Senior Risk Analyst
We are looking for a strong senior analyst who will be providing support and may manage the implementation of comprehensive risk management strategies aligned with agency risk posture inclusive of specific programs: Information Security Continuous Monitoring (ISCM) including the Continuous Diagnostics and Mitigation (CDM) Program, High Value Assets, Federal Risk Authorization Management Program (FedRAMP) Cloud Sponsorship Program, and Security and Risk Data Analysis.
DUTIES AND RESPONSIBILITIES (ESSENTIAL FUNCTIONS)
- Review authorization packages to ensure completeness, validate that security requirements are met, and confirm that the level of risk is within acceptable limits.
- Ensures that applicable IT security policies are implemented for the system and for those aspects of system-related physical security also under his/her purview.
- Ensures operational security posture consistent with current security policy is maintained.
- Writes comprehensive assessment, review, audit and investigation reports outlining methodology, analysis and recommendations.
- Coordinates with the information system owner to update the system security plan, manage and control changes to the system, and ensures that security impacts of proposed changes are evaluated by or reported to officials responsible for change control.
- Reports existing or potential security issues to the a and others, as appropriate.
- Ensures that system audit trails are regularly examined and anomalies reported as appropriate.
- Ensures documentation is developed and maintained detailing the IT hardware and software configuration and all security countermeasures that protect it.
- Completes mandatory, specialized information security training annually.
- Continually monitors and ensures that the system's security is reviewed and tested annually in accordance with policy; security controls are selected and tested annually; and the selection of controls to be tested includes POA&Ms closed in the past 12 months as well as highly volatile controls or those which pose the greatest risk to the system. The Continuous Monitoring Test Plan is developed and updated annually. The results of testing are uploaded to the reporting system and the POA&M is updated accordingly.
- Ensures security baselines are maintained and validated at least annually. A report of the validation is provided for annual FISMA reporting. Ensures the system is in compliance with Departmental and DO security configuration management policies.
- BS/BA degree from accredited university
- Five or more years of risk analysis and system assessment work experience
- Must be eligible for Public Trust Clearance
- One or more certifications in information security (such as CISSP, CISA, Sec+, etc.)
Specialized Knowledge/Skills Requirements
Core skills: At a minimum, we are looking for a Senior Risk Analyst with these core skills. Within this environment, you should possess the following.
- Experience in creating high-level and low-level designs for applications, with technical and functional experience in the domains of privacy, governance, enterprise risk management and regulatory compliance consulting.
- Experience with standards (such as ISO:9000, ISO:27001, ISO:20000, NIST, ITIL V3.0, etc.) and frameworks (such as COBIT, COSO, etc.)
- Experience with and understanding of regulatory compliance requirements such as Sarbanes-Oxley, operational risk, etc.
- Implementation experience for automated governance, risk and compliance platforms such as RSA-Archer (preferred), MetricStream, IBM OpenPages, Agiliance, Oracle GRC.
- Experience in risk management, governance and audits (COBIT). This includes facilitation for audit readiness for client organizations.
- Open to learning and working in new domains and technology.
- Good written and spoken communication skills.