Job ID: TX-5371213SA2E (912690102)

Security Analyst with federal/state mandates, C&A, NIST SP 800-37, risk management, vulnerability assessment, OWASP, SSE-CMM and healthcare/HHSC ISG experience

Location: Austin TX (DSHS)
Duration: 8 months

Minimum Requirements:
Years | Skills/Experience
10 | Previous experience working as a Business Analyst liaison between Information Technology (IT) staff, security staff and the business stakeholders to incorporate non-functional security requirements into the business, business processes and IT systems, including applications and infrastructure.
8 | Work as a business analyst (BA) who has written and implemented security requirements based on federal and/or state mandates, from High-Level System Architecture Design, System Requirements, System Design, System Implementation and System Test.
6 | Experience in the application of the Security Certification and Accreditation (C&A) process for Information Systems (IS) at a Federal and/or State level, in either specifying C&A requirements and/or demonstrating/implementing security compliance of those requirements.
6 | Previous experience using Business Analyst expertise in facilitating day-to-day activities to produce the security deliverables needed from the stakeholder/customer, network/operations team, access administration team, and implementation teams.
2 | Knowledge of and familiarity with NIST SP 800-37, Risk Management Framework. Able to either determine security risks or provide proof of compliance in the following areas: security categorization, security control selection, security control implementation, security control assessment, information system authorization and security control monitoring.
2 | Experience with assisting an organization in establishing, documenting and integrating information system security policies, processes, security procedures, security requirements and security assurances into the appropriate phases of the SDLC to support risk management.

Preferences:
Years | Skills/Experience
2 | Previous experience in Texas state agencies implementing applications and incorporating security solutions.
2 | Previous experience with DSHS business programs and IT systems.
2 | Knowledge of HHSC Information Security Guide (ISG) and how to apply it.

Description of Work
All work products resulting from the project shall be considered “works made for hire” and are the property of DSHS. DSHS may include pre-selection requirements that potential Vendors (and their Workers) submit to and satisfy criminal background checks as authorized by Texas law. DSHS will pay no fees for interviews or discussions that occur during the process of selecting a Worker(s).

An experienced Business and Security Analyst (BA/SA) is needed to assist with business and security analysis work. The work involves understanding how to protect agency/program assets and deliver cybersecurity, software security, and vulnerability assessment services. The resource will frequently need to train and/or educate the program areas and personnel without security knowledge on the interpretation of security controls and on which implementation mechanisms will satisfactorily meet those controls. This resource will work under general supervision, with moderate latitude for the use of initiative and independent judgment. The resource will be an advocate and compliance specialist and will promote information security as a desired function that is integral to the business.

The resource will schedule and manage work sessions between program area subject matter experts (SMEs), information technology technicians and vendors in developing the cybersecurity compliance artifacts in any of the following formats: Word, Excel, PowerPoint, and Visio. The person must demonstrate experience in project development and be fluent not only in Software Development Life Cycle (SDLC) concepts, deliverables and terminology, but also in the Secure Software Development Life Cycle (e.g. OWASP Secure Software Development Lifecycle (S-SDLC), OWASP Software Assurance Maturity Model, and/or System Security Engineering Capability Maturity Model (SSE-CMM)).

The resource must be an experienced technical Business Analyst who has proven ability in analyzing and documenting business and IT processes, developing and managing functional requirements through various SDLC methodologies to implementation, and working closely with the business to incorporate new functionalities, with security in mind, to enhance and modify their business practices and processes. Additionally, the worker will have had successful experience in defining project scope and creating/managing schedules. The worker must have excellent verbal and written communication skills.
