Title: Cyber Risk Analyst (NIST 800 series)
Location: 100% Remote (Client Based at Lemont, IL-60439)
Duration: 12 Months Contract with Potential of Extension
NOTE: Must be a US Citizen.
Job Description:
The Cyber Risk Analyst will play an important role in identifying and communicating areas of concern and risks to the business. This engagement will free up other cybersecurity resources to work in other critical areas. The ideal candidate will need to:
- Possess a working level expertise with the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the NIST 800-53 series of control families and approaches.
- Perform detailed analysis and a cyber risk assessment of Cloud Service Providers (CSPs).
- Engage with vendors to review controls, certifications, and risks in support of the associated business need and the laboratory’s risk tolerance.
- Partner with the CSPO in the development of risk assessment and reporting processes within the Laboratory’s Governance, Risk and Compliance (GRC) tool, Talatek TiGRIS.
- Partner with others from within the CSPO team and Laboratory IT environment to perform risk-based assessments of NIST 800-53 control validation and gap analysis.
- Collaborate with the CSPO to present outcomes of risk analysis work using presentation methods to CSPO and other lab audiences (IT admins, Deputy CIO, CISO)
- Maintain assessment and assessment results in identified repositories, e.g., the Lab’s GRC tool, Talatek TiGRIS, MS Excel, Box or Box+
- Assist in the performance of the laboratory’s Divisional Site Assist Visit (DSAV) self-assessment and continuous monitoring strategy, assessing the cyber security controls and their implementation in various programmatic spaces.
Objectives:
The ideal candidate will have:
- A fundamental understanding of IT Risk management and the NIST 800 series framework.
- Experience with government environments.
- Experience working closely with cyber security leadership and peers along with IT system/process owners to capture artifacts for control testing.
- Technical understanding of systems and technologies to inform audits and assessments.
- Ability to translate results into business-oriented, task-focused presentations.
- The ideal candidate will support the projects and tasks associated with Cybersecurity Risk Assessment and Compliance.
- Ability to support urgency and timeliness expectations, assuring risk assessments are completed to support DOE Authority to Operate and Authority to Use deadlines.
Required Qualifications/Skills:
- Considerable knowledge of Risk Management and Risk Management Framework (RMF) requirements
- Working level knowledge of the NIST 800 Rev 5 series framework
- Considerable knowledge/experience of assessing controls.
- Knowledge of industry-standard and organizationally accepted analysis principles and methods.
- Experience in working with Governance Risk Compliance systems.
- Experience presenting reports and outcomes to leadership, tracking to closure, and creating buy-in to risk management.
- Experience and skill in conducting audits or reviews of technical systems.
- Experience assessing vendor risk.
- Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
- Ability to skillfully communicate through various methods. This includes written documentation. The audience will be leaders and executives. Finalists may be asked to complete a brief, job-relevant writing exercise.
- Ability to work autonomously as a contributing member of a small technical team
- Experience working in a government environment.
- Experience working in a distributed IT environment.
- Basic knowledge of cyber security concepts.
- Working knowledge of networking administration.
- Working knowledge of system administration.
- Ability to qualify for HSPD-12 card for use in two-factor authentication.
- Able to effectively interact with user organizations to validate controls.
- Able to effectively disseminate knowledge to current staff.