Manages extensive security evaluations of major information systems and networks and the remediation of security control weaknesses, prepares evaluation reports, and presents recommendations. Conducts trade-off analyses of products for clients to determine optimal information security solutions. Maintains a high level of familiarity with the major Federal Government Information Security policy guidance and directives. Works independently in an expert role at customer site or provides team leadership to a group of information security professionals.
The Customer maintains ongoing awareness of Enterprise and Mission information systems, vulnerabilities, and threats to enhance mitigation solutions and risk decisions. This position will at times support activities in order to target, assess, exploit and report risks and vulnerabilities of organization systems in order to provide senior decision makers with actionable data to make strategic investment decisions. The engineer coordinates planning, scheduling, and testing of projects in the Certification and Accreditation (C&A) / Authorization & Accreditation (A&A) process. The engineer will produce actionable correspondence to provide insight for further analysis and response within the Sponsor's division and to external customers. The duties include examining the customer information systems to determine if vulnerabilities exist and, if they are found, what mitigating strategies can be applied. The end goal is to ensure the integrity of the information systems by identifying and mitigating potential avenues of exploitation, including system level attacks and user level attacks.
Roles and responsibilities include but are not limited to:
- Conduct hands-on security testing, analyze test results, document risk, and recommend countermeasures. Provide targeting insight to team members based upon active vulnerability assessments.
- Provide documentation to Client which describes all identified system risks, planned test procedures taken and test results
- Provide enhancement capabilities and SOPs to assessment operations for execution and implementation
- Review and make recommendations on program-level documentation (e.g., requirements specification, system architecture, design documents, test plans and security plans)
- Develop and document security evaluation test plan and procedures
- Assist in researching, evaluating and developing relevant Information Security policies and guidance
- Actively participate in or lead technical exchange meetings and application review boards, documenting action items/results of these events
- Brief management, as needed, on the status of action items and/or results of activities
- Coordinate with other program elements conducting security testing
- Identify mitigating countermeasures to identified threats, vulnerabilities and shortfalls
- Identify needs for testing equipment and gaps in testing capabilities; conduct research on and evaluation of automated testing tools and provide summaries and reports to Client on the tool capabilities, in support of potential procurement by the Customer
- Develop, assemble, and submit C&A/A&A testing results reports that document testing activity and results to support the creation of risk assessments and approval packages
- Work with stakeholders as well as technical and analytical counterparts to define constraints, and develop requirements and concept of operations documentation.
- Work with stakeholders to identify best-fit technical solutions for business unit needs. Identify technical risks and develop mitigation strategies.
- Provide assistance to project or program teams. Provide conceptual design, prototype, and test cycles appropriate to a chosen technical solution.
- Identify and manage dependencies with other systems and elements of the IT infrastructure.
- Evaluate industry offerings to identify products and technologies with the potential to support the design.
- Record lessons learned, processes and procedures, and other pertinent quality topics in appropriate formats.
EDUCATION & EXPERIENCE:
Requires a bachelor's degree or equivalent and seven to nine years of related experience.
Mandatory Skills
At least five years of demonstrated on-the-job experience with Linux, Windows and virtual platforms
At least two years of demonstrated on-the-job experience analyzing test results and suggesting mitigation plans for security problems
At least two years of demonstrated on-the-job experience creating systems and applications security test plans and performing hands-on security testing leveraging adversarial tactics
At least two years of demonstrated on-the-job experience performing network security analysis
At least two years of demonstrated on-the-job experience with network architectures and network management tools
At least two years of demonstrated on-the-job experience with vulnerability assessment tools and cyber security engineering
Demonstrated on-the-job experience performing technical tasks in pursuit of overall goals with minimal direction
Demonstrated on-the-job experience with risk management methodologies
Demonstrated on-the-job experience with system configuration, development and design specifically around enterprise and small organizational systems.
Security clearance required is TS/SCI w/Poly.
Normal demands associated with an office environment. Ability to work on a computer for long periods, and communicate with individuals by telephone, email and face to face. Some travel may be required.