The Big Career Leap
Full Time,Contract - Corp To Corp,Contract - Independent
1 to 3 years
NIST, Risk Assessment
Depend on Exp.
Travel Not Required
Security Policy Working Group (SPWG)
The County’s Assistant Chief Administrative Officer has appointed a Security Policy Working Group (SPWG) consisting of senior and executive level managers to review information security policies, identify areas where policies may need to be updated or created, and then formally document them.
Policy categories to be reviewed will include the County’s Administrative Procedures (AP) and Computer Security Guidelines, in addition to compliance with Federal, State and Local laws.
To fully support the efforts of the SPWG, the Enterprise Information Security Office (EISO) within the Department of Technology Services (DTS) needs an Expert Security Analyst (Consultant). The Consultant will work closely with the SPWG and report directly to the County’s Chief Information Security Officer (CISO).
NIST Cybersecurity Framework
The ideal resource will have Subject Matter Expertise (SME) level knowledge of the National Institute of Standards and Technology (NIST) standards and, more specifically, the Cybersecurity Framework.
The “Framework” is a prioritized, flexible, repeatable, performance-based, cost-effective approach to managing cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services.
In addition to the Framework, the candidate will be well versed in associated reference documents such as “SP 800-37”, “SP 800-39”, “NIST SP 800-53”, “FIPS Publication 199”, etc.
The candidate will have led and / or actively participated in teams that have utilized the Framework to create new cyber security programs or improve existing ones. In the absence of SME knowledge of NIST standards and / or the “Framework”, SME knowledge of national / international standards / acts such as those of the “International Organization for Standardization” (ISO) or “COBIT” will suffice.
Federal Risk and Authorization Management Program (FedRAMP)
The ideal Consultant will have Subject Matter Expertise (SME) level knowledge of the FedRAMP program standards and, more specifically, the “Security Assessment Framework (SAF)”.
The FedRAMP program is a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
The SAF document details the security assessment process that Cloud Service Providers (CSPs) must use to achieve compliance with FedRAMP.
The candidate will have demonstrated that he / she has led and / or actively participated in teams that have conducted security assessments utilizing the FedRAMP program.
Risk Assessment
The Consultant will have Subject Matter Expertise (SME) level knowledge in planning, conducting and reporting on information security risk assessments.
The candidate will have demonstrated strong decision-making capabilities, with a proven ability to weigh the relative costs and benefits of potential actions and identify the most appropriate one while, at the same time, having the ability to effectively influence others to modify their opinions, plans or behaviors.
The candidate will be well versed in creating and maintaining risk registers, in addition to creating regularly scheduled risk-based status reports and escalating issues / concerns as necessary. The candidate will be equally comfortable in lead or supporting roles with regard to work assignments as they pertain to risk assessments.
The Consultant will have Subject Matter Expertise (SME) level knowledge in planning, conducting and reporting on information security policy reviews.
The candidate will have demonstrated the ability to develop information security policies, processes and procedures.
The candidate will also have demonstrated the ability to assess new security laws, policies or standards to determine program / department / organizational level impact.
The candidate will have demonstrated the ability to formally document new policy proposals in addition to updates to existing policies.
The candidate will have demonstrated the ability to translate pertinent security risk assessment findings into policies and categorize those policies into separate categories related to 1) County Administrative Procedures (AP), 2) County Computer Security Guidelines and 3) Federal / State / Local laws.
Communications
The Consultant will have demonstrated the ability to communicate thoughts, concepts and processes clearly and concisely, both verbally and in written format, to senior / executive level management, legal experts, security experts and internal / external auditors. The candidate will have demonstrated the ability to communicate verbally in multiple diverse settings such as:
1) risk assessments
2) policy reviews
3) assigned meetings (e.g. status, work group, steering committee)
The candidate will have demonstrated the ability to utilize information security best practices to communicate, in written format, information pertaining to security risk assessment planning, policy reviews, gap analysis, status / progress reports and action plans.
Scope of Work:
1) Meeting Attendance
The Consultant will be responsible for attending all SPWG meetings as a representative of the EISO and for being fully prepared to discuss relevant agenda items.
2) Project Communications
The Consultant will be responsible for communicating the status / progress of risk assessments, policy reviews, gap analysis, planning sessions and issue resolution reviews to the County’s CISO, the EISO Security Architect / Program Manager, senior / executive level management, County Attorney representatives and / or internal auditors.
3) Work Products
The Consultant will be responsible for developing, delivering, and maintaining all work products in accordance with predefined deadlines. These may include, but are not limited to, risk assessment and policy review plans / processes / procedures / findings, gap analysis templates / documents, risk registers, new policy and / or existing policy update proposals, and status reports.
4) Policy Approvals
The Consultant will be responsible for proposing and championing the approval of new policies, in addition to existing policy updates as assigned by the CISO, SPWG and/or the EISO Security Architect / Program Manager.