Jobs at ORock Technologies


Cybersecurity Compliance Analyst

Reston, VA · Information Technology
About ORock Technologies
ORock Technologies is a small business Cloud and Infrastructure as a Service (IaaS) provider that supports the specialized needs of organizations with the highest data security requirements, including Independent Software Vendors (ISVs), solution providers, and enterprise end users in such markets as Defense, Intelligence, Government, Financial Services, and Healthcare.
 
As a Red Hat Certified Cloud & Service Provider (CCSP), ORock owns and operates a carrier-grade private fiber optic network with multiple data centers and a secure, open source, “pure-play” Red Hat cloud. Our state-of-the-art IaaS and Cloud solutions offer superior levels of security, performance, compliance, flexibility, and control for ORock customers, channel partners, and software vendors.
 
Currently we have a need for a Cybersecurity Compliance Analyst to work out of our Reston, VA HQ. You must be a US citizen and be eligible for a clearance at the Secret level or above.

The Cybersecurity Compliance Analyst opening is a full-time position. The analyst is responsible for knowing all applicable federal mandates and for working with security team members to ensure that all cybersecurity policies are adhered to and that required controls are implemented on a continuous basis. The analyst will develop security authorization packages, including system security plans, security assessment reports, POA&M summaries, and a continuous monitoring plan/assessment schedule, and will present executive-level briefings.
 
Primary Duties and Responsibilities:
  • Write System Security Plans (SSPs) and the associated NIST control implementation statements so that they match the technical implementation of the ORockCloud environment
  • Map and develop controls to achieve and maintain industry compliance certifications (e.g., HIPAA, PCI DSS, SOC)
  • Assist in developing and performing internal compliance efforts, including preparation for audits, certifications, and other assessments
  • Interface directly with third-party assessment teams, coordinating response activities, preparing supporting documentation, and presenting findings and other compliance information
  • Review, validate, and prioritize compliance assessment findings
  • Assist in the ongoing assessment and compliance monitoring of security controls
  • Brief and educate internal team members about governance and compliance responsibilities
  • Manage, coordinate, and participate in internal and external assessment meetings and audit walkthroughs
  • Create POA&Ms, work with the appropriate teams to remediate, mitigate, and close POA&M findings, and gather and upload supporting artifacts
  • Work with the Operations, Engineering, and Security teams to respond to Security Assessment Report (SAR) findings
  • Create Risk Mitigation Plans (RMPs) for assessment findings and vulnerabilities that cannot be remediated
  • Own POA&M management and ticket resolution
  • Develop detailed remediation reports and recommendations for compliance and security improvements across the enterprise
  • Implement security and compliance controls following the NIST SP 800-53 Rev. 4 security control catalog
  • Implement remediation of Security Control Assessment (SCA) findings and, as needed, other advanced continuous monitoring activities within cloud-based environments
  • Develop security policies and processes based on federal standards and conduct security awareness training
  • Ensure that security authorization boundaries are properly defined and captured in the SSPs, and that all interconnection agreements (MOUs/ISAs) are in place and current
Those successful in this position will have:
  • 5-10 years of experience with NIST, RMF, FedRAMP, Common Criteria, and FISMA-related activities, including system security plans, contingency plans, incident response plans, configuration management plans, security control requirements and assessments, Plans of Action and Milestones (POA&Ms), and training requirements
  • Experience reviewing federal information systems' compliance with the Federal Information Security Management Act (FISMA), specifically security control assessments in accordance with NIST SP 800-53, SP 800-53A, CNSSI 1253, and the Risk Management Framework (RMF) described in NIST SP 800-37
  • Knowledge of information security standards (e.g., ISO 17799/27002), of rules and regulations related to information security and data confidentiality (e.g., HIPAA, HITECH), and experience with other security frameworks (ISO, COBIT, HIPAA/HITECH, etc.) and regulatory requirements
  • The ability to verify and validate the implementation of security controls for IT systems, applications, software products, and common controls across the Low, Moderate, and High security control baselines in accordance with NIST SP 800-37, SP 800-53 Rev. 4, and SP 800-53A Rev. 4, with an understanding of classified systems through CNSSI 1253
  • The ability to comprehend and interpret policies, standards, guidelines, and procedures as they relate to the National Institute of Standards and Technology (NIST) and the Federal Information Security Management Act (FISMA)
  • Knowledge of, and experience applying, configuration checklists and guides for compliance with local/organizational policy and procedures (e.g., DISA Security Technical Implementation Guides (STIGs), best-practice guides, hardening guidance, and similar configuration management checklists and processes)
  • The ability to work with system security personnel to identify, obtain, and review the artifact evidence needed to determine compliance with security controls in accordance with NIST SP 800-37, SP 800-53 Rev. 4, and SP 800-53A Rev. 4
  • At least three (3) years of experience in the IT industry, with strong familiarity with the applicable NIST Special Publications: SP 800-37 Revision 1, SP 800-53 Revision 3 or 4, and SP 800-53A Revision 1
  • Experience reviewing Nessus output is a plus, along with basic knowledge of networking components and of the various operating systems found in a cloud environment
  • Experience analyzing and documenting security control deficiencies and system vulnerabilities
  • Knowledge of and experience in writing policies, procedures, guidance, standards, and instructional materials
  • The ability to clearly identify, document, and verbally communicate deficiencies in IT systems, documentation, and organizational processes across all NIST SP 800-53 security control families, with strong written and verbal communication skills, including the ability to explain technical matters to a non-technical audience
  • BA or BS in Information Security, Information Assurance, Computer Science, or a related field

ORock Technologies requires the candidate to prove eligibility to work in the United States. All final candidates will be asked to complete a background check. These record checks can include any or all of the following: education verification, employment verification, drug screening, criminal record check, and/or driving record check.
 
ORock Technologies is an equal opportunity employer and considers qualified applicants for employment regardless of race, gender, gender identity, gender expression, age, color, religion, disability, veteran’s status, sexual orientation, or any other protected factor.