Sr. FISMA Compliance Analyst
The Sr. FISMA Compliance Analyst is responsible for developing and executing control test plans for assigned critical processes and associated integrated controls (including Sarbanes-Oxley). The incumbent must become familiar with NIST requirements (NIST 800-53) as well as FFIEC, HIPAA, GLBA, PCI and other regulatory frameworks. The incumbent is responsible for working with IT areas to ensure critical processes have been analyzed and documented. The incumbent must ensure that adequate testing is performed on assigned control tests.
This position will perform testing in certain IT areas to ensure controls are designed and operating effectively. In other IT areas, the incumbent will serve in an oversight role to validate test plans and results. The incumbent will be responsible for issue identification and remediation validation. This position will be responsible for effective and timely communication of issue statuses. Some communication with senior management may be required and will be verbal as well as written. The incumbent will work with control owners to gather evidence and support work being performed by other groups. Strong organizational skills are required and proven communication skills are a must. The position will be responsible for certain requirements around federal boundaries. The incumbent must become familiar with the boundaries currently supported and the process to maintain an authority to operate. Additionally, this position will be involved in other projects as assigned that may be regulatory, security, IT or risk related.
1. Test Planning and Execution
a. Identify components to be tested and controls included for each component assigned to the analyst (i.e. mainframe application, general support system components like Networks and PBX, open systems).
b. Create the detailed test plan for areas of responsibility. Work with Control Owners and other participants.
c. Execute testing. Work with Control Owners to communicate the testing requirements based on the in scope controls and appropriate test methods in accordance with NIST 800-53A assessment objectives. Gather and evaluate evidence. Document and communicate testing results to Control Owners and other participants.
d. Prepare detailed evidence to support compliance of controls tested.
e. Manage document storage/portal for testing evidence.
2. Issues Management
a. Responsible for understanding the issue management process and managing issues related to assigned areas and components. Communicate with owners and approve remediation plans. Retest items as remediation plans are implemented.
b. When new items are identified, work with Control Owners to ensure the new finding is accurate and the remediation date is acceptable.
c. Work with Issue Owners through the process of closing issues.
3. Project Work
a. Become the control expert on assigned areas and monitor overall compliance with that area on a continuous basis.
b. Train and educate IT personnel in relation to applicable regulatory requirements and responsibilities. Work with control owners to update controls based upon regulatory source updates and/or additions to Navient's regulatory requirements.
c. Ensure documentation remains current, adequate testing is performed, and results are evaluated and discussed with owners; has authority to recommend changes to controls, testing, or remediation based on findings. Evaluate risk associated with each boundary component and ensure controls are adequate and cover potential exposure.
d. Rely on risk management expertise to recommend enhancements based on current industry trends or federal guidelines.
e. Develop and maintain library and inventory for audit reports.
4. Support & Communication
a. Participates as a key member of the IT Compliance department. Works closely with Information Security, IT, Corporate Compliance, and all other key program members to ensure the overall program continues to meet the federal security requirements in the most cost-effective, efficient manner possible.
b. Tracks individual project and assigned issues, publishes documentation and ensures IT and business areas are on schedule to meet deadlines.
c. Communicates ideas, testing strategies, findings, and process improvements, both verbally and in writing, in a clear, concise manner tailored to the appropriate audience.
5. Certification and Accreditation
a. Build and maintain a structured certification and accreditation process that meets federal requirements. Responsible to update and maintain documentation to be available for agency or assessor reviews.
b. Build a structure that is easily repeatable as new government contracts are awarded.
This position will support a federal government contract. Applicants must be able to obtain Public Trust security clearance as required of federal government contractors to include a background check conducted by the U.S. Government to determine eligibility and suitability for federal contract employment for public trust or sensitive positions. For this level of clearance, applicants must possess U.S. citizenship.
* Bachelor's Degree in Information Systems, Business or equivalent experience
* 5 years minimum experience in Information Technology, Information Security and/or auditing/controls testing
* Ability to meet project due dates.
* Excellent written and verbal communication skills, including presentation skills.
* Ability to simultaneously work on multiple projects.
* Ability to recognize/analyze/and document deficiencies and articulate those deficiencies to key management personnel.
* Excellent organizational skills.
* Excellent analytical skills and problem solving ability.
* Ability to make recommendations and decisions independently.
* Ability to perform well under pressure and to work independently with high levels of initiative.
* Proficient in Microsoft Excel.