- Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.
- Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
- Plan and conduct security authorization reviews and assurance case development for new and existing installation of systems and networks to confirm that risk is within acceptable limits.
- Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
- Verify and update security documentation reflecting the application/system security design features.
- Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
- Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).
- Participate in Risk Governance process to provide security risks, mitigations, and input on other technical risk.
- Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
- Assure successful implementation and functionality of security requirements and appropriate IT policies and procedures that are consistent with the organization's mission and goals.
- Ensure that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary.
- Support necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs).
- Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.
- Conduct interactive training exercises to create an effective learning environment
- Develop new or enhance existing awareness and training materials that are appropriate for intended audiences.
|
