Job ID: VA-643177 (98190105)
Govt Security Analyst/IT Risk Assessment Analyst (CISA/CRISC/CISSP) with business impact assessment, network vulnerability, NIST, IRS pub, VA COV experience
Location: 600 E Main St, 9th Floor, Richmond, VA 23219 (TAX)
Duration: 9+ months
Interview : Web Cam Interview Only
Will work remotely until offices safely reopen
MUST be able to pick up equipment IN PERSON and log in on site (initially) to engage COV ID.
Experience performing risk assessments within a state agency environment (Required, 5 years)
IT experience (total number of years within IT) (Required, 5 years)
Experience performing comprehensive IT security risk assessments, including evaluation of security controls implemented within a complex information system (Required, 5 years)
Experience reviewing IT system documentation, including Business Impact Assessments, previous Risk Assessments, System Security Plans, and Network Vulnerability Assessments (Required, 5 years)
An in-depth understanding of National Institute of Standards and Technology (NIST) Special Publication 800-53 (Required, 5 years)
CISA, CRISC, CISSP or similar certification preferred (Highly desired)
Familiarity with Commonwealth of Virginia (COV) Information Security Standards requirements SEC501-11, SEC525-04.1, SEC502-3, SEC520-02, and IRS Publications (Highly desired, 5 years)
No laptop will be shipped; equipment must be picked up in person, no exceptions. Reminder: parking is NOT included for contractors.
Virginia Tax is looking for an experienced IT Risk Assessment Analyst to conduct IT security risk assessments of IT systems. The analyst will assess the risk of the VATAX IT system based on confidentiality, integrity, and availability. The IT system includes but is not limited to applications, servers, and databases. The risk assessment shall be performed in compliance with Commonwealth of Virginia SEC501-11 and SEC520-02 standards.
The analyst must be a self-starter and have experience completing IT security risk assessments.
TAX will provide training on using the IT Security Risk Assessment materials to conduct the IT security risk assessments.
– Conduct the risk assessment according to the project timeline
– Schedule risk assessment meetings with system owners and administrators.
– Interview Subject Matter Experts based on a set of predefined questions and document information collected.
– Analyze system documentation and the results; follow up by email or meeting as necessary.
– Assess the risk and document risk findings in the Risk Assessment Template.
– Schedule a meeting and review risk findings with the system owner and administrator.
– Draft system risk assessment report and Risk Treatment Plan.
– Review results with the ISRM team and finalize the report.
– Disseminate report to system owner and administrator.
– Update VATAX risk register with risk findings.
For each IT system, the risk assessor must complete a risk assessment questionnaire, Risk Assessment Template, Risk Assessment Report, and Risk Treatment Plan.
3 to 5 years of risk assessment experience
5 to 10 years of IT experience. CISA, CRISC, CISSP or similar certification preferred
**Professional references from the reporting manager will be required if the candidate has prior state agency experience.
Perform comprehensive IT security risk assessment, including the evaluation of security controls implemented within a complex information system.
Review and analyze IT system documentation, including Business Impact Assessments, previous Risk Assessments, System Security Plans, Network Vulnerability Assessment results, Continuity Plans, and Disaster Recovery Plans.
An in-depth understanding of National Institute of Standards and Technology (NIST) Special Publication 800-53 is required. Preferred is familiarity with Commonwealth of Virginia (COV) Information Security Standards requirements including:
– Information Security Standard (SEC501-11)
– Hosted Environment Information Security Standard (SEC525-04.1)
– IT Security Audit Standard (SEC502-3)
– IT Risk Management Standard (SEC520-02)
– IRS Publication 1075
Previous experience conducting risk assessments for information technology security with Commonwealth Information Technology Security Standards at COV agencies preferred.
Preference given to those with COV IT Risk Assessment experience or similar.
To be best fit for this role:
– Ability to learn quickly, be a self-starter with a strong team and customer focus, and balance multiple tasks simultaneously.
– Strong organizational skills to put structure in place to deliver strategic and tactical results in a dynamic, complex environment.
– Ability to pay attention to detail and systematically organize, analyze, and process large amounts of information.
– Ability to build relationships and collaborate with key stakeholders at all levels within the department.