Senior C&A Compliance Auditor
Job Description:
Individual will work with Department of Energy management, staff and contractor personnel to perform reviews of previously prepared Certification and Accreditation (C&A) packages for IT systems that are identified as being subject to FISMA reporting. All reviews will be performed in compliance with the ACIO for Cyber Security (CISO) C&A audit and review process. Each review will be classified either as a compliance review, which confirms the package's consistency with DOE C&A policies and procedures, or as an advice-and-assistance review, which helps improve the quality of the package so that it achieves compliance with DOE C&A policies and procedures. Each review will be conducted at one of three levels of rigor, ranging from package structural and content analysis to detailed and rigorous compliance reviews. Reviews may include both unclassified and classified systems. Due to the size of most C&A packages, reviews will be conducted using a team approach. These positions are not IG/HCC positions. In addition, incumbents may participate in the development of documentation for C&A packages and assist others in developing documentation related to C&A packages. These positions will be full-time, long-term positions that will require a high level of diligence and productivity.
The incumbent's responsibility is to manage, coordinate and participate in C&A package reviews. It is expected that this individual may manage multiple teams of two or three individual reviewers/assessors. This individual will coordinate the teams' activities to ensure that packages are reviewed in a manner that is consistent with the system's type classification and at the level of rigor identified with the system owner at the initiation of the review process. This individual should have experience leading IT security audit teams, preparing Government C&A packages and/or managing the build-out and deployment of complex IT systems. They must understand the threat environment associated with Federal IT systems. They should be experienced working in an IT audit environment and be able to work with federal managers, IT System Owners and other staff responsible for the systems being assessed. They must participate in the development of documentation for C&A packages and assist others in developing documentation related to C&A packages. In addition, they must input data and documentation into an automated C&A and FISMA tool and train others to do so.
Job Requirements:
- Bachelor's degree (Master's preferred) in Information Technology, Security, or Engineering with 7 or more years' experience; or an equivalent combination of education and work experience. A degree in accounting/audit disciplines combined with an information security background will be given strong consideration.
- US Citizen (REQUIRED)
- Ability to obtain a DOE Q-level clearance required. US Government Top Secret clearance highly desired.
- CISSP certification required. Audit or C&A certifications highly desired (CISA, CAP, CIA).
- Systems or network certifications (MCP, CCNA, etc.) a plus.
- Demonstrable knowledge of NIST Special Publications associated with C&A preparation is required.
- Must have comprehensive knowledge and understanding of the threat environment in which Federal IT systems are developed, deployed, operated and managed.
- Must have extensive experience in leading both program-level and system-level cyber security reviews and audits.
- Must have experience in preparing C&A packages.
- Strong organizational, planning, and analytical skills.
- Excellent verbal and written communication skills.
- Demonstrated ability to distill information from technical resources.
- PC and desktop applications competency (e.g., Microsoft Office, Microsoft Project, email, etc.).
- Experience in real-world network and system security, including problems and solutions.
- Understanding of IT Security Assessment tools is a plus.
- Must be able to travel on an occasional basis, estimated to be less than 20%.