
Senior Security Analyst

  • Full Time, onsite
  • Cyber Security Innovations
  • On Site Hybrid, United States of America
Salary undisclosed

Job Description

CSI is looking for a Senior Security Analyst to join our team supporting our government client. This position requires on-site support 1 day/week (Tuesday or Thursday) at our federal client's HQ located in Camp Springs, MD.

The successful candidate will assist the client with ensuring that all aspects of the Risk Management / Continuous Monitoring Program are operating as intended and make process improvement recommendations to drive efficiencies within the organization. The individual will act as a liaison between various groups within the client organization including but not limited to the Security Control Assessment Team (SCA), Risk Management and Internal Controls (RMIC) Group, and System Development & Maintenance Team, as well as other groups within the Information Security Division.

Responsibilities Include:

  • Using automated tools, identify presence and use of any unapproved technology components in the common operating environment to ensure compliance with the client's enterprise architecture and applicable reference models.
  • Work closely with the client's Audit Team to identify areas for process improvement.
  • Understand and incorporate lessons learned from internal and external audits across the enterprise's portfolio of IT systems by working closely with the client's Audit Team.
  • Validate results of control testing conducted by Information System Security Officers (ISSO) in support of annual self-assessment requirements for IT systems within the required testing frequencies as part of the Continuous Monitoring Program.
  • Review artifacts submitted as evidence of control testing results as a part of the self-assessment testing conducted by the ISSOs to validate reported test results.
  • Review, validate, and track false positives and known deviations in scan results reported by the ISSOs to provide assurance that IT system operation meets the security control implementation requirements specified in NIST SP 800-53 and supporting DHS guidance.
  • Review documentation submitted in support of requesting a waiver for compliance with specified security requirements per the NIST SP 800-53 and provide recommendations to client for approval and acceptance of associated risk.
  • Review and assess system changes to determine the level of independent security assessment required in support of the Security Impact Analysis process for the enterprise portfolio of systems.
  • Coordinate with the SCA team on testing of common controls, the client's RMIC Group for A-123 and external assessments, as well as the schedule for testing applications due to major changes.
  • Perform quality assurance reviews of security documentation as needed to ensure content meets the intended requirements and is suitable to determine the security posture and associated risk of an IT system.
  • Participate in process improvement initiatives to mature the client's internal business processes in areas including, but not limited to, vulnerability remediation, patch remediation efforts, STIG compliance, and standard OS images.
  • Develop and maintain documentation relating to internal security processes and procedures, including related training materials.
  • Develop briefings and presentations for Government PM and Executive Management.
  • Gather data in support of Data Calls and develop a written summary describing the results.
  • Perform other duties as assigned by the Government.
  • Ability to work efficiently and effectively in a dynamic and fast-paced environment.
  • Determine the clearest and most logical way to present information and instructions for greatest reader comprehension and write and edit technical information accordingly.
  • Meet with SMEs to ensure that specialized topics are appropriately addressed and discussed.

Required Skills, Qualifications and Experience:

  • Must be a US Citizen with suitable eligibility for Public Trust position.
  • Bachelor's degree in information technology or related field.
  • Minimum of 5 years of experience evaluating IT systems using NIST SP 800-53 in the federal government.
  • Must reside within a commutable distance to Camp Springs, MD in order to work a hybrid onsite schedule of 1 day/week (Tuesdays or Thursdays).
  • Previous experience using one or more of the following tools: tenable.io, Nexus IQ Server, Splunk Enterprise v 7.3 and higher, DoJ CSAM, JIRA/Confluence, CloudCheckr, PrismaCloud.
  • Working knowledge of the NIST SP 800-37 Risk Management Framework.
  • In-depth knowledge of the NIST SP 800-53 and direct experience applying the NIST SP 800-53 to document and evaluate IT system compliance with specified control requirements.
  • Previous experience as an IT Project Manager and/or possess the necessary IT background to accurately assess system changes and categorize them as a major versus minor change.
  • Demonstrates the ability to assess overall risk to an IT system and the data it stores, processes, or transmits, based on the type of IT system changes being implemented.
  • Ability to work independently and possess a solid understanding of cyber security concepts.
  • Ability to communicate clearly and effectively via written and verbal communication in both formal and informal situations.
  • Ability to clearly communicate complex technical concepts to Information Technology Project Managers, Database Administrators, Application Developers, and Security Compliance Analysts, as well as non-technical POCs such as Branch Chiefs and Business System Owners.
  • Ability to adapt to frequent changes in priorities, follow project schedules, meet established deadlines, and proactively communicate risks and issues to the Contractor PM and/or Federal Leads.
  • Ability to adapt to an Agile environment and provide quality, professional deliverables in a short timeframe with little to no guidance from the Government.
  • Possess good listening skills and the ability to detect explicit and implicit needs and wants of the client.
  • Demonstrated ability to exercise good judgment, prioritize multiple tasks, and problem solve under pressure of deadlines and resource constraints.
  • Possess strong analytical and critical thinking skills with the ability to apply them to the client/contract workspace.
  • Must have previous client-engagement experience.

Desired Skills, Qualifications, and Experience:

  • Previous experience supporting Department of Homeland Security federal clients preferred.
  • CISSP preferred, but not required.
  • Other security-related certification(s) such as CISA, CISM, and/or similar preferred, but not required.
  • May be asked to lead a team of up to 3 Security Analysts in coordinating workload, identifying dependencies, escalating risks, etc.

Cyber Security Innovations (CSI) is an equal opportunity employer committed to diversity and inclusion in the workplace. We prohibit discrimination and harassment of any kind based on race, color, sex, religion, sexual orientation, national origin, disability, genetic information, pregnancy, or any other protected characteristic as outlined by federal, state, or local laws. As a veteran-friendly employer, we encourage military veterans to apply.

This policy applies to all employment practices within our organization, including hiring, recruiting, promotion, termination, layoff, recall, leave of absence, compensation, benefits, training, and apprenticeship. CSI makes hiring decisions based solely on qualifications, merit, and business needs at the time.

CSI participates in the E-Verify Employment Verification Program.



Job Posted by ApplicantPro