Missing Link Security OCC Information Systems Security Officer in Washington DC, District Of Columbia
Risk Management Framework
Identify information types collected, processed, maintained, used, shared, disseminated, transmitted, and/or stored by or through the information system.
Using SP 800-60 and FIPS 199, evaluate the information types related to the data and document this information in the Security Categorization Worksheet.
Determine which information types, if any, contain privacy data and/or financial data.
For each information type identified, determine the security impact that might result from the unauthorized disclosure, modification, and/or loss of the information (Confidentiality, Integrity, and Availability [CIA]) and adjust the default CIA impact levels as necessary.
Using the impact results of the information types, apply the high watermark concept to derive the appropriate categorization level of the system.
Using FIPS 200, select/tailor the applicable security controls to the information system.
Document the selected security controls in the SSP.
Develop supplemental security documentation, such as Configuration Management Plans (CMP) and Contingency Plans (CPs).
Implement the security controls outlined in the SSP.
Participate in information-system authorization briefings and associated meetings to review the assessment results.
Support the development of Plans of Action and Milestones (PoA&Ms), documenting corrective action plans for remediation of identified security control deficiencies.
Review and validate the Security Authorization Package (SAP), which includes the SSP, Risk Assessment Report (RAR), Security Assessment Report (SAR), PoA&M Status Report, Privacy Threshold Assessment (PTA), Privacy Impact Analysis (PIA), E-Authentication Threshold Analysis (ETA), E-Authentication Risk Assessment (ERA), Request for Authorization to Operate, and Authorization Decision Letter.
Address questions from System Owners, Authorizing Officials, and other information-system stakeholders about the SAP.
Develop/update the SSP and other relevant security documentation such as the CMP, CP, Baseline Configuration, PoA&M Status Reports, ETA, ERA, and Memoranda of Understanding/Interconnection Security Agreements (MOUs/ISAs).
Maintain and update all security-related documentation during the Continuous Monitoring period. This shall include, but is not limited to, the CMP, CP, Baseline Configuration, SSP, PoA&M Report, PTA, PIA, ETA, ERA, Memoranda of Understanding/Interconnection Security Agreements (MOUs/ISAs), and any system-specific policies and procedures.
Develop and maintain system-specific information security policies and procedures.
Work with external parties to develop the content of MOUs and ISAs for all external system interconnections for systems within his/her portfolio.
Participate in and/or support the annual Contingency Plan testing effort and document the results in the Testing, Training, and Exercise (TT&E) After-Action Report (AAR).
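The security categorization steps listed above (SP 800-60 information types, adjusting the default CIA impact levels, then applying the FIPS 199 high watermark) can be worked through in code. This is an added illustration, not code from OCC or the posting; the information types, provisional levels and adjustments are constructed sample data.

```python
# FIPS 199 / SP 800-60 security categorization with the high-watermark rule.
# Added illustration; not OCC's or the posting's code. Information types,
# provisional impact levels and the adjustments are constructed sample data.

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}

# Constructed sample: SP 800-60 style provisional (C, I, A) levels per information type.
PROVISIONAL = {
    "personal identity and authentication": ("moderate", "moderate", "moderate"),
    "financial statement": ("low", "moderate", "low"),
    "general information": ("low", "low", "low"),
}

# Constructed adjustments to the defaults, as justified in the Security
# Categorization Worksheet (e.g. PII raises confidentiality, financial data raises integrity).
ADJUSTMENTS = {
    "personal identity and authentication": {"C": "high"},
    "financial statement": {"I": "high"},
}

def categorize_type(name, provisional, adjust=None):
    """Return the adjusted {C, I, A} impact levels for one information type."""
    c, i, a = provisional
    levels = {"C": c, "I": i, "A": a}
    for comp, lvl in (adjust or {}).items():
        if lvl not in LEVELS:
            raise ValueError(f"{name}: invalid impact level {lvl!r} for {comp}")
        levels[comp] = lvl
    return levels

def categorize_system(provisional, adjustments):
    """High watermark per CIA component across all types, then across the three components."""
    per_type = {n: categorize_type(n, p, adjustments.get(n)) for n, p in provisional.items()}
    system = {comp: max((LEVELS[t[comp]] for t in per_type.values()), default=1) for comp in "CIA"}
    overall = max(system.values())
    return {comp: NAMES[lvl] for comp, lvl in system.items()}, NAMES[overall], per_type

def sc_string(provisional, adjustments):
    """FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    sys_lvls, overall, _ = categorize_system(provisional, adjustments)
    return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}; overall: %s"
            % (sys_lvls["C"].upper(), sys_lvls["I"].upper(), sys_lvls["A"].upper(), overall.upper()))

if __name__ == "__main__":
    print(sc_string(PROVISIONAL, ADJUSTMENTS))
```

With the sample data the system categorizes as high, because one type's adjusted confidentiality and another's adjusted integrity are high even though no single type is high across the board.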
Information Security Continuous Monitoring
Submit scan requests and analyze vulnerability and compliance reports for servers, databases, and web applications on a regular basis. (The minimum frequency would be monthly, and the maximum frequency would be weekly.) Additional ad-hoc scans may be necessary to support remediation validation efforts.
Support the management of PoA&Ms by remediating weaknesses and findings, working with support personnel and vendors to develop fixes, and provide PoA&M status updates to management.
Perform reviews of system activities and account management activities for information systems and databases to ensure that processes and controls related to access management are in place. The frequency of review depends on multiple factors (such as control volatility or impact); the minimum frequency will be monthly and the maximum frequency will be daily, so reviews will range from daily to monthly. These reviews include:
Review lists of accounts for inactive users and identify whether users are authorized to access the system.
Review user privilege assignments and authorization of modifications.
Review and report violations of separation-of-duties principles.
Review remote-access methods and identify whether all such methods are authorized.
Review event logs and audit reports to identify any suspicious, unauthorized, or illegal activity and report such activity to relevant personnel per defined incident handling policy, procedures, and requirements.
Support and provide information for various audits and assessments when requested (e.g., the Annual Assessment, FISMA Audit, FISCAM/Financial Statement Audit, and A-123 Audit). ISSOs shall work with system developers and administrators to gather requested evidence, review and submit data calls, and respond to requests for information related to system security controls.
System Development Life Cycle
Serve as the security subject-matter expert for the system and support the incorporation of security into information systems throughout the entire System Development Life Cycle (SDLC) process.
Review the systems within his/her portfolio to identify and eliminate unnecessary ports, protocols, or services. Reviews will occur at least annually but could occur as frequently as monthly.
Maintain the information-system component inventory in a repository along with applicable configuration item (CI) information for each system component. The number of system components will vary per system boundary.
Complete a Security Impact Analysis (SIA) for proposed system changes by documenting the change, requesting scans, analyzing scan reports, performing a self-assessment of impacted security controls, and documenting any deficiencies and findings as a result of the change.
Support the documentation and implementation of all technical, operational, and management controls in accordance with NIST guidance and FISMA requirements for all designated systems within his/her portfolio.
Support the development, documentation, and maintenance of a current, secure baseline configuration of the system and its components.
Serve as the principal contact for coordination, implementation, and communication of OCC security policies for the information systems within his/her portfolio.
Provide security guidance and subject-matter expertise to the SO and system administrators.
Inform management, staff, and stakeholders involved in the development of IT systems and applications about applicable information-security policies, guidelines, standards, requirements, and procedures.
Support coordination between the SO and OCC Incident Response Team in managing incident response events and investigations.
Seven (7) years of experience in Information Security, of which at least five (5) years must be experience acting as an ISSO for a Federal agency. Must possess, in good standing, at least one of the following certifications:
Certified Information System Security Professional (CISSP)
Certified Information Security Manager (CISM)
GIAC Security Leadership Certification (GSLC).
From: Missing Link Security