The Cybersecurity Policy and Procedure Analyst - Junior is responsible for effectively managing information security risk organization-wide, which requires the following key elements:
- Assist the ISSO in the development of a long-term cybersecurity strategy for the NHLBI. Provide expertise and develop artifacts corresponding to each of the following:
- Recommend security control objectives.
- Provide assessment of current cybersecurity status.
- Recommend security domain model.
- Offer cybersecurity related plan of actions and milestones.
- Recommend individual security strategies such as contingency planning, systems documentation, system inventories, risk analysis, etc.
- Assist the ISSO in defining key metrics for NHLBI cybersecurity posture. The key metrics shall include data collection methodologies and reporting requirements.
- Monitor Federal law, Executive Agency policies and publications, HHS/NIH/NHLBI standards, policies, and memos, and other sources of cybersecurity guidance, and assess their impact on the NHLBI Cybersecurity program. The Contractor shall provide reports as needed.
- Create, review, and revise documents (such as memos, informational papers, briefs, communication packages) related to Cybersecurity to support sharing policy/guidance information with the NHLBI community and staff.
- Create an implementation plan for all the cybersecurity policies and standards that are applicable to the NHLBI with actionable items and timelines.
- Carry out the cybersecurity related action items in the implementation plan. Some implementation plans for the standards and policies require annual review.
GCIO seeks a Cybersecurity Policy and Procedure Analyst - Junior with the following:
- Knowledge of strategic planning for cybersecurity risk management, compliance, and policy and procedure development
- Knowledge of cybersecurity risk management implementation (strategy and a plan to execute it)
- Knowledge of NIST SP 800-39, Managing Information Security Risk (organization, mission/business process, and information system views). This has a different focus from NIST SP 800-37, Guide for Applying the Risk Management Framework
- Knowledge of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover), the framework that Departments and Agencies (D/A) are applying to their cybersecurity programs and through which they report FISMA metrics to DHS
- Knowledge of GRC (governance, risk management, compliance)
- Knowledge of FISMA
- Knowledge of NIST SP 800-53 security controls
- Senior-level communication skills
- Strategic planning
- Excellent analysis and writing skills
The Cybersecurity Policy and Procedure Analyst - Junior will:
- Ensure that senior leaders/executives recognize the importance of managing information security risk and establish appropriate governance structures for managing such risk;
- Ensure that the organization’s risk management process is being effectively conducted across the three tiers of organization, mission/business processes, and information systems;
- Foster an organizational climate where information security risk is considered within the context of the design of mission/business processes, the definition of an overarching enterprise architecture, and system development life cycle processes; and
- Help individuals with responsibilities for information system implementation or operation better understand how information security risk associated with their systems translates into organization-wide risk that may ultimately affect the mission/business success.