
4 Information System Security Analyst Jobs in Windsor, MD

Index Analytics
Windsor, MD | Full Time
$75k-91k (estimate)
1 Week Ago
INDEX ANALYTICS LLC
Windsor, MD | Other
$75k-91k (estimate)
1 Week Ago
INDEX ANALYTICS LLC
Windsor, MD | Other
$105k-126k (estimate)
7 Days Ago
Index Analytics
Windsor, MD | Full Time
$106k-127k (estimate)
1 Week Ago
Information System Security Analyst
Index Analytics Windsor, MD
$75k-91k (estimate)
Full Time 1 Week Ago

Index Analytics is Hiring a Remote Information System Security Analyst

Index Analytics, LLC, is a rapidly growing, Baltimore-based small business providing health-related consulting services to the federal government. At the center of our company culture is a commitment to instilling a dynamic and employee-friendly place to work. We place a priority on promoting a supportive and collegial team environment and enhancing staff experience through career development and educational opportunities.

The Information Security Systems Analyst (InfoSec SA) performs cybersecurity-related tasks designed to safeguard the security of systems and information assets by protecting against unauthorized access, modification, or destruction.

The InfoSec SA demonstrates expertise in various systems administration concepts, practices, and procedures. They rely on extensive experience and judgment to plan and accomplish goals. They perform a variety of complex tasks, and a wide degree of creativity and latitude is expected. They lead and direct the work of others, typically reporting to department management or an executive. They may provide consultation on complex projects and be a top-level contributor/specialist in the department. They must be an expert at problem-solving, identifying risk, and communicating results and recommendations to department management.

The InfoSec SA will:

  • Manage information systems security including disaster recovery, database protection, and software development

  • Perform technical support focused on developing, operating, managing, and enforcing security capabilities for systems and networks

  • Analyze information security systems and applications, then recommend and develop effective security measures

  • Identify, report, and resolve security violations

  • Evaluate IT infrastructure in terms of risk to the organization and establish controls to mitigate loss

  • Determine and recommend improvements in current risk management controls and system changes or upgrades

  • Work with end users to determine needs, implement policies or procedures, and track compliance through the organization

  • Establish, plan, and administer the information security function's overall policies, goals, and procedures

  • Implement network security policies and procedures to ensure network (LAN/WAN, telecommunications, and voice) security and protect against unauthorized access, modification, or destruction

Responsibilities

  • Aid project teams in compiling documentation for Security Compliance Audit/Adaptive Capability Testing (SCA/ACT), Security Impact Analysis (SIA), and Authority to Operate (ATO) prior to project implementation and support the recurring and ongoing security requirements.

  • Work with Federal Agency and contract-supported Information System Security Officers (ISSOs) to monitor and track the progress of remediations to security findings.

  • Work with developers to support secure coding practices, explain application-related security findings and how to avoid reproducing them, and ensure information security risks are managed throughout all the phases of the software development lifecycle (SDLC).

  • Use automated tools to perform static source code and dynamic security testing to identify vulnerabilities and attack vectors in web applications.

  • Provide support for contract-supported programs, federal agencies, federally owned systems, or enclaves' information assurance programs.

  • Provide support for proposing, coordinating, implementing, and enforcing information security policies, standards, and methodologies.

  • Perform vulnerability/risk assessment analyses to support certification and accreditation.

  • Provide configuration management (CM) for information system security software, hardware, and firmware.

  • Manage changes to the system and assess the security impact of those changes.

  • Prepare and review documentation to include Systems Security Plans (SSPs), Risk Assessment Reports, Certification and Accreditation (C&A) packages, and System Requirements Traceability Matrices (SRTMs).

  • Support security authorization activities in compliance with the U.S. Department of Health & Human Services (HHS) for the Centers for Medicaid and Medicare Services (CMS) and the Food and Drug Administration (FDA).

  • Complete a Security Impact Analysis as part of each sprint within an agile development organization.

  • Support, implement, maintain, and monitor security and privacy controls in compliance with Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), Federal Risk and Authorization Management Program (FedRAMP), National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) requirements and guidance; knowledge of Cybersecurity Maturity Model Certification (CMMC) requirements is a plus.

  • Plan, document, implement, assess, maintain, and monitor security and privacy controls per requirements, policies, standards, processes, and procedures documented in the CMS BPSSM, ARS 3.1 and 5.0, TRA, and RMH.

  • Support audits, assessments, penetration test-related documentation requests, and vulnerability remediation efforts.

  • Document and maintain a Plan of Action and Milestones (POA&M) for weaknesses identified in security tests and audits.

