ConvoCourses

Cyber Security Compliance and IT Jobs

information assurance jobs

Security Specialist in Raleigh NC

by Leave a Comment

Short Description:
Contract resource with senior Information Security Analyst skillset, with focus on Identity and Access Management (I&AM), risk analysis, and information security policy, standards and procedure development.
Complete Description:
The Department of Transportation is seeking a short-term contractor to implement and maintain information security best practices within the NCDOT environment related to Identity and Access Management (I&AM) as well as other information security risk assessments, analysis and consultation for various IT systems.  Identity and Access Management (I&AM) is responsible for designing, developing and supporting a suite of agency wide shared services that primarily focus on identity, authentication, authorization, request management, provisioning, and certification.  The staff is part of the IT Information Security Office (ISO), with end-to-end responsibility for the agency-wide information security policy and standards.  The candidate should be an information security analyst with extensive information security operational experience, that also understands enterprise architecture, policy, standards and procedure and can consult with support, implementation and architecture teams.
Responsibilities will include:
  • Working with project & team managers and stakeholders to produce high quality and detailed identity and access management business requirements as they related to information security
  • Develop and enforce policies for identity and access management (I&AM) team for claims based authentication
  • Define the information security policy, standards and process/procedures as required for utilizing an identity management system including:  role mining, attestation, account provisioning, cloud/federated access provisioning, and others.
  • Develop  security policies and procedures for Roles Based Access Controls in claims based architecture
  • Develop security policies and procedures for claims based architecture for Active Directory and Sharepoint
  • Actively participate in assessment, planning, architecture, and design activities
  • Design, document, and implement security controls for Identity and Access Management
  • BizTalk, UDDI, web services, and claims based authentication experience
  • Design, document, and put security governance in place for external claims based authentication
The position will be responsible for documentation of security standards, security patterns, processes and procedures related to securing of web services and interoperability of all systems for the 3C and Data Services project.  The individual will educate application development teams on those standards and processes from an information security perspective.

NCDOT – Info Security Specialist- 3C North Carolina

by Leave a Comment

22ndstaffing.com

Work Location:                                                                   4101 Capital Blvd, Raleigh NC 27604
Interview Type:                                                                  Either Phone or In Person
Short Description:
Contract resource with senior Information Security Analyst skillset, with focus on Identity and Access Management (I&AM), risk analysis, and information security policy, standards and procedure development.
Complete Description:
The Department of Transportation is seeking a short-term contractor to implement and maintain information security best practices within the NCDOT environment related to Identity and Access Management (I&AM) as well as other information security risk assessments, analysis and consultation for various IT systems.  Identity and Access Management (I&AM) is responsible for designing, developing and supporting a suite of agency wide shared services that primarily focus on identity, authentication, authorization, request management, provisioning, and certification.  The staff is part of the IT Information Security Office (ISO), with end-to-end responsibility for the agency-wide information security policy and standards.  The candidate should be an information security analyst with extensive information security operational experience, that also understands enterprise architecture, policy, standards and procedure and can consult with support, implementation and architecture teams.
Responsibilities will include:
  • Working with project & team managers and stakeholders to produce high quality and detailed identity and access management business requirements as they related to information security
  • Develop and enforce policies for identity and access management (I&AM) team for claims based authentication
  • Define the information security policy, standards and process/procedures as required for utilizing an identity management system including:  role mining, attestation, account provisioning, cloud/federated access provisioning, and others.
  • Develop  security policies and procedures for Roles Based Access Controls in claims based architecture
  • Develop security policies and procedures for claims based architecture for Active Directory and Sharepoint
  • Actively participate in assessment, planning, architecture, and design activities
  • Design, document, and implement security controls for Identity and Access Management
  • BizTalk, UDDI, web services, and claims based authentication experience
  • Design, document, and put security governance in place for external claims based authentication
The position will be responsible for documentation of security standards, security patterns, processes and procedures related to securing of web services and interoperability of all systems for the 3C and Data Services project.  The individual will educate application development teams on those standards and processes from an information security perspective.
Questions:
Questions
Questions
Answers
Question 1
Absences greater than two weeks MUST be approved by CAI management in advance, and contact information must be provided to CAI so that the resource can be reached during his or her absence. The Client has the right to dismiss the resource if he or she does not return to work by the agreed upon date. Do you accept this requirement?
Question 2
All work must be completed on site. Do you accept this requirement?
Question 3
Please list candidate’s email address HERE that will be used when submitting E-RTR.
Question 4
Please indicate how soon this candidate is available to start work. Vendors are encouraged to submit candidates that are available for the duration of the assignment.
Question 5
Vendor must disclose to the agency if the candidate will be subcontracted at the time of submission. Do you accept this requirement?
Question 6
Vendor must notify the agency if any portion of the requirements listed in this task order are to be outsourced to other countries. Do you accept this requirement?
Question 7
This role is not new to the Department. There has been someone working in the role in the past. However, this is a new requirement for those services and it is open for competition.

