As an ISSO Journeyman, you will engage and collaborate with the operations and development teams to deliver secure, high-quality, innovative, and highly scalable web-based applications to the end client. The ISSO Journeyman will support the ISSO Lead, PM, and operations and development teams with the security compliance requirements (vulnerabilities and security benchmarks) of various cloud application service providers per FedRAMP and NIST guidance, within a fast-paced application development environment.
The ideal ISSO Journeyman will have prior experience working with various teams of engineers, developers, and systems administrators on Agile best practices, processes, and tools. This role will assist in driving the adoption and continued improvement of Agile, software engineering, and DevOps cybersecurity practices.
· Serve as the liaison between the ISSO Master, the PM, and the Information System Security Manager (ISSM) on all matters
· Assist in developing security control selection guidance consistent with the organization's risk management strategy
· Assist in documentation of Agency common controls
· Acquire/develop and maintain tools, templates, or checklists to support the security control selection process and the development of system security plans
· Assist in and assess the implementation of continuous monitoring (CM)
· Participate in the implementation and management of “AC-2; ACCESS CONTROL; Account Management” and review Agency accounts for compliance.
· Work closely with the system administrators to ensure the system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies Agency-designated personnel.
· Monitor the use of system user and service accounts, and review/analyze audit records.
· Respond to any audit processing failures according to Agency and NIST guidance.
· Assist in developing any required quality manual, quality procedures, and standard operating procedures (SOPs) for the entire staff during implementation.
· Facilitate the planning, execution, monitoring, and testing of security controls against FedRAMP or NIST security requirements for the systems and supporting applications; maintain the security compliance score required by the Agency for both patch management and STIG implementation
· Document approved changes to the system, component, or service and the potential security impacts of such changes; track security flaws and flaw resolution within the system, component, or service; and report findings to SAIC and Agency-designated officials
· Implement the use of AppDetective, Nessus, WebInspect, Core Impact, or any other Agency-required vulnerability assessment tools, and incorporate their results into security assessment report (SAR) findings and analysis
· Implement automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the Agency
· Develop or maintain the contingency plan for the Agency and coordinate contingency planning activities with incident handling activities
· Update the contingency plan to address changes to the organization, information system, or environment of operation, and problems encountered during contingency plan implementation, execution, or testing
· Communicate contingency plan changes and protect the contingency plan from unauthorized disclosure and modification
· Develop/update, document, and disseminate an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance teams
· Develop, disseminate, and maintain the Incident Response (IR) Policy and Procedures
· Develop or update (at least annually) the Agency Security Plan (SP/SSP)
· Assist in the implementation of “PS-4; PERSONNEL SECURITY; Personnel Termination”, such as disabling information system access and terminating/revoking any authenticators/credentials associated with the individual
· Document attempts to obtain system component or information system service documentation when such documentation is either unavailable or nonexistent
· Develop, disseminate, and maintain the Agency communications protection policy that addresses purpose, scope, roles, and responsibilities
· Ensure the implementation of “SI-4 (5); SYSTEM AND INFORMATION INTEGRITY; Information System Monitoring - Enhancement: System-Generated Alerts”, so that the system sends alerts to the designated personnel when a compromise or potential compromise occurs
· Ensure the information system detects network services that have not been authorized or approved by Agency.
· Assist in implementing “SYSTEM AND INFORMATION INTEGRITY; Security Alerts, Advisories, and Directives”: receive information system security alerts, advisories, and directives from US-CERT or other Agency-directed sources
· Document whether the Agency generates internal security alerts, and ensure the Agency generates error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries
· Ensure the Agency implements the necessary technical measures to protect system memory from unauthorized code execution
· Actively participate in strategic planning sessions to identify new initiatives aimed at meeting the SAIC IT strategic goals, the Agency's Management Agenda, and directorate-level goals and objectives