Job Overview:
As a Security Control Assessor (SCA), you will play a crucial role in assessing and ensuring the security controls implemented within our information systems. This entry-level position involves working closely with our cybersecurity team to evaluate the effectiveness of security measures, identify vulnerabilities, and recommend improvements to enhance the overall security posture of our organization. Candidates conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37).
Job Functional Titles:
Personnel performing this work role may also be referred to officially or unofficially as the following functional titles:
- Information Assurance (IA) Compliance Analyst
- Information Assurance (IA) Auditor
- Certifying Agent/Authority
- System Certifier
- Security Control Validator
- IT Auditor
- Assessor
- CompTIA Security+
- CompTIA Cloud+
- CompTIA Advanced Security Practitioner (CASP+)
- CompTIA Cybersecurity Analyst (CySA+)
- CompTIA PenTest+
- ISC2 Governance, Risk and Compliance Certification (CGRC)
- ISC2 Systems Security Certified Practitioner (SSCP)
- GIAC Security Leadership Certification (GSLC)
Bachelor’s degree or higher from an accredited college or university.
Experience:
2 - 5 years of experience. Candidates are expected to have a more advanced skill set and practical experience.
Candidates will have an immediate understanding and exposure to the following core career elements:
Core Tasks:
- Develop methods to monitor and measure risk, compliance, and assurance efforts. (T0072)
- Develop specifications to ensure risk, compliance, and assurance efforts conform with security, resilience, and dependability requirements at the software application, system, and network environment level. (T0079)
- Draft statements of preliminary or residual security risks for system operation. (T0083)
- Maintain information systems assurance and accreditation materials. (T0141)
- Monitor and evaluate a system's compliance with information technology (IT) security, resilience, and dependability requirements. (T0150)
- Assess the effectiveness of security controls. (T0309)
- Perform security reviews, identify gaps in security architecture, and develop a security risk management plan. (T0177)
- Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy. (T0178)
- Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change. (T0181)
- Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks. (T0184)
- Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations. (T0244)
- Information Assurance
- Information Systems/Network Security
- Information Technology Assessment
- Legal, Government, and Jurisprudence
- Risk Management
- Systems Testing and Evaluation
- Vulnerability Assessment
- Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities. (K0054)
- Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). (K0044)
- Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data. (K0038)
- Knowledge of the Security Assessment and Authorization process. (K0037)
- Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). (K0049)
- Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). (K0179)
- Skill in discerning the protection needs (i.e., security controls) of information systems and networks. (S0034)
- Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. (S0027)
- Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure. (K0267)
- Knowledge of Risk Management Framework (RMF) requirements. (K0048)
- Knowledge of organization's evaluation and validation requirements. (K0028)
- Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities. (K0013)
- Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins. (K0040)
- Knowledge of penetration testing principles, tools, and techniques. (K0342)
- Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). (K0070)