risk management analyst

by Leave a Comment

Risk Management Analyst is a title that in many cases deals explicitly with market shares and stock analysis.

In relation to Information Security and DIARMF, a Risk Management Analyst is an IT security professionals that mitigates the vulnerabilities of on organizations assets, identifies threats and risk of an organization.  Financial organizations are fond of using the term “risk” to describe system security engineering and system security analysts jobs.

Variations of the risk management analyst are:

    • IT Risk Management Analyst
    • Enterprise Risk Management Analyst
    • IT Vendor Risk Management Analyst

The IT Risk Management position is very similar or exactly the same as IT Risk Analyst.

IT Risk Management Analyst Job Description

The IT Risk Management Analyst is responsible for maintaining organizations IT risk management program.  That means the IT Risk Management Analyst must identifying, evaluating and reporting on information technology security risks.

The IT Analyst will work system administrators, project managers and other teams and to implement practices that meet organizational policies, standards and expectations for information risk management.

IT Risk Management Analyst is responsible for advising the Chief Information Security Officer (CISO), the IT Leadership, and other key stakeholders. 

 

security engineer

by 1 Comment

System Security Engineer is a critical job in the cyberspace workforce.  As information technology has become a centerpiece for our lives, the security of IT has been more and more in demand.  A security engineer is expected to have a working understanding of IT enough to be able to strike a balance between operational functionality and application security controls.

System Security Engineer (ISSE, CSSE, SSE I/S Security Engineer) actually can mean anything.. So you actually need to read the job description.  But in this post, I am referring to SSE from the perspective Risk Management and DIARMF.

DIARMF Select balance
DIARMF
blog.eircomforbusiness.com/profile/Andy (andy O’Kelly, eircomforbusiness.com)

And Risk Management SSE needs to be savvy enough with the operational needs and security needs to balance the risk.  While a security engineer does not take risks of the organization they work for, they do consult the decision makers that do take risks.

Many security engineers are not hands on.  Meaning they might not touch the servers or configure routers, but they must know enough to orchestrate the over all security of the organization or system they are assigned to.

System Security Engineering Tasks

I have been in system security engineer positions where I did have hands-on tasks working directly with the system administrators and I have had some where I rarely even seen the systems that I wrote system security plans for.

System Security Engineers do consultation where they are working directly with information owners, project managers, information system security managers or technical security practitioners to come up with the most cost effective strategy for applying security controls with a certain level of effort within a certain time constraint.   A good security engineer understands all these factors and make sure the decision makers are well informed.  As an SSE the last thing you want to do is a prima madonna and attempt to put security beyond the scope of the operational mission.  And don’t be a hero, even if you really care about the mission you must ALWAYS remember the risk is not yours to bear and neither is the decision of what security controls (if any) will be applied.

Tasks of a system security engineer  

System security engineers do system security related documentation such as system security plans, plan of action and milestones, security assessment reports and other supporting documentation.

A day in the life of a system security engineer might consist of attending configuration management meetings, meeting with system administrators to address new challenges, writing authorization packages, coordinating with other units to complete an authorization package, reading the latest change to a regulation or organizational standard, WRITING an organizational standard and in some cases they are actually doing security administration on some system.

CYBER System Security Engineer (CSSE)

With Dod 8140 and the cyber-ization of the every goddamn thing! I believe the new term will be CYBER System Security Engineer (CSSE) and in the past it was commonly refer to as an Information System Security Engineer (ISSE).

As stated above and SSE can be just about anything computer security related.  I have been a SSE and done nothing put paperwork but also been an SSE and done mostly installations of system security controls.  My former co-worker just got a position as an Information System Security Engineer (I/SE) and he will be doing all ArcSight admin stuff.

dod 8570 chart

by 3 Comments

The dod 8570 chart is designed to provide guidance for government agencies (mainly in defense) to categorize and identify certification of personnel conducting Information Assurance (IA) functions.

