This job has expired

Information Systems Security Officer (Senior)

Employer
VariQ Corporation
Location
Arlington, VA
Closing date
Jan 27, 2021
Overview
VariQ has an exciting opportunity for a highly qualified Information Systems Security Officer (Senior) located in Arlington, VA. The information system security officer (ISSO) is responsible for the cybersecurity of a program, organization, system, or enclave. The ISSO ensures that the security and privacy posture is maintained for an organizational system and works in close collaboration with the FDIC system owner. The ISSO serves as a principal advisor on all matters, technical and otherwise, involving the security and privacy controls for the system and has the knowledge and expertise to manage the security and privacy aspects of an organizational system.

Additional Information
Location
Arlington, VA
Salary
Dependent upon experience
Available upon award, currently in the proposal stage

Responsibilities
Identify the security and privacy requirements allocated to a system and to the organization. Identify the characteristics of a system. Contribute to determining the boundary of a system. Collaborate with the System Owner to categorize the system and document the security categorization results as part of system requirements. Identify stakeholders who have a security and/or privacy interest in the development, implementation, operation, or sustainment of a system. Identify the stakeholder protection needs and stakeholder security and privacy requirements. Identify the types of information to be processed, stored, or transmitted by a system. Identify stakeholder assets that require protection. Conduct an initial risk assessment of stakeholder assets and update the risk assessment on an ongoing basis. Select the security and privacy controls for a system and document the functional description of the planned control implementations in a security/privacy plan. Develop a strategy for monitoring security and privacy control effectiveness; coordinate the system-level strategy with the organization and mission/business process-level monitoring strategy.
Develop, review, and approve a plan to assess the security and privacy controls in a system and the organization. Document changes to planned security and privacy control implementation and establish the configuration baseline for a system. Respond to system risk posture based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in a plan of action and milestones (POAM). Prepare a plan of action and milestones based on the findings and recommendations of a security assessment report excluding any remediation actions taken. Update a security plan, security assessment report, and plan of action and milestones based on the results of a continuous monitoring process. Review the security and privacy status of a system (including the effectiveness of security and privacy controls) on an ongoing basis to determine whether the risk remains acceptable. Report the security status of a system (including the effectiveness of security and privacy controls) to an authorizing official on an ongoing basis in accordance with the monitoring strategy. Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc. Ensure that security improvement actions are evaluated, validated, and implemented as required.

Qualifications

Skills
Skill in creating policies that reflect system security and privacy objectives. Skill in applying confidentiality, integrity, and availability principles. Skill in assessing security and privacy controls based on cybersecurity and privacy related principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.). Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect the security and privacy of the system. Skill in technical writing. Skill in writing about facts and ideas in a clear, convincing, and organized manner. Skill in evaluating the trustworthiness of the supplier and/or product.

Required Abilities
Ability to answer questions in a clear and concise manner. Ability to ask clarifying questions. Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means. Ability to communicate effectively when writing. Ability to prepare and present briefings. Ability to produce technical documentation. Ability to design valid and reliable assessments. Ability to operate common network tools (e.g., ping, traceroute, nslookup). Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts). Ability to apply critical reading/thinking skills. Ability to evaluate information for reliability, validity, and relevance. Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts both internal and external to the organization to leverage analytical and technical expertise. Ability to think critically. Ability to monitor advancements in information privacy technologies to ensure organizational adaptation and compliance. Ability to understand technology, management, and leadership issues related to organization processes and problem solving. Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies.
Ability to integrate information security requirements into the acquisition process; using applicable baseline security controls as one of the sources for security requirements; ensuring a robust software quality control process; and establishing multiple sources (e.g., delivery routes, for critical system elements). Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.

