B&M is hiring Security Assessors (entry-level and experienced) for IT security testing, risk and vulnerability analysis, and consulting engagements on Federal projects. The Security Assessors will plan and conduct IT security assessments and testing of technical, management, and operational controls of Federal IT security and privacy programs and systems. These positions require an understanding of security principles, how they apply to system architectures, and the various testing methods utilized to ascertain the effectiveness of those controls. The candidates who fill the position will work in a team environment with an experienced Project Manager. The candidates will be assigned risk and vulnerability assessments under the direction of the Project Manager, and be expected to develop client-ready deliverables.

The candidates may perform any or all of the following: conduct IT security testing (risk and vulnerability analysis) of complex operational systems and facilities; define and describe risk exposure based on threats and exploit paths, while factoring in mitigating controls; provide recommendations for remediating detected vulnerabilities and compliance gaps; conducts independent testing of corrective actions to validate risk/vulnerability resolution. The candidates, with guidance from the Technical Project Manager, is expected to be able to evaluate technical controls related to areas such as, but not limited to, the adequacy of encryption controls implemented across a variety of platforms to protect sensitive data in transit and at rest; the architecture, configuration, and use of antivirus and malware detection and management solutions; audit log generation, aggregation, and analysis; and authentication solution configuration and management.

Responsibilities:

  • Familiar with OMB Circular A-130 and NIST requirements, particularly NIST SP 800-37 Revision 2 and SP 800-53 Revision 5

  • Able to plan, conduct, and document IT security testing in accordance with NIST SP 800-53A Revision 5

  • Facilitates and conducts Security Control Assessments (SCA) and possibly additional advanced-level Continuous Monitoring Activities within internally hosted and cloud-based environments

  • Ensures cyber security policies are adhered to and that required controls are implemented

  • Validates respective information system security plans to ensure NIST control requirements are met

  • Develops resultant SCA documentation, including but not limited to the Security Assessment Report

  • Initiates recommendations associated with the findings on how to improve the customer’s security posture in accordance with NIST controls

  • Reviews the controls that support the Requirements Traceability Matrix (RTM) and the details of the System Security Plan (SSP) to determine completeness and accuracy

  • Follows and abides by the SCA Standard Operating Procedure (SOP) that is provided by the client

  • Provides Security Assessment Results to meet client requirements and standards, which will include at a minimum the following documents: SAR, RTM, and a detailed technical results document as stipulated by the client upon Security Assessment completion

  • Assists with the interpretation and analysis of Security Assessment Results upon completion of each Security Assessment and/or as requested to assist with post-assessment questions, to assess the vulnerability and risk to the system and to the customer or other connected systems

  • Able to lead small, less complex system assessments independently

  • Able to assist team members with proper artifact collection to the client’s examples of artifacts that will satisfy assessment requirements

  • Be proficient at testing, analyzing and interpreting Security Assessment Results for all systems, including but not limited to the following platforms:

    • Microsoft Server 2008/2012/Other, UNIX/Linux, Microsoft SQL Server, Oracle DBMS, Sybase DBMS, Windows 7, IIS, Mobile Device Management solutions, Routers/Switches/Firewalls, Printers/Faxes/Multi-Function Devices, .Net and Java custom-developed applications

Tools:
Familiarity with the following tools is preferred, but is not required: Archer GRC, Qualys, Tenable, CoreImpact, DbProtect, Nessus, IBM AppScan, Symantec Endpoint Protection, Symantec DLP, FireEye ATP, McAfee SIEM, McAfee IDS/IPS, ForeScout, MS Excel pivot tables.

Entry-Level Requirements:

  • Bachelor or Master of Science in Computer Science or Cybersecurity with GPA > 3.5

  • Knowledge of Federal information security standards and methodologies preferred, including FISMA requirements, OMB standards and guidelines, and NIST Federal Information Processing Standards (FIPS) Publications and Special Publications (NIST FIPS 199, NIST FIPS 200, NIST SP 800-37, NIST SP 800-53/A, etc.)

  • Ability to apply information security principles to enterprise applications, operating systems, and networks

  • Excellent written and verbal communication skills

Experienced-Level Requirements:

  • Bachelor or Master of Science in Computer Science or Cybersecurity with GPA > 3.5

  • 2 - 4 years of Security control assessment (SA&A) experience

  • Experience in performing IT security testing, IT control assessments/audits, and/or IT Security Testing and Evaluation (ST&E) preferred

  • Knowledge of Federal information security standards and methodologies preferred, including FISMA requirements, OMB standards and guidelines, and NIST Federal Information Processing Standards (FIPS) Publications and Special Publications (NIST FIPS 199, NIST FIPS 200, NIST SP 800-37, NIST SP 800-53/A, etc.)

  • Ability to apply information security principles to enterprise applications, operating systems, and networks

  • Excellent written and verbal communication skills

  • One or more of the following certifications is preferred: CISSP, CEH, CISA, CISM, CAP


Citizenship Requirements:
U.S. Citizens only. Applicants selected will be subject to a government security investigation and must be able to pass a Federal background check for a public trust clearance.


To Apply:
Please send your detailed resume that includes a summary of your SA&A qualifications at the top of the resume to hr@bm-consulting-group.com


Equal Opportunity Employer:
B&M Consulting Group, Inc. is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability or protected veteran status, or any other legally protected basis, in accordance with applicable law.