Security Control Assessor Resume
Washington, DC
SUMMARY:
Competent IT Security Analyst with 6 years of experience in Information Security, with a focus on Confidential and the NIST Risk Management Framework (RMF): system categorization, security control selection, implementation, assessment, authorization and monitoring of security controls, in an effort to mitigate risk and vulnerability of the system.
PROFESSIONAL EXPERIENCE:
Security Control Assessor
Confidential, Washington, DC
Responsibilities:
- Operate the Risk Management Framework using NIST SP 800-37 as a guide, and FIPS 199 as a guide to categorize information systems.
- Classify information systems using the RMF processes to ensure system confidentiality, integrity and availability.
- Select security controls using NIST SP 800-53 Rev 4 as guidance, based on system security categorization.
- Document selected security controls in the SSP that was earlier created using NIST SP 800-18.
- Determine likelihood of risk occurrence using NIST SP 800-30 as a guide.
- Most of my current projects are focused on RMF phase 4 (assessing security controls).
- Effectively engage in the assessment process: preparing for assessment, conducting assessment, communicating assessment results, and maintaining the assessment.
- Coordinate, participate in and attend weekly Confidential forums for security advice and updates.
- Use the implementation section of the System Security Plan (SSP) to address how each control is implemented (frequency of performing the controls, control types and status).
- Create the SAP (to document assessment schedules, control families to be assessed, control tools and personnel, client’s approval for assessment, assessment approach and scope, and ROE if vulnerability scanning is involved).
- Determine assessment method (examining policies and procedures, interviewing personnel and testing technical controls), using NIST SP 800-53A as a guide.
- Create a Risk Traceable Matrix (RTM) in which to document assessment results (pass/fail).
- Prepare Security Assessment Reports (SAR) in which all the weaknesses are reported.
- Create Plans of Action and Milestones (POA&M) to trace corrective actions and resolve weaknesses and findings.
- Conduct a Privacy Threshold Analysis (PTA) and Privacy Impact Analysis (PIA) where necessary by working closely with the Confidential and the System Owner.
- Review Confidential & Confidential package items.
- Set up and participate in the assessment kick-off meetings per NIST SP 800-53A.
- Prepare Confidential package documents (SSP, SAR, POA&M reports, and Confidential & Confidential package) to enable the Authorizing Officer to make a risk-based decision to sign the Authorization to Operate (ATO).
- Determine threat sources and apply security controls to reduce risk impact.
- Conduct risk management by identifying, assessing, responding to and monitoring risk.
- Use POA&M tracking tools such as CSAM (Cyber Security Assessment and Management) and Excel spreadsheets to make sure the POA&M is not in delayed status.
- Ensure that controls are implemented correctly, functioning as intended and producing the right results.
Cyber Security Analyst
Confidential Technologies, Washington, DC
Responsibilities:
- Conducted assessments on management, operational and technical security controls.
- Determined security categorization using NIST SP 800-60 Vol. 2 as an information guide.
- Selected security controls using NIST SP 800-53 Rev 4 as guidance, based on system security categorization.
- Prepared Security Assessment Reports (SAR) in which all the weaknesses are reported.
- Created Risk Traceable Matrixes (RTM) in which pass/fail assessment results were documented.
- Worked with Confidential and the security assessment team to assess the security controls selected.
- Reviewed Privacy Impact Assessment (PIA) documents after a positive PTA was created and ensured PII findings are recorded in the System of Records Notice (SORN).
- Provided audit briefings to the agency and the Information Systems Security Officer (ISSO), ensuring that all findings are documented in the POA&M within their Trusted Agent FISMA (TAF) tool.
- Applied risk assessment to system security, using NIST SP 800-30 to determine the likelihood of risk occurrence.
- Managed Security Control Assessment schedules for the client’s systems to ensure systems remain compliant with Confidential and continuous monitoring requirements.
- Prepared and updated the Confidential requirements in the Confidential & Confidential package, ready for the system Authorizing Officer to make a risk-based determination based on the risk level reported.
- Performed FedRAMP, a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and computing services on multi-agency systems, in accordance with Confidential security control baselines.
- Conducted Security Assessments to determine if controls were implemented correctly, operating as intended and meeting desired objectives/results.
- Examined policies and procedures, interviewed personnel on tested controls and conducted screenshot testing of the system configuration of technical controls.
- Managed vulnerabilities with the aid of Nessus vulnerability scanners to detect potential risks on a single asset or multiple assets across the enterprise network.
- Determined sources of threat and weaknesses to the system.
- Performed vulnerability testing (looking for missing patches, weak password settings, configurations retaining the system’s default access password, and unnecessary services not disabled).
- Monitored controls post-authorization to ensure continuous compliance in accordance with the guidelines in NIST SP 800-137 for security control continuous monitoring.
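The categorization and control-selection steps listed under both positions (FIPS 199 categorization, SP 800-60 provisional impact levels, SP 800-53 Rev 4 baseline selection) and the POA&M delay tracking mentioned in the first position follow a mechanical rule that is easy to show in code. The block below is an added example written for this page; it is not the candidate's or any employer's code. The information types, their impact levels and the POA&M rows are constructed sample data, not values taken from SP 800-60 or from any real system.

```python
"""Added example: FIPS 199 / FIPS 200 high-water-mark categorization,
SP 800-53 Rev 4 baseline selection, and a POA&M delayed-status check.
All information types, impact levels and POA&M rows are constructed sample data."""
from datetime import date
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() gives the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Provisional impact levels per information type, in the shape SP 800-60 Vol. 2
# uses. Values are constructed for this example, not copied from the publication.
SAMPLE_INFO_TYPES = {
    "public web content":   {"C": Impact.LOW,      "I": Impact.MODERATE, "A": Impact.LOW},
    "employee PII records": {"C": Impact.MODERATE, "I": Impact.MODERATE, "A": Impact.LOW},
    "audit logs":           {"C": Impact.LOW,      "I": Impact.MODERATE, "A": Impact.LOW},
}


def categorize_system(info_types):
    """FIPS 199 high-water mark: for each objective (C, I, A) take the highest
    provisional impact across every information type the system processes."""
    return {
        objective: max(levels[objective] for levels in info_types.values())
        for objective in ("C", "I", "A")
    }


def overall_impact(sc):
    """FIPS 200: the system's overall impact level is the highest of C, I and A."""
    return max(sc.values())


def select_baseline(sc):
    """Map the overall impact level to the SP 800-53 Rev 4 baseline name."""
    return overall_impact(sc).name


def format_sc(sc):
    """Render the categorization in FIPS 199 notation."""
    return "SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}" % (
        sc["C"].name, sc["I"].name, sc["A"].name)


# Constructed POA&M rows: (weakness id, control, scheduled completion date, status).
SAMPLE_POAM = [
    ("W-001", "AC-2", date(2018, 3, 1), "Ongoing"),
    ("W-002", "SI-2", date(2018, 6, 30), "Ongoing"),
    ("W-003", "CM-6", date(2018, 1, 15), "Completed"),
]


def delayed_poam_items(rows, today):
    """Return ids of open POA&M items whose scheduled completion date has passed;
    completed items are never reported as delayed regardless of their date."""
    return [wid for wid, _ctrl, due, status in rows
            if status != "Completed" and due < today]


if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_sc(sc))
    print("Baseline:", select_baseline(sc))
    print("Delayed POA&M items:", delayed_poam_items(SAMPLE_POAM, date(2018, 4, 1)))
```

With the sample data the system categorizes as moderate for confidentiality and integrity and low for availability, so the overall impact and the selected baseline are MODERATE; the POA&M check reports only W-001, the open item whose scheduled date has already passed.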