Required Knowledge
Knowledge of an organization's information classification program and procedures for information compromise. Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in US Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures. Knowledge of Application Security Risks (e.g., Open Web Application Security Project Top 10 list). Knowledge of authentication, authorization, and access control methods. Knowledge of computer algorithms. Knowledge of controls related to the use, processing, storage, and transmission of data. Knowledge of critical information technology (IT) procurement requirements. Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations. Knowledge of current and emerging threats/threat vectors. Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities. Knowledge of cyber defense and information security policies, procedures, and regulations. Knowledge of cyber defense and vulnerability assessment tools and their capabilities. Knowledge of enterprise incident response program, roles, and responsibilities.
Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). Knowledge of incident categories, incident responses, and timelines for responses. Knowledge of incident response and handling methodologies. Knowledge of industry-standard and organizationally accepted analysis principles and methods. Knowledge of information security program management and project management principles and techniques. Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions. Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures. Knowledge of measures or indicators of system performance and availability. Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. Knowledge of network traffic analysis methods. Knowledge of new and emerging information technology (IT) and cybersecurity technologies. Knowledge of organization's risk tolerance and/or risk management approach. Knowledge of Payment Card Industry (PCI) data security standards. Knowledge of penetration testing principles, tools, and techniques. Knowledge of Personally Identifiable Information (PII) data security standards. Knowledge of resource management principles and techniques. Knowledge of server administration and systems engineering theories, concepts, and methods. Knowledge of server and client operating systems. Knowledge of system administration, network, and operating system hardening techniques.
Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). Knowledge of system life cycle management principles, including software security and usability. Knowledge of system software and organizational design standards, policies, and authorized approaches (e.g., International Organization for Standardization [ISO] guidelines) relating to system design. Knowledge of technology integration processes. Knowledge of the organization's enterprise information technology (IT) goals and objectives.

Preferred Experience and Certifications
This requires 8-10 years of relevant cyber security experience and is a Senior Position.

Relevant Certifications
CompTIA Advanced Security Practitioner (CASP)
CompTIA Security+
EC Council EC-Council Certified Ethical Hacker (CEH)
FISMA Certified FISMA Compliance Practitioner (CFCP)
GIAC Certified Penetration Tester (GPEN)
GIAC Certified Windows Security Administrator (GCWN)
GIAC Critical Controls Certification (GCCC)
GIAC Systems and Network Auditor (GSNA)
ISACA Certified Information Systems Auditor (CISA)
ISC2 Certified Authorization Professional (CAP)
ISC2 Certified Information Systems Security Professional (CISSP)
ISC2 Systems Security Certified Practitioner (SSCP)

Other Duties
Please note this job description is not designed to cover a comprehensive listing of activities, duties or responsibilities that are required of the employee for this job. Duties, responsibilities and activities may change at any time with or without notice.

Physical Demands and Work Environment
The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this position.
Reasonable accommodations may be made to enable individuals with disabilities to perform the functions. While performing the duties of this position, the employee is regularly required to talk or hear. The employee frequently is required to use hands or fingers, handle or feel objects, tools, or controls. The employee is occasionally required to stand, walk, sit, and reach with hands and arms. The employee must occasionally lift and/or move up to 25 pounds. Specific vision abilities required by this position include close vision, distance vision, and the ability to adjust focus. The noise level in the work environment is usually low to moderate.

Note
This job description in no way states or implies that these are the only duties to be performed by the employee(s) incumbent in this position. Employees will be required to follow any other job-related instructions and to perform any other job-related duties requested by any person authorized to give instructions or assignments. All duties and responsibilities are essential functions and requirements and are subject to possible modification to reasonably accommodate individuals with disabilities. To perform this job successfully, the incumbents will possess the skills, aptitudes, and abilities to perform each duty proficiently. Some requirements may exclude individuals who pose a direct threat or significant risk to the health or safety of themselves or others. The requirements listed in this document are the minimum levels of knowledge, skills, or abilities. This document does not create an employment contract, implied or otherwise, other than an "at will" relationship.

VariQ is an Equal Opportunity/Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, sexual orientation, gender identity, disability, protected veteran status, or any other protected class.
We consider diversity and inclusiveness to be core to our culture, and central to our commitment to fostering an empowering and supportive workplace.