The Principal Cyber Security Risk Management / Technical Security Analyst reports to the Information Technology Office (ITO) Business Engagement (BE) Senior Manager within the Cyber Security (CS) Directorate's BE division. The position exercises significant judgment in working with IT teams within the environment. The analyst serves as the Cyber Security point of contact in support of the IT portfolio of projects and supplier security evaluations, participates in analysis-of-alternatives workshops, and provides security consultation on company policies and security good practices from Bid Risk Reviews (BRRs) to Inflight Program Reviews (IPRs).
In addition to the primary responsibilities identified below, the Principal Cyber Security Risk Management Analyst will serve as a subject matter expert for network, server, database management and endpoint technical security requirements; assessing risk; promoting standards and guidelines in information assurance / data management; and training in IA governance, technical hardening and/or accreditation & certification frameworks, Information Security Program Security Plans, STIGs, Center for Internet Security baselines for networking, OSes, application and database components, and NIST standards for Risk Management and Cybersecurity frameworks. Specifically:
- Experience in the use of ServiceNow or other service request ticketing systems, and MS Word, Excel, PowerPoint and SharePoint
- Experience using eGRC, SIEM, and vulnerability scanning tools
- Excellent written and oral communication skills
Work within the Cyber Security Risk Management and overall Cyber team to deliver quality risk assessment reports. This requires in-depth working experience with Information Security Risk Assessment using an industry standard approach.
- Produce the following quality deliverables for SAIC:
- Written reports and verbal presentations.
- Present security recommendations for complex programs & sourcing decisions.
- Perform system security evaluations on suppliers and vendor products by following prescribed security evaluation criteria.
- Provide input to regularly scheduled platform and project-specific meetings.
- Produce quality system security risk assessments.
- Overall assistance in defining security requirements and strategies for information management system and network architecture design, optimization, and solution delivery.
- Assist platform owners and design teams in applying the necessary security controls to mitigate associated risks.
- Function as a technical functional analyst who can navigate and communicate effectively with both technical and engineering teams and is at ease with business function leads.
- Assist in evaluating third-party supplier security controls, third-party relationship management, and security outsourcing.
- Using Security Management Practices and internal
- Conduct risk analysis on existing and to-be
- Document and present findings.
- Apply threat modeling concepts.
- Serve as a security subject matter expert, providing multi-disciplinary knowledge, skills, and experience in technical information assurance and information security management, network security and system architecture, and database management.
- Consult on current and upcoming projects covering all levels of network architecture and information management systems' impact on the overall IT security and IT systems architecture.
- Provide security profiling analysis for a wide range of network security technologies including, but not limited to: firewalls, IPS/IDS, NAC, VPN, proxies, routers, and switches.
- Experience securing common services (e.g., DHCP, DNS, Terminal, WINS, Routing, etc.)
- Working knowledge of protocols, network topologies, and perimeter security devices (proxies, IPS, IDS, firewalls and packet analyzers), network security design, and Rights Management Services.
- Ensure appropriate security provisioning during the varying phases of the Software Development Life Cycle.
- Review business requirements and document security requirements for the information systems.
- Ensure system changes and updates remain ITO security
- Ensure security standards are applied from design to
- Assist in conducting on-site physical security
- Conduct security risk assessments of suppliers (3rd-party vendors) and provide recommendations for improving the vendor assessment process. Support all facets of the vendor security program, including the evaluation of vendors and the development of recommendations to improve security and mitigate security risks.
- Fundamental technical knowledge of Active Directory, Windows and Linux OSes, firewalls, networks, Oracle, SQL, stored procedures, scripts and reports.
- Expertise with NIST and the ISO 27000 series, particularly NIST SP 800-53, NIST SP 800-171 r1, and ISO 27001/2.
- Working knowledge of security standards/controls specified under various IT governance and compliance models (NIST, ISO 27001 & 27002, ITIL, SOX, and DFARS/FARS). This includes: Applications and Systems Development Security, Security Management Practices, Access Control, Security Architecture and Modeling, Telecommunications, Network Security, Cryptography (PKI), Operations Security, and Physical Security.
- Demonstrated success leading and conducting senior-level security risk analysis, specifically threat modeling involving system decomposition, threat and vulnerability discovery, and mitigation.
- Education: Bachelor's Degree in Information Systems, Computer Science, Information Security or a related IT field.
- 8-10 years of relevant risk assessment, information security / analytical experience.
- Experience acting as a Subject Matter Expert or team lead providing guidance to others.
- Strong communication skills; the person in this role must be able to communicate successfully with management personnel, technical personnel and third parties.
- Professional security industry certifications such as CISSP, CCNA, CCIE or other relevant industry certifications through accrediting bodies such as the DoD, ISC2, ISACA, SANS or CompTIA.
- Proven ability to work with cross-functional teams.
- Self-starter, individual contributor; must perform with limited or no supervision.
- Possesses proven initiative and developed listening
- Demonstrate timely task completion involving solid organizational skills, task tracking, and follow-up, and productive peer
- Possess strong technical writing, verbal and presentation skills, especially with communicating to PMOs / senior
- Provide feedback on internal processes required to help train and mentor other professionals as needed
- Worked with Secure Development Life Cycle and work experience in a mature risk management team with proven risk assessment
- Experience with reviewing systems vulnerabilities for risk and relevance.
- Experience in planning mitigations for systems vulnerabilities
- Extensive understanding of IAM technologies, concepts, policies, processes, best practices, and solutions.
- Knowledge of technology trends and developments in the areas of IAM, and knowledge and experience with formal security and control frameworks such as ISO 17799, COSO, ITIL, and NIST SP 800-53
- Ensure requirements gathered, processes defined, and use cases documented favour out-of-the-box configuration over customization for the relevant IAM technologies as much as possible.
- Participate in designing deployment architectures.
- Participate in capacity planning and HW/SW specification recommendation efforts.
- Participate in all technology deployment activities ranging from design to architecture to configuration and custom development.
- Participate in and/or lead User Acceptance Testing and bug-related engineering efforts.
- Design, implement and educate on code deployment, code migration, and source control use.
- Provide knowledge transfer and post production support activities as necessary.
- Comprehensive understanding of Data Protection solutions and technologies including: Data Loss Prevention (DLP), data masking, tokenization, data classification, and data encryption.
- Experience with NIST SPs for SSPs, DFARS, encryption and other international security and regulatory standards
- Project Management Skills
- Experience in the use of MS Project, MS Visio, SCCM, FIM/MIM and other Microsoft products, Archer and Splunk eGRC/SIEMs, and other MVM / Nexus security tools