Reference #: 17-04113
Title: Security Control Assessor 2
Position Type: Contract
Experience Level: 7 Years
Start Date / End Date: 07/03/2017 / 06/30/2018
Description
Note: See Additional Position Information document for specified requirements for the advertised position.
Position Overview: Summary: This position is located in the Cyber Security Organization within the Information Technology (IT) department. The Security Control Assessor serves as a hands-on auditor who performs non-intrusive penetration testing and testing of Information Technology (IT) security controls, in support of the Bonneville Power Administration (BPA) IT Risk Management program, under the BPA Office of Information Assurance and Cyber Security.
Education & Experience Requirements:
Education: Bachelor of Science in Computer Science or a related technical discipline is highly preferred. Candidates lacking an applicable bachelor's degree require additional years of applicable experience.
Experience: Experience or demonstrated capability must include:
- Experience evaluating the adequacy and existence of IT security controls.
- Having properly documented evidence of testing and evaluation activities sufficient for a third-party reviewer to arrive at the conclusion the Security Control Assessor has reached in the work.
Level 2 requires 5 - 9+ years of experience (9+ years of experience is required without a Bachelor's degree).
Typical Tasks may include but are not limited to:
- Plan, implement, upgrade or monitor security measures for the protection of computer networks and information.
- Encrypt data transmissions & erect firewalls to conceal confidential information as it is being transmitted and to keep out tainted digital transfers.
- Develop plans to safeguard computer files against accidental or unauthorized modification, destruction, or disclosure and to meet emergency data processing needs.
- Review violations of computer security procedures & discuss procedures with violators to ensure violations are not repeated.
- Monitor use of data files and regulate access to safeguard information in computer files.
- Monitor current reports of computer viruses to determine when to update virus protection systems.
- Modify computer security files to incorporate new software, correct errors, or change individual access status.
- Perform risk assessments and execute tests of data processing systems to ensure functioning of data processing activities and security measures.
- Confer with users to discuss issues such as computer data access needs, security violations, and programming changes.
- Train users and promote security awareness to ensure system security and to improve server and network efficiency.
- Coordinate implementation of computer system plans with establishment personnel and outside vendors.
- Develop documentation of testing and evaluation activity in order to arrive at logical and comprehensive conclusions and recommendations.
- May ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure.
- May respond to computer security breaches and viruses.
Specific Skills Requirements:
- Organization & information-gathering skills.
- Advanced technical analysis, technical writing and reporting, including managing related documentation & files.
- Knowledge of security engineering.
- Knowledge of United States (US) Government security authorization (certification and accreditation) policies and processes.
- Ability to plan, execute and document security tests and evaluations, both independently and as a team member.
- Ability to perform analysis of in-place technical and non-technical security controls protecting information and information systems.
- Ability to clearly communicate results, findings, and recommendations.
- Ability to research and maintain proficiency in tools, techniques, countermeasures, and trends in information security, computer and network vulnerabilities, data hiding, network security, and encryption.
- Knowledge of computer & network security incident/event auditing and analysis, including incident handling, response and follow-up.
- Knowledge of networking and internetworking protocols and their associated vulnerabilities, vulnerability research methodologies and sources.
- Experience in penetration testing, including wired and wireless, telephonic war-dialing, social-engineering, and application security vulnerability assessments.
- Ability to provide guidance and input to technical reviews of proposed projects, and to the certification and accreditation process.
- Perform successfully in a team environment.
- Requires confidentiality and professionalism, and may require passing and maintaining a higher-level background investigation to continue in the position.
- Technical and English language skills to communicate effectively via telephone, e-mail correspondence, and in-person meetings.
- Work non-core hours as circumstances warrant.
- Carry out assigned tasks with a professional demeanor, as exhibited in excellent written and oral communication skills, listening skills, patience, logical and sound reasoning, and a problem-solving approach.
- Meet timelines, milestones, and deliverables, and provide timely status updates on assigned tasks.
- Support a sustainable infrastructure by ensuring adequate documentation of activities, including cross-training of employees as necessary; support the Continuous Assessment and Monitoring Program.
Typical Work Activities may include any of the following:
- Interacting with Computers: Using computers and computer systems (including hardware and software) to program, write software, set up functions, enter data, or process information.
- Getting Information: Observing, receiving, and otherwise obtaining information from all relevant sources.
- Analyzing Data or Information: Identifying the underlying principles, reasons, or facts of information by breaking down information or data into separate parts.
- Evaluating Information to Determine Compliance with Standards: Using relevant information and individual judgment to determine whether events or processes comply with laws, regulations, or standards.
- Communicating with Managers, Peers, or Co-workers: Providing information by telephone, in written form, e-mail, or in person.
- Identifying Objects, Actions & Events: Identifying information by categorizing, estimating, recognizing differences or similarities, and detecting changes in circumstances or events.
- Processing Information: Compiling, coding, categorizing, calculating, tabulating, auditing, or verifying information or data.
- Documenting/Recording Information: Entering, transcribing, recording, storing, or maintaining information in written or electronic/magnetic form.
- Monitoring Processes, Materials, or Surroundings: Monitoring and reviewing information from materials, events, or the environment, to detect or assess problems.
- Updating & Using Relevant Knowledge: Keeping up-to-date technically & applying new knowledge to the job.
Knowledge: The specific position may require any or all of the following:
- Computers & Electronics: Knowledge of circuit boards, processors, chips, electronic equipment, and computer hardware and software, including applications and programming.
- Telecommunications: Knowledge of transmission, broadcasting, switching, control, and operation of telecommunications systems.
- Engineering & Technology: Knowledge of the practical application of engineering science and technology.
- Public Safety & Security: Knowledge of relevant equipment, policies, procedures, and strategies to promote effective local, state, or national security operations for the protection of people, data, property, and institutions.
- Communications & Media: Knowledge of media production, communication, and dissemination techniques and methods. This includes alternative ways to inform and entertain via written, oral, and visual media.
Skills: The specific position may require any or all of the following:
- Critical Thinking: Using logic and reasoning to identify the strengths and weaknesses of alternative solutions, conclusions or approaches to problems.
- Complex Problem Solving: Identifying complex problems and reviewing related information to develop and evaluate options and implement solutions.
- Active Listening: Giving full attention to what other people are saying, taking time to understand the points being made, asking questions as appropriate, and not interrupting at inappropriate times.
- Writing: Communicating effectively in writing as appropriate for the needs of the audience.
- Judgment & Decision Making: Considering the relative costs and benefits of potential actions to choose the most appropriate one.
- Active Learning: Understanding the implications of new information for both current and future problem-solving and decision-making.
- Monitoring: Monitoring/assessing performance of individuals or organizations to make improvements or take corrective action.
Abilities: The specific position may require any or all of the following:
- Written/Oral Comprehension: Listen to, read and understand information and ideas presented in writing or through spoken words.
- Problem Sensitivity: Able to tell when something is wrong or is likely to go wrong. It does not involve solving the problem, only recognizing there is a problem.
- Deductive Reasoning: Apply general rules to specific problems to produce answers that make sense.
- Inductive Reasoning: Combine pieces of information to form general rules or conclusions (includes finding a relationship among seemingly unrelated events).
- Information Ordering: Arrange things or actions in a certain order or pattern according to a specific rule or set of rules (e.g., patterns of numbers, letters, words, pictures, mathematical operations).
- Written/Oral Expression: Communicate information and ideas in writing or speaking so others will understand.