A large federal government agency is in the process of implementing an innovative strategy to modernize its global network and enterprise services to achieve the following objectives:
Enable support for mobile devices and cloud services
Empower customers to leverage cloud services while conforming to standards, best practices, and required security controls
Streamline user access to resources and information from multiple devices anywhere in the world
Your role is to assist the agency to design, implement and document the security controls of the system to enable the agency to achieve initial authorization. Subsequently, you will support iterations of new capabilities and cloud services via change management and continuous monitoring. You will also assist customers of the network to leverage the security controls provided so they can rapidly deploy their applications.
Assist the agency to devise the risk management and security authorization strategy for this integrated, cloud-based system that will be implemented in iterations.
Design common security controls and control inheritance guidelines to support a component-based application of the security architecture.
Develop and document system security authorization boundaries for the underlying common services and the applications they support.
Develop and mature the security controls matrix that consolidates all applicable security controls and associated control type, control owners, implementation and status.
Develop System Security Plans working with the engineering and operations teams to identify strategies for control implementation.
Develop system-specific policy, process and procedures ranging from access control to vulnerability management and key management.
Develop other security-related documents required for authorization such as categorization, contingency plans, incident response plans and privacy impact assessments.
Assist in the independent assessment of security controls, developing mitigation strategies and developing POA&Ms.
Prepare materials for security authorization decision.
Support continuous monitoring of the system by attending change management meetings, identifying impacts to security, performing assessments, communicating the impact on security posture with recommendations, and conducting ongoing security control assessments and updates to key documentation.
At least seven (7) years of professional experience performing information assurance, ISSO or security operations duties in support of federal government agencies.
Active DOD/DSS SECRET security clearance or higher
Experience through all phases of NIST SP 800-37
Experience developing System Security Plans, determining and documenting security control implementation across all families of NIST SP 800-53 Rev 4
CISSP, CAP, CCSK or CISA certification
Strong grasp of cloud computing SaaS, PaaS and IaaS fundamentals with experience developing security plans or conducting assessments of cloud solutions.
Experience with Google Apps, Amazon Web Services (AWS), ServiceNow or Microsoft Azure