Defense Information Assurance workforce is broken up into category, specialty, level, and function to for better protection of confidentiality, integrity and availability of DoD information, information systems, and networks.

Information Assurance Profiles DoD 8570:

 

dod 8570 chart
dod 8570 chart – http://iase.disa.mil/eta/iawip/content_pages/iabaseline.html
IA Management Level I IAM Level I personnel are responsible for the implementation and operation of an Information System (IS) within their CE. Personnel ensure that IA related IS are functional and secure within the CE.
IA Management Level II IAM Level II personnel are responsible for the IA program of an IS within the NE. Personnel in these positions perform a variety of security related tasks, including the development and implementation of system information security standards and procedures. They ensure that IS are functional and secure within the NE.
IA Management Level III IAM Level III personnel are responsible for ensuring that all enclave IS are functional and secure. They determine the enclaves’ long term IA systems needs and acquisition requirements to accomplish operational objectives. They also develop and implement information security standards and procedures through the certification and accreditation process.
IA Technical Level I IAT Level I personnel make the CE less vulnerable by correcting flaws and implementing IAT controls in the hardware or software installed within their operational systems.
IA Technical Level II IAT Level II personnel provide network environment (NE) and advanced level CE support. They pay special attention to intrusion detection, finding and fixing unprotected vulnerabilities, and ensuring that remote access points are well secured. These positions focus on threats and vulnerabilities and improve the security of systems. IAT Level II personnel have mastery of the functions of the IAT Level I position.
IA Technical Level III PIAT Level III personnel focus on the enclave environment and support, monitor, test, and troubleshoot hardware and software IA problems pertaining to the CE, NE, and enclave environments. IAT Level III personnel have mastery of the functions of both the IAT Level I and Level II positions.
CND-SP Analyst (CND-A) CND-A personnel use data collected from a variety of CND tools (including intrusion detection system alerts, firewall and network traffic logs, and host system logs) to analyze events that occur with their environment.
CND-SP Infrastructure Support (CND-IS) CND-IS personnel test, implement, deploy, maintain, and administer the infrastructure systems which are required to effectively manage the CND-SP network and resources. This may include, but is not limited to routers, firewalls, intrusion detection/prevention systems, and other CND tools as deployed within the NE or enclave.
CND-SP Incident Responder (CND-IR) CND-IR personnel investigate and analyze all response activities related to cyber incidents within the NE or Enclave. These tasks include, but are not limited to: creating and maintaining incident tracking information; planning, coordinating, and directing recovery activities; and incident analysis tasks, including examining all available information and supporting evidence or artifacts related to an incident or event.
CND-SP Auditor (CND-AU) CND-AU personnel perform assessments of systems and networks within the NE or enclave and identify where those systems/networks deviate from acceptable configurations, enclave policy, or local policy. CND-AUs achieve this through passive evaluations (compliance audits) and active evaluations (penetration tests and/or vulnerability assessments).
CND-SP Manager (CND-SPM) CND-SPMs oversee the CND-SP operations within their organization. CND-SPMs are responsible for producing guidance for their NE or enclave, assisting with risk assessments and risk management for organizations within their NE or enclave, and are responsible for managing the technical classifications within their organization.
IASAE I Applies knowledge of IA policy, procedures, and structure to design, develop, and implement CE system(s), system components, or system architectures.
IASAE II Applies knowledge of IA policy, procedures, and workforce structure to design, develop, and implement a secure NE.
IASAE III Responsible for the design, development, implementation, and/or integration of a DoD IA architecture, system or system component for use within CE, NE, and enclave environments
General User A user who is granted use of Government Information Systems (IS) and access to Government networks. This is not an IA position.
Power User Personnel with limited administrative privileges to their PC only. This is not an IA position.

DoD 8570 Chart is being replaced soon with DoDD 8140, Cyberspace workforce which will have 7 high level categories under a National Initiative for Cybersecurity Education framework:

Security Provision, Maintain and Operate, Protect & Defend, Analyze, operate & collect, Oversight & Development and Investigate.

These categories are broken down further into a sum total of 31 tasks.  It was supposed to be released in 2013, but there is actually no telling when it will come out.