The Cybersecurity Assessment and Authorization Analyst provides support to the Department of Health and Human Services, Indian Health Service (IHS). This position is responsible for executing and assisting in the completion of security certifications and for providing support in the development and implementation of a program to manage all aspects of compliance with government regulations.
ESSENTIAL DUTIES AND RESPONSIBILITIES
Essential duties and responsibilities include the following. Other duties may be assigned.
Responsible for the integration of CNI Core Competencies into daily functions, including: commitment to integrity, knowledge/quality of work, supporting financial goals of the company, initiative/motivation, cooperation/relationships, problem analysis/discretion, accomplishing goals through organization, positive oral/written communication skills, leadership abilities, commitment to Affirmative Action, reliability/dependability, flexibility and ownership/accountability of actions taken.
Assists in developing and implementing a program for tracking and reporting Federal Information Security Management Act (FISMA) compliance activities, including annual contingency plan tests, annual privacy impact assessments, quarterly Plan of Action and Milestones (POA&Ms) updates and user access reviews.
Assists system owners in developing security authorization packages that are fully compliant with National Institute of Standards and Technology (NIST) guidelines.
Reviews and updates the system security categorization and risk assessments for each system annually or upon significant change.
Annually reviews and updates the security and contingency plan for each system and makes recommendations to address significant deficiencies.
Evaluates the implementation of security controls as required by NIST. Prepares security authorization packages using approved customer templates.
Conducts annual security controls effectiveness testing. Documents findings and advises and monitors remediation efforts on all systems.
Annually reviews and assesses external partner and affiliate infrastructure to maintain the acceptable risk level set by the customer's Authorizing Official (AO).
Assists in meeting mandates, directives, reporting, and other security-related processes with respect to Federal regulations such as FISMA; Health Insurance Portability and Accountability Act (HIPAA); Office of Management and Budget (OMB) mandates; Homeland Security Presidential Directives (HSPD); Federal Information Processing Standards (FIPS) and NIST guidance implementation, oversight and compliance.
Conducts significant research, evaluation, recommendation, and documentation development such as security assessment reports, methodologies, briefings, and presentations.
Conducts risk assessments on customer systems and networks and documents them in accordance with the NIST Risk Management Guide for Information Technology Systems.
Reviews and updates risk assessments when significant changes occur to systems/network.
Ensures customer information and information systems are adequately protected from unauthorized access, use, disclosure, disruption, modification or destruction. Briefs and provides documented results to staff. Briefs include, at a minimum, areas of conformance to directives, corrective recommendations for deficiencies, and POA&M explanations to correct deficiencies.
Analyzes major IT systems, from a security perspective, during the initial phases of system development and throughout the systems development lifecycle.
Reviews standard security configurations to assure compliance with federal directives and industry best practices. If standard security configurations are not established, assists in developing and implementing them on an as-needed basis.
Conducts onsite information security audits.
Assists with self-assessments or reviews and provides assistance on security processes. Prepares a written report with recommendations to be presented to local management officials.
Based on audit results, develops and manages mitigation strategies that lead to the elimination of vulnerabilities and improved audit scores.
Performs penetration testing to test resources and validate current security controls protecting systems and applications. Prepares recommendations to correct vulnerabilities.
Provides security subject matter expertise in the development process of clinical applications to ensure compliance with Meaningful Use/HIPAA requirements.
Responsible for aiding in own self-development by being available and receptive to all training made available by the company.
Plans daily activities within the guidelines of company policy, job description and supervisor’s instruction in such a way as to maximize personal output.
Responsible for keeping own immediate work area in a neat and orderly condition to ensure safety of self and co-workers. Will report any unsafe conditions and/or practices to the appropriate supervisor and human resources. Will immediately correct any unsafe conditions to the best of own ability.
Bachelor's degree in Computer Science or a related field of study and a minimum of four (4) years relevant experience, or equivalent combination of education / experience. Must have at least one year of information security experience and one year of certification and accreditation (C&A) compliance / Security Assurance (SA) experience (preferably NIST based). Experience administering large, complex networks. Experience with current and emerging technologies that involves implementing, administering, performing tests and analyzing all elements of network systems, systems security, and design assurance. Ten years of experience may be substituted in lieu of degree.
JOB SPECIFIC KNOWLEDGE / SKILLS / ABILITIES
Working knowledge and understanding of OMB, FISMA, FIPS, HIPAA and other federal regulations and requirements associated with Information Security
Specialized knowledge and advanced skills in the tools, concepts, practices and procedures of security incident management, threat intelligence and continuous monitoring
Knowledgeable of security-related processes with respect to Federal risk and compliance regulations best practices
Ability to read, analyze, develop and interpret common information systems security documents
Expert computer skills with advanced proficiency in a Windows and Linux based computer environment
Excellent critical thinking skills with ability to identify, analyze and resolve problems / complex issues
Excellent verbal and written communications skills with ability to prepare quality reports and effectively communicate / interact with a wide variety of technical and non-technical audiences (i.e., customers, team members, management and federal staff)
Exceptional customer service skills with ability to respond to requests in a professional, helpful and timely manner
Highly organized with ability to effectively manage multiple projects and priorities
Ability to work in a fast-paced environment and to learn and apply new knowledge and techniques related to incident response and continuous monitoring capabilities
Ability to effectively work both independently and in a team environment for the successful achievement of goals
CERTIFICATES, LICENSES, REGISTRATION
CISSP, SANS GIAC, Security+, Network+, Linux+, MCSE, CCNA or SSCP certifications preferred
Ability to calculate figures and amounts such as discounts, interest, commissions, proportions, percentages, area, circumference and volume. Ability to apply concepts of basic algebra and geometry.
Ability to define problems, collect data, establish facts, and draw valid conclusions. Ability to interpret an extensive variety of technical instructions in mathematical or diagram form and deal with several abstract and concrete variables.
Ability to read, analyze and interpret common scientific and technical journals, financial reports, and legal documents. Ability to respond to common inquiries or complaints from customers, regulatory agencies, or members of the business community. Ability to write speeches and articles for publication that conform to prescribed style and format. Ability to effectively present information to top management, public groups, and/or boards of directors.