Information Security Analyst III in Frederick, MD

Description

Information Security Analyst III

Job ID: req1583
Employee Type: exempt full-time
Facility: Frederick: Ft Detrick
Location: PO Box B, Frederick, MD 21702 USA

The Frederick National Laboratory is a Federally Funded Research and Development Center (FFRDC) sponsored by the National Cancer Institute (NCI) and operated by Leidos Biomedical Research, Inc.  The lab addresses some of the most urgent and intractable problems in the biomedical sciences in cancer and AIDS, drug development and first-in-human clinical trials, applications of nanotechnology in medicine, and rapid response to emerging threats of infectious diseases.

Our core values of accountability, compassion, collaboration, dedication, integrity, and versatility serve as a guidepost for how we do our work every day in serving the public's interest.  

Position Overview:

PROGRAM DESCRIPTION

 The Information Security and Compliance Office (ISCO) is a part of the Enterprise Information Technology (EIT) Directorate within Leidos Biomed.  The ISCO provides IT security auditing, engineering, and incident response support for the Frederick National Laboratory for Cancer Research (FNLCR) and the National Cancer Institute – Frederick.  The mission of the Information Systems Program is to develop an enterprise-level, consolidated information technology infrastructure that provides exceptional IT capabilities to the Frederick National Labs for Cancer Research (NCI-Frederick/FNLCR) in support of basic, translational, and clinical cancer and AIDS research.  ISCO supports the life cycle of information security for the scientific mission and administrative functions of the NCI-Frederick/FNLCR, to ensure the availability of information systems, protect the integrity of information, and protect the confidentiality of intellectual property and patient data. 

KEY ROLES/RESPONSIBILITIES

The information security controls assessor will be responsible for assessing the security controls on National Cancer Institute at Frederick information systems for compliance with HHS/NIH policy and NIST and OMB guidance; and making recommendations on how to address identified weaknesses. This includes reviewing documentation, interviewing system administrators and examining system configurations to ensure controls are in place, configured properly, and functioning effectively; and producing test reports and briefing system owners, managers and authorizing officials on assessment results. The assessor will also assist in closing plans of actions and milestones closure by reviewing artifacts or re-testing controls for compliance, as necessary. The assessor will also assist in performing periodic tests of network security to ensure systems' security controls are functioning effectively in-between scheduled audits. The assessor will also provide guidance to system owners, administrators and developers on NIH security requirements and current leading practice for system security.

BASIC QUALIFICATIONS

• Possession of a bachelor's degree from an accredited college or university according to the Council for Higher Education Accreditation. (Additional qualifying experience may be substituted for the required education). Foreign degrees must be evaluated for U.S. equivalency
• A minimum of six (6) years progressively responsible job related experience.  Experience must include functioning as an analyst or equivalent for compliance auditing, information security, information systems, or related
• Work independently and make decisions regarding complex issues with appropriate consultation of peers, cross-functional teams, and supervisors
• Must be able to analyze complex information, synthesize disparate data sources, and communicate effectively
• Must be able to develop technical reports and non-technical summaries and; express information in a clear, concise, and organized manner, both verbally and in writing
• Must be detail-oriented with the ability to prioritize multiple tasks/projects
• Familiarity with NIST guidance, including SP 800-53 Rev. 4, the Risk Management Framework (SP 800-37 and SP 800-39)
• Experience in assessing information systems for compliance with security control requirements (e.g., NIST SP 800-53)
• Familiarity with Linux and Windows operating systems
• Familiarity with basic networking concepts and protocols
• Familiarity with performing network scans and testing for vulnerabilities
• Must be able to obtain and maintain a clearance

PREFFERED QUALIFICATIONS

• Windows or Linux system administration experience
• Experience with nmap, scripting (Python, Bash, PowerShell, etc.), Burp Suite
• Familiarity with penetration testing methodologies
• Experience performing network or web application penetration tests

EXPECTED COMPETENCIES

•  Demonstrate working knowledge of networking, storage and virtualization technologies
• Demonstrate working knowledge of standards and guidelines for Information Security published by the National Institute of Standards and Technology (NIST)
• Working knowledge and expertise required for assessing the information security aspects of information systems for compliance with regulations and directives of FISMA, and the Office of Management and Budget (OMB)
• Experience working in a scientific and/or federal environment
• Working knowledge of Windows and Linux systems
• Possess ISC2 Certified Authorization Professional (CAP) or obtain within 6 months of hire