Security Assessment & Risk Analyst
We’d like to hear from you. TalaTek looks for motivated people with information security backgrounds who are interested in growing with an entrepreneurial company. E-mail your cover letter and résumé to HR@TalaTek.com.

The Security Assessment & Risk Analyst is a mid-level position requiring the following abilities:
- Manage Security Assessment and Authorization (SA&A) tasks for both FISMA- and FedRAMP-based assessments, with in-depth knowledge of all documents required by the FedRAMP and FISMA SA&A processes.
- Assess and analyze risk, and produce formally documented risk assessments based on NIST standards, to verify that the Information Assurance (IA) design sufficiently mitigates IA risks.
- Define and plan procedures for securing technology, and coordinate with other team members and client resources to complete project requirements effectively.
- Identify, document and report security issues and concerns to the responsible officials, and document those issues in both FISMA and FedRAMP Security Assessment Reports (SARs).
- Manage Plans of Action and Milestones (POA&Ms) and the milestones needed to remediate IT and program security issues, and identify the areas where resource expenditure will most benefit the client.
- Review and optimize the technical solutions and processes used to monitor the security of the client’s infrastructure (firewalls, servers, applications, anti-spam/anti-spyware tools, forensic integrity checking, encryption, key management tools, etc.), and ensure they are as up to date and technically secure as possible.
- Support the technical security architect role: update design documents and instructional materials for non-security-focused teams, detailing the technical solutions and processes for security incident monitoring, audit and logging procedures that strengthen the security of the client’s infrastructure (the same components listed above).
- Provide in-depth understanding of the FedRAMP Third Party Assessment Organization (3PAO) processes and procedures, both in a support role and in an outside-audit role, and be able to explain these processes and procedures to potential clients.
In the Security Assessor/Auditor capacity, the Security Assessment & Risk Analyst will:
- Perform SA&A and FedRAMP 3PAO assessments and independent audits, and document the results in the required deliverables.
- Build annual Continuous Monitoring Plans and present them to clients.
- Analyze controls according to the Continuous Monitoring Plans developed for government and non-government clients, and the Security Assessment Plans developed for Cloud Service Providers (CSPs) during the FedRAMP process.
- Obtain and analyze evidence or confirmation of practice for the controls being assessed, and organize the evidence to demonstrate that each control was thoroughly reviewed.
- Document assessment results on the implementation/compliance status of each security control in the required FISMA and FedRAMP documentation.
- Record assessment results and continuous monitoring efforts in the TalaTek-designed GRC (governance, risk and compliance) tool to support on-demand risk metrics for clients, as necessary.
- Read and answer all work e-mails within one working day.
- Provide onsite (client) support and attend meetings as needed.
- Respond to outside audit requests and findings in support of various clients.
- Supply documents requested by auditors as necessary.
- Conduct on-site visits to client site(s) for:
  - Security control and documentation review
  - Site inspections (review of the Physical and Environmental Protection (PE) control family)
- Create white papers on security topics as needed for TalaTek or clients.
- Develop and implement new processes in response to changes in TalaTek, client, NIST and/or FedRAMP requirements.
Expectations – The successful candidate will:
- Work independently with minimal supervision
- Know how to seek guidance or assistance from the appropriate resources when necessary
- Apply great attention to detail when reviewing, updating and comparing documents and deliverables
- Communicate complex issues efficiently and effectively to peers, TalaTek leadership and clients
- Keep abreast of the latest technologies
- Multitask effectively
- Capitalize on strengths and identify areas for improvement
Requirements — The Security Assessment & Risk Analyst candidate will, at minimum, have:
- A CISSP, CAP, CISA or equivalent certification (held at hire or obtained within six months of hire) and continuing related professional development
- A Bachelor’s Degree in Computer Science, Information Systems, Engineering or an equivalent field, plus 4 – 6 years of experience in Information Security. Four (4) years of additional overall experience can be substituted for the Bachelor’s Degree.
- Proficient written and verbal communication skills, in order to interact effectively with clients, the project team and TalaTek leadership
Ongoing training requirements of the Security Assessment & Risk Analyst:
- Ongoing research and training to stay informed of current security best practices and relevant publications (e.g. NIST, FedRAMP, the National Vulnerability Database)
- Maintain the Continuing Professional Education (CPE) requirements associated with security and/or project management certifications
- Additional training requirements may be determined on a candidate-by-candidate basis from the results of ongoing observation and skills assessments; training determinations are discussed between TalaTek leadership and the candidate during annual skills assessments
- Training and information resources include:
  - National Institute of Standards and Technology (NIST) (http://csrc.nist.gov/publications/PubsSPs.html)
  - FedRAMP (http://cloud.cio.gov/fedramp)
  - International Information System Security Certification Consortium ((ISC)²) (https://www.isc2.org/aboutus/default.aspx)
  - Information Systems Audit and Control Association (ISACA) (https://www.isaca.org/Pages/default.aspx)
  - International Council of E-Commerce Consultants (EC-Council) (http://www.eccouncil.org/)
  - Project Management Institute (PMI) (http://www.pmi.org/)
  - Cloud Security Alliance (CSA) (https://cloudsecurityalliance.org/)