Information Assurance Analyst
Execute the VA Enterprise Risk Analysis (ERA) process using a custom ERA tool to identify key cybersecurity risk factors in network-connected medical devices and Special Purpose Systems, including building automation systems, physical security systems, and operational technology. Summarize, evaluate, and report risk factors using quantitative and qualitative scores to give a VA authorizing official awareness of the residual cyber risk before these devices are connected to the VA network. Acquire, review, and leverage system documentation and data gathered through questionnaires and interviews with customers in the field and with vendor and manufacturer representatives to accurately document critical security posture elements in a common reporting format, including hardware and software inventory, communications profile, system interconnections, data types and stores, the presence or absence of security controls, and the settings and mechanisms for a given device type. Work within the Specialized Device Security Division Risk Management team and collaborate with Federal and contractor teammates to achieve the best outcomes for the ERA process. This position is open to remote delivery anywhere within the U.S., including the District of Columbia.
Experience with Cybersecurity, risk management, or risk assessment for complex systems
Experience with NIST SP 800-53 and NIST SP 800-30
Experience with documenting and depicting network topology and network protocols
Ability to engage directly with clients and third parties to facilitate enterprise risk analysis
Ability to obtain a security clearance
HS diploma or GED and 18+ years of experience with systems security engineering or BS degree in CS, IT, or Engineering and 10+ years of experience with systems security engineering
Experience with cybersecurity analysis of medical technology or Internet of Things (IoT)
Experience with Governance, Risk, and Compliance (GRC)
Experience with Assessment and Authorization (A&A) and eMASS
Experience with Excel and Visio
Public Trust clearance
CompTIA Security+, Certified Risk Management Professional (CRISC), or Certified in Risk and Information Systems Control (CRISC)
Applicants selected will be subject to a security investigation and may need to meet eligibility requirements for access to classified information.
We're an EOE that empowers our people, no matter their race, color, religion, sex, gender identity, sexual orientation, national origin, disability, veteran status, or other protected characteristic, to fearlessly drive change.
Booz Allen Hamilton Inc.