Security Controls Analyst
Document the security control implementation, as appropriate, in the Department’s FISMA management system (CSAM), providing a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs).
Security control documentation describes how system-specific, hybrid, and common controls are implemented. The documentation formalizes plans and expectations regarding the overall functionality of the information system. The functional description of the security control implementation includes planned inputs, expected behavior, and expected outputs where appropriate, typically for those technical controls that are employed in the hardware, software, or firmware components of the information system. Documentation of security control implementation allows for traceability of decisions prior to and after deployment of the information system. The level of effort expended on documentation of the information system is commensurate with the purpose, scope, and impact of the system with respect to organizational missions, business functions, and operations. To the extent possible, organizations reference existing documentation (either by vendors or other organizations that have employed the same or similar information systems), use automated support tools (CSAM), and maximize communications to increase the overall efficiency and cost effectiveness of security control implementation. The documentation also addresses platform dependencies and includes any additional information necessary to describe how the security capability required by the security control is achieved, at a level of detail sufficient to support control assessment. Documentation for security control implementation follows best practices for hardware and software development as well as for system/security engineering disciplines and is consistent with established organizational policies and procedures for documenting system development life cycle activities.
Whenever possible and practicable for technical security controls that are mechanism-based, organizations take maximum advantage of functional specifications provided by or obtainable from hardware and software vendors and/or systems integrators, including security-relevant documentation that may assist the organization during the assessment and monitoring of the controls. Similarly, for management and operational controls, organizations obtain security control implementation information from appropriate organizational entities (e.g., facilities offices, human resource offices, physical security offices). Since the enterprise architecture and information security architecture established by the organization significantly influence the approach used to implement security controls, documenting this process helps to ensure traceability with regard to meeting the organization's information security requirements.
The resources shall:
- allocate security controls as system-specific, hybrid, or common controls consistent with the enterprise architecture and information security architecture in CSAM.
- demonstrate the use of sound information system and security engineering methodologies in integrating information technology products into the information system and in implementing the security controls contained in the security plan and CSAM.
- document in CSAM how common controls inherited by organizational information systems have been implemented.
- document in CSAM how system-specific and hybrid security controls have been implemented within the information system taking into account specific technologies and platform dependencies.
- update all control information in CSAM as part of system migration, removing references to security controls and services no longer used and updating implementation statements in CSAM for new security services, common controls, hybrid controls, and system-specific controls as part of the new hosting environment.
- complete and execute all necessary system owner or ISSO artifact requirements necessary for change management, configuration management, change control boards, assessment and authorization, and the Department’s Enterprise Architecture Review Process.
Certifications - the client is asking for any or all of the following:
CNSS (4011-4016, 4053)
For the ISC2 certifications (CISSP, SSCP, CAP, CCSP), an associate designation will be accepted.
Job Status: Contract/Temporary