  • Recommend system architecture solutions based on industry best practices and knowledge of federal and organizational security guidelines.

  • Perform periodic internal audits, vulnerability assessments, and web application security testing.

  • Maintain current knowledge of relevant security and privacy trends and technology.

  • Knowledge of Symantec Endpoint Security cloud is a plus.

Qualifications

Required

  • Bachelor's degree with at least 10 years of experience; or an associate degree with at least 14 years of experience
    • Acceptable degree specialties include but are not limited to the following: Information Technology, Mathematics, Computer Networking, Cybersecurity, and various engineering and science disciplines.
  • CISSP Certification required.
    • Additional certifications (other than those required for the position) in specialization may be substituted for one year of experience; degree must be in a relevant technical curriculum and experience must be related to the job duties.
  • Hands-on experience with implementing, documenting, maintaining, and monitoring NIST, HIPAA, and FedRAMP control requirements

  • Experience in implementing and enforcing policies, procedures, and guidelines in a complex environment

  • Experience driving ATOs, including the privacy controls specified in NIST SP 800-53 rev 4 Appendix J

  • A good understanding of and ability to communicate security and risk implications to technical and non-technical audiences

  • Knowledge and experience with security best practices and relevant legislation

  • Excellent interpersonal, verbal, and written communication and organizational skills; must be able to communicate fluently in English both verbally and in writing

  • Meet deadlines with success

  • Strong analytical, organizational, and project management skills

  • Ability to thrive in a fast-paced, rapidly evolving environment with varying priorities based on a team-building culture

Preferred

  • 3–5 years supporting security initiatives at HHS or other government agencies (CMS preferred) or related experience in security compliance using the NIST Risk Management Framework

  • Working knowledge of DevSecOps principles (such as CI/CD, test automation, etc.), process automation, and tools

  • Experience evaluating DevSecOps tools such as AWS CI/CD, NewRelic, Splunk, Git, CloudBees Jenkins, Docker/OpenShift, SonarQube/Fortify/Nessus, and LaunchDarkly for security risk and compliance

  • Knowledge of CMS Acceptable Risk Safeguards (ARS), FISMA compliance (and CFACTS), FedRAMP and NIST security guidance and publications, HIPAA, and related privacy and compliance regulations

  • Hands-on experience with implementing, documenting, maintaining, and monitoring CMS Acceptable Risk Safeguards control requirements

  • Experience working as part of an agile scrum team and assisting with security-related tasks and deliverables associated with bi-weekly sprints

  • Experience using vulnerability scanners such as Nessus, OpenVAS, or Nexpose

  • Experience running static analysis/static application security testing tools such as SonarQube, Fortify, or Veracode

  • Experience running dynamic application security testing tools such as WebInspect, AppScan, Qualys, Burp Suite Pro, or OWASP ZAP

  • Experience with GRC tools such as CSAM, CFACTS, or Xacta

  • Proficient in Microsoft Office (Word, Excel, PowerPoint), Project, and Visio

  • Experience securing cloud-based environments such as AWS and Azure Cloud


Index Analytics provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.
This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.

Job Summary

JOB TYPE

Full Time

SALARY

$75k-91k (estimate)

POST DATE

04/24/2024

EXPIRATION DATE

06/22/2024

WEBSITE

index-analytics.com

HEADQUARTERS

CATONSVILLE, MD

SIZE

50 - 100

FOUNDED

2012

CEO

RAGHU AKKAPEDDI

REVENUE

<$5M

Related Companies
About Index Analytics

Index Analytics is an 8(a) and HUBZone certified small business specializing in data strategy, data integration, data visualization and Salesforce CRM solutions. Founded in 2012, Index has been delivering award-winning IT solutions and improving our clients' return on investment (ROI) by providing high-quality enterprise solutions to federal government agencies. We are proud to have successfully supported multiple enterprise-wide information technology (IT)-related deployments on domains such as Business Intelligence (BI); Extract, Transform, and Load (ETL) tools and technologies; Big Data; data strategy; Geographic Information Systems (GIS) technology; user training, coaching and support. Index Analytics services can be accessed through the following government contract vehicles: GSA Schedule 70 (SIN for IT Professional Services and Health IT); GSA Professional Services Schedule (formerly MOBIS); and CIO-SP3 (HUBZone). Please visit http://www.index-analytics.com/ for additional information.

Index Analytics
Full Time
$106k-127k (estimate)
1 Week Ago
Index Analytics
Remote | Full Time
$86k-107k (estimate)
1 Week Ago
Index Analytics
Remote | Other
$64k-83k (estimate)
2 Months Ago