Director, Information Security
Location: Elkridge, MD/Remote
FosterThomas, a Mid-Atlantic Staffing and Recruiting Firm, is leading the search for a Director, Information Security for our Client located in Elkridge, MD, currently remote.
Performs duties and responsibilities commensurate with the assigned functional area within a department or departments, which may include, but are not limited to, any combination of the following tasks:
- Document, develop, and review security and privacy policies, procedures, standards, guidelines, and baselines.
- Develop, maintain, and enhance a security, privacy, and insider threat awareness program. Develop or research and propose role-based training.
- Develop, document, and implement a vulnerability management program and processes for the IDOS EDMP environment. Use automated tools to perform static and dynamic analysis testing to identify vulnerabilities and attack vectors in web applications.
- Provide support and subject matter expertise for relevant legal, regulatory, and contractual requirements including but not limited to: FedRAMP, FISMA, HIPAA/HITECH, HITRUST, IRS Pub 1075, 1974 Privacy Act, PRA, HHS policy (including IS2P), CMS policy (including IS2P2), CMS ARS, CMS RMH, CMS BPSSM, CMS TRA, CMS XLC and/or TLC, NIST CSF, NIST RMF, NIST FIPS, NIST Special Publications, OMB Memoranda, OMB Circulars, Presidential Directives, DHS Binding Operational Directives, NARA records retention requirements, DFARS, and CMMC.
- Independently develop a variety of A&A deliverables including: System Security Plans, E-Authentication Risk Analysis, Information Security Risk Assessment, Privacy Impact Assessments, Annual Assessments, Contingency Plans, Incident Response Plans, and FIPS 199 Security Categorizations, etc.
- Develop and maintain Plans of Action and Milestones corrective actions for audit findings.
- Recommend system architecture solutions based on industry best practices and knowledge of Federal and organizational security guidelines.
- Perform periodic internal audits, vulnerability assessments, and web application testing.
- Maintain current knowledge of relevant technology as assigned.
- Manage small, agile teams of security analysts, engineers, and architects.
- Work with infrastructure/DevOps to tune security monitoring tool configuration in order to reduce false positives and ensure patching expectations are met.
- Build, develop, and maintain relationships with internal and external stakeholders. Promote a DevSecOps culture of collaboration across contract support to ensure security, privacy, and risks are considered at every phase of the SDLC for all platforms and contracts as well as for corporate environment enhancements.
- Work with system stakeholders to identify key processes, conduct risk assessments, perform gap analyses, determine residual risk, and establish risk appetite thresholds.
- Contribute to the annual strategic planning and business plan for the contract related to security.
- Create, enhance, and disseminate reports and status updates to contract stakeholders.
- 8+ years of related experience in Security Compliance.
- Hands-on experience with NIST Standards and FedRAMP Regulations.
- CISSP in good standing required.
- CAP or FITSP certification strongly desired.
- CISM or CISSP-ISSMP certification strongly desired.
- Bachelor’s Degree in Computer Science or a related technical discipline, or the equivalent combination of education, professional training, or work experience.
- Experience in managing IS Security, developing policies, procedures, and guidelines in a complex environment.
- CIPP/G certification or experience driving ATOs including the privacy controls specified in NIST SP 800-53 rev 4 Appendix J strongly desired.
- Experience in the development, implementation, and operation of IT Security Strategy within a complex environment.
- Knowledge and experience with security best practices and relevant legislation.
- Experience with IT Security management, access policy and management, authentication, authorization, audit, secure communications and network protection, data protection and privacy, and security administration.
- Strong risk assessment and risk management skills.
- Vulnerability management tools (e.g., Nessus, Tenable Security Center, or Tenable.io)
- Dynamic application security testing tools (e.g., Burp Suite Professional)
- Static application security testing tools (e.g., HP Fortify, Veracode)
- GRC tools (e.g., CSAM/CFACTS)
- Proficient in Microsoft Office (Word, Excel, PowerPoint, etc.)
- Microsoft Project
- Excellent interpersonal, communication, and organizational skills.
- Excellent written and verbal communication skills – must be able to communicate fluently in English both verbally and in writing
- Should be extremely facts and data oriented.
- Should be deadline and closure oriented.
- Strong persuasion, facilitation and influencing skills.
- High energy levels; should be self-driven.
- Strong analytical, organizational and project management skills.
- Demonstrated ability to lead and work with cross-functional teams, including senior-level individuals.
- Must be able to thrive in a fast-paced, rapidly evolving environment with varying priorities, based on a team building culture.