MIT Lincoln Laboratory IT Security Risk Assessor - Special Programs in Lexington, Massachusetts
The Security Services Department's overall mission is to ensure a safe and secure environment and protect MIT Lincoln Laboratory at all facilities in which staff members perform their mission of research and development. To accomplish this mission, this department formulates and implements policies, plans, and actions designed to protect facilities against threats of vandalism, accidental destruction, and sabotage; and safeguards personnel, classified and unclassified information systems, personally identifiable information, property, and other assets from exploitation and recruitment by foreign intelligence agencies.
IT Security Risk Assessor - Special Programs (IC4)
The IT Security Risk Assessor position performs audits of classified Information Systems (IS) to ensure that they are in compliance with applicable laws and government regulations, to include the National Industrial Security Program Operating Manual (NISPOM) guidelines regarding the protection of classified information systems, National Institute of Standards and Technology (NIST) standards and special publications and Laboratory Information System Security Procedures. The candidate must be knowledgeable in computer security principles and policies, to include Security Technical Implementation Guides (STIGs), NIST 800-53 / Risk Management Framework (RMF), Joint SAP Implementation Guide (JSIG), Intelligence Community Directive (ICD) 503, and DoD Manual 5205.07 Volumes 1-4. The position requires the ability to write comprehensive reports and brief key staff members and Group and Division Leadership across the Laboratory. Using both existing tools and working in collaboration with Laboratory research staff on new cyber defense techniques and technologies, the IT Security Risk Assessor is responsible for maintaining and auditing programs to validate compliance with various government regulations and Laboratory Information Security policies. The position is responsible for conducting comprehensive assessments of the management, operational, and technical security controls employed within or inherited by Information Systems to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system). The position requires a high level of technical expertise and the ability to conduct open source and internal research to identify current threat indicators, exploits and vulnerabilities.
The position also requires a high level of communication skills to include the ability to provide training and briefings to all levels of Laboratory staff and industry partners. Excellent writing skills are required, as the majority of work includes documenting findings, observations and deliverables. The successful candidate must have excellent follow-up and problem solving skills.
Perform Information Systems (IS) audits
Complete System Security Plan (SSP) / Data Security Plan (DSP) cybersecurity risk analysis
Advise network engineers on results of cybersecurity risk analysis
Execute and support major Program network security initiatives
Conduct staff security outreach and engagement
Provide information security decision support
Conduct assessments on vulnerability scanning and patch compliance
Conduct cyber research collaboration and risk mitigation
Provide staff security awareness and training
Support incident response and remediation efforts
Produce security risk and impact assessment reports
Support vulnerability management operations through documentation and reporting of findings to lab leadership
Bachelor’s degree in Computer Science, Information Technology, Computer Information Systems, or related field is required with a minimum of seven (6) years’ experience conducting risk assessments within Special Access and Sensitive Compartmented Information Programs.
Information Assurance Certifications preferred (CISSP/CISA, Security+, GSEC, CRISC or equivalent)
Advanced academic degrees and/or certifications in Information Assurance, Information Security or IT certifications may be considered substitutes for DoD security experience.
Experience in compliance auditing, security reviews, or vulnerability assessments
Technical experience and skills, course work completed toward a degree, and industry IT certifications (i.e., CISSP, CISA) may be considered substitutes for education and experience.
Candidate must possess an in-depth knowledge of information security principles and policies to include the Risk Management Framework (RMF) as presented by the National Institute of Standards and Technology (NIST), Joint Special Access Program (SAP) Implementation Guide (JSIG), Intelligence Community Directive 503 (ICD-503), and all applicable Security Technical Implementation Guides (STIGs).
DoD 8570 IAM Level I Baseline Certification required
Position Requirements (cont.)
Technical experience and skill securing operating systems such as Linux, Windows Server/client OS, and virtualization technologies.
Experience using vulnerability scanning tools such as NESSUS, SCAP, RETINA, WASP, SECSCN
Experience using audit reduction tools, and endpoint security products
Experience assessing vulnerabilities in Free and Open Software (FOSS), Commercial-off-the-Shelf (COTS), Government-off-the-Shelf (GOTS), and custom software
Working experience directly related to Assessment and Authorization using any of the following:
NIST 800-53 / Risk Management Framework (RMF)
Joint SAP Implementation Guide (JSIG)
Intelligence Community Directive (ICD) 503
National Industrial Security Program Operating Manual (NISPOM) Chapter 8
Joint Air Force, Army, Navy (JAFAN) 6/3
Knowledge of System Security Plans (SSPs) and associated artifacts such as the Plan of Action & Milestones (POA&M), Risk Assessment Reports, and Continuous Monitoring Strategies
Demonstrated capabilities in presenting ideas in writing and orally are required.
Local as well as some overnight travel may be required
Selected candidate will be subject to a pre-employment background investigation and possess a current in scope Top Secret level security clearance with compartmental program eligibility
For Benefits Information, click http://hrweb.mit.edu/benefits
Selected candidate will be subject to a pre-employment background investigation and must be able to obtain and maintain a Secret level DoD security clearance.
MIT Lincoln Laboratory is an Equal Employment Opportunity (EEO) employer. All qualified applicants will receive consideration for employment and will not be discriminated against on the basis of race, color, religion, sex, sexual orientation, gender identity, national origin, age, veteran status, disability status, or genetic information; U.S. citizenship is required.