Tista Science And Technology Corporation, posted 9 months ago
$52,730 - $68,500/Yr
Full-time • Mid Level
Remote • Potomac, MD
Professional, Scientific, and Technical Services

About the position

As a Senior Security Analyst at TISTA Science and Technology Corporation, you will play a crucial role in ensuring the security and integrity of our information systems. This position is designed for individuals who are passionate about cybersecurity and want to make a positive impact on millions of people. You will work remotely, collaborating with cross-functional Agile and SDLC project teams, or you may support individual product initiatives. Your primary responsibilities will include conducting security authorization and assessment activities, obtaining Authorization to Operate (ATO) in compliance with NIST and client directives, and determining baseline IT security requirements for various IT systems. In this role, you will manage vulnerabilities and conduct technology evaluations and system design reviews to assess the effectiveness of existing controls. You will be responsible for monitoring progress, managing risks, and keeping key stakeholders informed about project outcomes. Additionally, you will assist in the Federal Information Processing Standard (FIPS) categorization of applications and systems, participate in risk assessments, and perform vulnerability scans and penetration testing to identify security weaknesses. You will document and implement security controls using NIST standards, generate necessary system documentation such as Security Assessment Reports (SARs) and Privacy Impact Analyses (PIAs), and create and maintain project content in the Governance, Risk, and Compliance (GRC) tool. Your expertise will also be required in assessing systems for risks, providing guidance on security requirements for cloud-hosted systems, and staying updated on industry standards and vulnerabilities. This position demands strong problem-solving skills, technical proficiency, and the ability to work collaboratively in a team environment.

Responsibilities

  • Work as part of cross-functional Agile and SDLC project teams or support individual product initiatives.
  • Conduct security authorization and assessment activities and obtain an Authorization to Operate (ATO) in line with NIST and client guidance.
  • Determine the baseline IT Security requirements for IT Systems, diagram system authorization boundaries, and determine system categorization based on FIPS-199.
  • Manage vulnerabilities and conduct technology evaluations and system design reviews to assess the effectiveness of existing controls.
  • Monitor progress, manage risk, and ensure key stakeholders are kept informed about progress and expected outcomes, proposing and taking corrective action as appropriate.
  • Assist in Federal Information Processing Standard (FIPS) categorization of applications/systems.
  • Participate in risk assessments, vulnerability scans, and penetration testing of new and existing systems to identify, investigate, and document security weaknesses.
  • Document and implement security controls using NIST standards.
  • Review and generate authorization and assessment system documentation as needed, including Security Assessment Reports (SARs), Privacy Threshold Assessments (PTA), and Incident Response Plans (IRP).
  • Create and maintain project content in the Governance, Risk, and Compliance (GRC) tool per client's guidance.
  • Identify and report detailed Plans of Action and Milestones (POA&Ms); manage and monitor corrective actions.
  • Review and analyze system scan reports.
  • Provide guidance on security requirements for systems hosted in the cloud (including FedRAMP) versus on-premises.
  • Research and stay up-to-date on industry standards and any new vulnerabilities and risks.
  • Assess systems to analyze risk and report weakness findings.
  • Work with developers and DBAs in addressing findings.
  • Assess and review current technology infrastructure to identify key risk areas and ensure adequate levels of controls are in place to address those risks.
  • Participate in and support internal and external compliance initiatives including audit requests, tabletop exercises, security training, and other tasks associated with improving the company's security posture.

Requirements

  • 5+ years of demonstrated experience in the Information Security (Cybersecurity or Information Assurance) field.
  • Recognized IT security certification, such as Security+ or Certified Information Systems Security Professional (CISSP).
  • Demonstrated proficiency in developing, maintaining, and managing security authorization and assessment packages.
  • Experience with developing and managing POA&Ms.
  • Technical experience conducting research on software and technologies for vulnerabilities and providing review recommendations.
  • Technical experience with reviewing vulnerability scans and providing mitigation techniques.
  • Experience participating in Security Control Assessments (SCAs).
  • Experienced in writing security-related policies and procedures and conducting audit log reviews.
  • Knowledge of and experience with Federal security regulations, standards, and processes including FISMA and NIST.
  • Experience with NIST Special Publications and guidance.
  • Strong problem-solving and analysis skills, self-motivated, and able to work and communicate in a team environment.
  • Experience with maintaining security packages in a Governance, Risk, and Compliance tool.
  • Strong written and oral communication skills.

Nice-to-haves

  • DevSecOps experience.
  • Enterprise Mission Assurance Support Service (eMASS) experience.

Benefits

  • Above industry healthcare benefits
  • Remote working options
  • Paid time off
  • Training/certification opportunities
  • Healthcare savings account
  • Flexible savings account
  • Paid life insurance
  • Short-term and long-term disability
  • 401K match
  • Tuition reimbursement
  • Employee assistance program
  • Paid holidays
  • Military leave
  • And much more!