Information System Security Officer (ISSO)
Information System Security Officer (ISSO) Performance Requirements:
- Execute the Security Authorization activities program.
- Assist in developing unified guidelines and procedures for conducting certifications and/or system-level evaluations of federal information systems and networks including the critical infrastructure of TSA.
- Develop and present, both verbally and in writing, highly technical information and presentations to non-technical audiences at all levels of the organization. Audiences for this information include, but are not limited to, senior executives at TSA and other agencies.
- Ensure IT systems have all security controls in place and functioning properly in accordance with NIST 800-53A publication.
- Conduct vulnerability assessments and evaluate/analyze results from tools including, but not limited to: NESSUS, AppDetective, WebInspect, and ISS.
- Support onsite external and internal audits for designated systems.
- Report incidents within the time frame prescribed by DHS 4300 policy for incident response.
- Contractor must have excellent communication and writing skills. The contractor will frequently participate in official meetings with high ranking officials from TSA and DHS.
- Thorough knowledge of, and experience with, the NIST 800 series publications, including 800-30, 800-37, 800-53, and 800-53A.
- Previous experience creating all necessary Certification and Accreditation (C&A) documentation. Experience must be clearly defined in the resumes.
- Proficiency conducting scans and evaluating/analyzing results from tools including, but not limited to: NESSUS and ISS.
- Minimum of 3 years demonstrated experience with Enterprise Network devices (i.e. routers, switches, firewalls). Experience must be clearly outlined in resume.
- Minimum of 3 years demonstrated experience with operating platforms (i.e. UNIX, Solaris, and Microsoft) and others as required. Experience must be clearly outlined in resume.
- Certification and Accreditation Professional (CAP), Certified Information Systems Security Professional (CISSP), or similar widely recognized IT security certification is required.
- 3-6 years of strong, relevant experience.
- Support all applicable agency and Federal Security policies, directives, mandates, and laws.
- Ensure security requirements for the major application or general support system are being or will be met.
- Complete timely and successful Security Authorization, Ongoing Authorization, and Privileged Account Audits, as directed by IAD, of government and government-operated systems, applications, networks, and interfaces, in accordance with TSA and DHS procedures.
- Review the design and specifications for systems to ensure they will meet Security Authorization requirements for the network and systems.
- Evaluate and recommend system architecture features to enhance system security.
- Advise developers on the best ways to incorporate Security Authorization requirements into the network and systems.
- Coordinate the development of a Contingency Plan with the System Owner (SO) and ensure the plan is regularly tested and maintained.
- Prepare Risk Analyses (RA) to determine whether cost-effective and essential security controls are in place.
- Understand the security risks arising from interconnecting the system to other systems.
- Direct preparation of system security plans in accordance with TSA and DHS guidelines.
- Evaluate and provide reviews with recommendations of System Security Plans for new and modified systems.
- Check plans for completeness and accuracy.
- Control, update, and maintain an equipment inventory database.
- Attend security awareness and related training programs and distribute security awareness information to the user community as appropriate.
- Report IT security incidents in accordance with established procedures.
- Report security incidents not involving IT resources to the appropriate security office.
- Support the appropriate IT security personnel or system owner (SO) in the preparation of reports to higher authority concerning sensitive and/or national security information systems.
- Evaluate change recommendations to current networks and systems for their security impact.
- Provide oversight for Plan of Action and Milestones (POA&M) issues for both classified and unclassified networks and systems.
- Implement a security policy for the system that is compliant with all applicable agency and higher policies, directives, mandates, and laws.
- Provide technical review and recommendations for all Risk Assessments and Vulnerability Assessments conducted for the system, program, or site.
- Provide security analysis of IT activities to ensure that appropriate security measures are in place and enforced. This includes ensuring that appropriate steps are taken to implement information security requirements for IT systems throughout their life cycle, from the requirements definition phase through disposal.
- Assist in the development and evaluation of system boundaries and the establishment of physical and personnel security measures.
- The ISSO must possess experience with NIST 800 publication standards. The ISSO shall conduct Risk Management Framework activities in accordance with NIST 800-37 standards. Verify all Risk Management Framework documentation is maintained for systems as required by applicable TSA OIT and IAD Standard Operating Procedures.
- Provide oversight for penetration testing or other ‘Red Team’ activities that might occur at, or traverse, the system’s infrastructure as part of security controls assessments, as requested.
- Ensure the continuous monitoring of an information system while providing oversight and monitoring of the security controls in the information system on an ongoing basis and inform the authorizing official when changes occur that may impact the security of the system.
- The ISSO shall maintain the confidentiality, integrity, and availability of human resource data and ensure the proper protection of Sensitive Security Information (SSI), Privacy Information, and Personally Identifiable Information (PII).
- Assist with the security evaluation of systems and networks. Conduct vulnerability assessments and evaluate/analyze results from tools including, but not limited to: NESSUS, AppDetective, WebInspect, and ISS.
- Draft and coordinate the development of Interconnection Security Agreements for connections with government or other domains.
- Review and perform security categorization of systems in accordance with FIPS 199.
- Apply requirements for security controls in accordance with FIPS 199 and NIST SP 800-53 and the appropriate system hardening checklists and guides. Ensure IT systems have all security controls in place and functioning properly in accordance with the NIST SP 800-53A publication.
- Record the results of security evaluations and system designs in DHS/TSA security information systems.
- Track as needed and maintain privileged user training records of all privileged users of responsible system(s). Ensure privileged users complete annual privileged user training each year and report results to IAD.
- Public Trust