorizes proposed changes to ensure they are made in a controlled and documented fashion; develops an information systems security education, training, and awareness program; manages and coordinates information security monitoring, inspections, and classified spill or data loss incident response; and leads IDA's efforts to manage inspections of IDA unclassified and classified systems by US Government agencies.

Responsibilities

  • Responsible for IDA industrial security information systems security programs.
  • Serves as Information Systems Security Manager (ISSM) for IDA classified and unclassified systems.
  • Makes sound decisions and manages all aspects of information systems security as it applies to systems that are accredited by DOD and Intelligence Community agencies.
  • Develops, implements and manages a formal information systems security program.
    • Ensures ISSOs, IT staff, and users follow established information security policies and procedures to protect, operate, maintain, and dispose of systems and data in accordance with the security policies and practices outlined in the assessment and authorization document packages.
  • Develops, reviews, maintains and oversees all information System Security Plans (SSPs) and Assessment and Authorization documentation in accordance with DoD mandated policies.
  • Coordinates with the Facility Security Officer/Senior Insider Threat Security Official to ensure insider threat detection and awareness is addressed.
  • Represents IDA with cognizant US Government agencies responsible for classified computing.
  • Develops and maintains relationships with many DOD and Intelligence Community agencies for the purpose of obtaining and maintaining authority to operate (ATO) on IDA classified systems.
    • Engages in continuous dialog with US Government agencies to communicate changes in IDA's security posture and to learn of new government systems security requirements.
  • Works with US Government Security Control Assessors (SCAs) and Authorizing Officials (AOs) to develop a comprehensive Risk Management Framework (RMF) package including System Security Plans (SSPs), Information Security Continuous Monitoring Plans, and a Body of Evidence to support system authorization.
  • Conducts risk assessments to identify potential threats, gauge the likelihood of exploitation based on mitigating factors, and determine the residual risk level for individual systems.
    • Collaborates closely with IDA researchers, IT, and US Government accrediting agencies to identify appropriate security control baselines.
  • Advises IT on required security configurations and assists with the development of technical security enhancements.
  • As a voting member of the IDA Change Management Board, reviews proposals for changes to hardware and software on classified information systems and assesses the security impact of proposed modifications to each information system.
  • Reviews and ensures implementation of bulletins and advisories that impact the security posture of information systems covered by SSPs.
  • Oversees collection and continuous monitoring of security related information from classified systems.
    • Performs a technical assessment of a system's implemented security configuration to ensure compliance before the system moves to a production environment.
    • Conducts reviews and technical inspections to ensure compliance with IDA and US Government policies, and to identify vulnerabilities or security weaknesses. Recommends corrective actions and ensures proper vulnerability reporting.
    • Ensures the ISSOs regularly audit all systems under their purview to validate proper use, and that all documentation (e.g., training records, system baselines, etc.) is kept current.
  • Manages and coordinates security compliance incident response, such as classified spills.
  • Ensures procedures are developed and followed for responding to security compliance incidents and for investigating and reporting security violations and incidents as appropriate.
  • Leads IDA efforts to manage inspections of IDA unclassified and classified systems by US Government agencies.
    • Manages the inspection process while DOD inspectors are at IDA.
    • Leads periodic cyber self-inspections to assess systems against DISA STIGs, NISPOM Chapter 8, or DJSIG/JSIG requirements using the following vulnerability scanning tools: Security Content Automation Protocol (SCAP) scans, STIG Viewer, ACAS, and Retina.
    • Trains IT staff and ISSOs on how to use vulnerability scanning tools and determines which systems will be assessed.
    • Ensures a Plan of Action and Milestones (POA&M) is maintained for all security related vulnerabilities and continually updates SCAs and AOs on the current status of planned activities for correcting vulnerabilities associated with required security controls.
    • Leads an annual internal Command Cyber Readiness Inspection of the IDA SIPRNet as a part of this effort.
    • Analyzes results and prepares the final management report with recommendations and any required action plans.
  • Develops an information systems security education, training, and awareness program.
    • Ensures all ISSMs, ISSOs, security personnel, IT staff, and users receive the required technical and security training, and appropriate briefings.
  • Performs other duties as assigned.

Qualifications

  1. U.S. Citizenship is required.
  2. Bachelor's degree in an IT-related or similar relevant field, or equivalent experience.
  3. Minimum four years' experience in Information Technology or in an Information System Security Officer/Manager role. At least two of the four years must be in an ISSO/ISSM role.
  4. Experience supporting various computer hardware platforms and multiple operating systems, in both stand-alone and network configurations.
  5. Working knowledge of operating system security features and settings (e.g., Windows, Linux).
  6. Working knowledge of security configuration requirements for individual applications (e.g., Microsoft Office, web browsers, network devices, etc.) and of physical security.
  7. Candidate must have the following Information Assurance certifications or security training, or obtain them within 6 months of hire:
     • RMF training as specified in the DSS Assessment and Authorization Process Manual
     • DOD 8570.01-M certification at IAM Level III, such as CISM, CISSP, or GSLC
  8. Customer service skills, including good interpersonal skills, the ability to communicate effectively with all levels of employees, and a professional demeanor.
  9. Ability to obtain and maintain a Top Secret/SCI clearance.