Security Policy/Audit Analyst

  • Apertus Partners
  • Greenbelt, Maryland, United States
  • Dec 05, 2018
  • Contractor
  • Information Technology

Job Description

Apertus Partners is seeking a Security Policy / Audit Analyst. The ideal contractor resource will have Subject Matter Expertise (SME) level knowledge of the National Institute of Standards and Technology (NIST) standards and, more specifically, the Cybersecurity Framework. The "Framework" is a prioritized, flexible, repeatable, performance-based, and cost-effective approach to managing cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services. In addition to the Framework, the candidate will be well versed in associated reference documents such as NIST SP 800-37, SP 800-39, SP 800-53, and FIPS Publication 199. The candidate will have led and / or actively participated in teams that have used the Framework to create new cybersecurity programs or improve existing ones. In the absence of SME knowledge of NIST standards and / or the Framework, SME knowledge of national / international standards or acts such as those of the International Organization for Standardization (ISO) or COBIT will suffice.

Federal Risk and Authorization Management Program (FedRAMP)

The ideal contractor resource will have Subject Matter Expertise (SME) level knowledge of the FedRAMP program standards and, more specifically, the Security Assessment Framework (SAF). FedRAMP is a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The SAF document details the security assessment process that Cloud Service Providers (CSPs) must follow to achieve FedRAMP compliance. The candidate will have demonstrated that he / she has led and / or actively participated in teams that have conducted security assessments under the FedRAMP program.

Risk Assessment

The ideal contractor resource will have Subject Matter Expertise (SME) level knowledge in planning, conducting, and reporting on information security risk assessments. The candidate will have demonstrated strong decision-making capabilities, with a proven ability to weigh the relative costs and benefits of potential actions and identify the most appropriate one, while at the same time being able to effectively influence others to modify their opinions, plans, or behaviors. The candidate will be well versed in creating and maintaining risk registers, in addition to producing regularly scheduled risk-based status reports and escalating issues / concerns as necessary. The candidate will be equally comfortable in lead or supporting roles on risk assessment work assignments.

Policy

The ideal contractor resource will have Subject Matter Expertise (SME) level knowledge in planning, conducting, and reporting on information security policy reviews. The candidate will have demonstrated the ability to develop information security policies, processes, and procedures. The candidate will also have demonstrated the ability to assess new security laws, policies, or standards to determine their program / department / organizational level impact. The candidate will have demonstrated the ability to formally document new policy proposals as well as updates to existing policies. The candidate will have demonstrated the ability to translate pertinent security risk assessment findings into policies and to categorize those policies as relating to 1) County Administrative Procedures (AP), 2) County Computer Security Guidelines, or 3) Federal / State / Local laws.

Communications

The ideal contractor resource will have demonstrated the ability to communicate thoughts, concepts, and processes clearly and concisely, both verbally and in writing, to senior / executive level management, legal experts, security experts, and internal / external auditors. The candidate will have demonstrated the ability to communicate verbally in multiple diverse settings, such as: 1) risk assessments, 2) policy reviews, and 3) assigned meetings (e.g. status, work group, steering committee). The candidate will have demonstrated the ability to apply information security best practices when producing written material on security risk assessment planning, policy reviews, gap analysis, status / progress reports, and action plans.


Scope of Work:

Meeting Attendance

The contractor resource will be responsible for attending all SPWG meetings as a representative of the EISO and for being fully prepared to discuss relevant agenda items.

Project Communications

The contractor resource will be responsible for communicating the status / progress of risk assessments, policy reviews, gap analyses, planning sessions, and issue resolution reviews to the County's CISO, the EISO Security Architect / Program Manager, senior / executive level management, County Attorney representatives, and / or internal auditors.

Work Products

The contractor resource will be responsible for developing, delivering, and maintaining all work products in accordance with predefined deadlines. Work products may include, but are not limited to, risk assessment and policy review plans / processes / procedures / findings, gap analysis templates / documents, risk registers, proposals for new policies and / or updates to existing policies, and status reports.


Policy Approvals

The contractor resource will be responsible for proposing and championing the approval of new policies, as well as updates to existing policies, as assigned by the CISO, the SPWG, and / or the EISO Security Architect / Program Manager.