Risk Assessor

Responsibilities

 While the other assessor roles on the Security Assessment team perform technical testing and generate risk information, the Risk Assessor focuses exclusively on analyzing existing Risk Information Sources (RIS) (regardless of generation source). Put another way, the other assessor roles generate a RIS that is (potentially) used by the Risk Assessor (possibly along with other RIS) to determine the risk posture of the system being assessed. The Risk Assessor role is utilized whenever a Risk Assessment is requested. The Risk Assessor typically works independently of and after the Security Assessment team. The Risk Assessor is not typically a part of the Security Assessment team but may interact with them to better understand their findings and their context. Before identifying the risks to the system, the Risk Assessor first familiarizes herself with the system by reviewing the system’s SSP, ISRA, PIA, and any existing ACT RARs. The purpose of this review is to understand the purpose, design, implementation, and environment of the system; its development roadmap; and the already-identified risks to the security and privacy of the system. The Risk Assessor reviews and analyzes the data from all available RIS (including the Findings and output from ongoing ACT Security Assessments). Available RIS might include ACT Security Assessments that are being conducted concurrently or that were conducted in the past; other available RIS might include sources such as penetration testing performed by the CMS Cybersecurity Integration Center (CCIC), DHS Cyber Hygiene, etc. The Risk Assessor works with ISPG and/or the appropriate Security Assessment Lead or Risk Assessment Lead to determine which Risk Information Sources should be considered for each Assessment. The Risk Assessor documents the identified Risks and analysis in the current version of the ACT Risk Assessment Report Template.

Qualifications

Minimum Qualifications: (Minimum knowledge, skills, and abilities to perform the job)

• 3-5 years of experience with Federal Accreditation testing, a degree can be substituted for some, but not all the experience.
• Document control reviews and findings as they occur according to client requirements.
• Candidate must be a great communicator (both written and verbal) and be able to work with a group as well as independently.
• Report writing experience.
• Experience in Windows systems.
• Understanding of Privacy Concepts.
• Understanding of information management and protection systems (AV, Patch management, etc.).
• Utilize various information system inspection tools to audit systems, analyze potential vulnerabilities and identify mitigation approaches.
• Interview skills.
• Understanding of security control concepts.
• Understanding of program security and information systems security best practices.
• Ideal candidate will be self-motivated, a team player, organized, and detail oriented.

Desired Qualifications: (desired experience, education, and training)

• Experience in Federal security certification and accreditation.
• Security , CAP, CISA, or equivalent certifications.