An Information System Security Officer (ISSO) is an individual responsible for ensuring the appropriate operational security posture is maintained for an information system and as such, is responsible to and works in close collaboration with the Information System Security Manager (ISSM). The ISSO shall have the detailed knowledge and expertise required to manage the security aspects of both networked and stand-alone information system environments and is assigned responsibility for the day-to-day security operations of a system. In close coordination with the ISSM, the ISSO plays an active role in monitoring a system and its environment of operation to include developing and updating the SSP, managing and controlling changes to the system, and assessing the security impact of those changes. The IAO assists the IT Staff when necessary.
Responsibilities include but are not limited to:
- Ensuring operational security, providing security guidance and IS validation utilizing the National Institute of Standards and Technology (NIST) Risk Management Framework, Department of Defense (DoD), and local security policies
- Maintain awareness of changes to local and DoD security policies and modify policies or configurations to implement directed changes.
- Review system security audit logs, and utilize network scanning software to monitor network activities for possible compromise and take corrective action as needed.
- Provide annual information system security user training.
- Perform self-inspections in conjunction with the local security manager.
- Maintain vulnerability scanning tools and patch management utilities to ensure IT staff pushes patches to all systems in an effort to maintain compliance with all applicable directives.
- Ensure all users that request network accounts have the requisite security clearances, authorization, need-to-know, and are aware of their security responsibilities before granting access to the IS.
- Coordinate any changes or modifications to hardware, software, or firmware of a system with the ISSM/AO/DAO prior to the change.
- Ensure all required approvals are granted and received prior to purchasing any hardware equipment or software applications.
- Conduct periodic review of information systems to ensure compliance with the security authorization package.
- Ensure systems are operated, maintained, and disposed of in accordance with security policies and procedures as outlined in the security authorization package.
- Report all security-related incidents to the ISSM and all applicable personnel and implement any corrective measures.
- Ensure all IS security related documentation is current and accessible to properly authorized individuals.
- Write System Security Policies for site networks, stand-alones and facility:
- Prepare System Security Plan (SSP) in accordance with the applicative governing directive for systems, and ensure all networks are in maintained according to their respective SSPs.
- Develop and maintain local Information Assurance policies for the site facility as well as assist off-site locations.
- Interface with information assurance managers and other security representatives as needed to discuss updates of security policies and make necessary changes to SSPs.
- Assist Project Officers in getting approved for project equipment and software.
- Review system policies and document findings.
- Assist network manager with daily tasks as needed:
- Assist in validating servers and workstations security settings.
- Assist with information system security incidents.
- Assist in network user accounts creation or modification of accesses.
- Assist in getting software and hardware approvals.
- Assist in turning in or disposing of equipment and software.
- Education and Experience
- Current certification identified in DoD Manual 8570,01-M for IAM II
- High-school diploma or an Associate’s degree (A.S.), with a BS preferred. Field experience can be substituted for education degree.
- Familiarity in Information Systems security gained from higher education, trade certifications (MS or CISCO certifications), or a combination of the previous and direct job experience in the information technology / information security field.
- Special Skills and Abilities
- Experience working with patch management, network intrusion detection, audit reduction/filtering tool, data-at-rest, and encryption software.
- Experience installing, configuring, maintaining, and troubleshooting operating system platforms such as Windows 7, Windows Server 2008/2012 to include security configuration knowledge of group and local policies.
- Technical and professional writing expertise; experience with MS Office products.
- Experience in information security that includes configuration of workstations and servers for proper security settings.
- Experience using the National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) tool.
- Applicants selected will be subject to a government security investigation and must meet eligibility requirements for access to classified information.
The job also requires the ability to lift 50 – 70lbs and escort personnel, as necessary.
The job is performed in a general office or comparable working area; occasional distractions, such as noise, interruptions, or congested work area.
Top Secret Clearance with SCI