Thursday, October 15, 2009
Security Analyst with Certification in Albany, NY
The Consultant shall be responsible for conducting security reviews and asset-based risk assessments of key Service Delivery Offerings to client customers, as well as assisting with security reviews of new technology and applications that are being developed to expand these services. The key Service Delivery Offerings include but are not limited to the following:

* Data Center facilities
* Networks
* Email services
* Telephony services
* Remote VPN access
* Directory Services
* Internet Application Hosting & Development
* Customer Care Center

The Consultant and SRMO will jointly develop work plans as required to accomplish Consultant tasks. The work plans will include project deliverables and prescribed timeframes. All work plans, schedules and deliverables will be subject to the review and approval of the Director of SRMO or designee. The Consultant will provide written reports in formats and templates defined by SRMO. The content must reflect accurate and comprehensive analysis and documentation of findings and details involved in the scope of work, and present recommendations suited for management consideration. The Consultant will also offer consultation on improvements to the client's Information Security Program and Enterprise Security Architecture. Comments, appraisals, and recommendations will be constructive. All communications (email, text documents, minutes, conversations, etc.) related to the client's security will be kept confidential and considered restricted information unless otherwise determined by SRMO.

1. Consultant Responsibilities

During the course of the Project, the Consultant will perform the following functions:

Risk assessments: Using SRMO's Risk Management methodology, the Consultant will primarily be responsible for providing project leadership and technical expertise for all of the following:

* Client Service Delivery Services Risk Assessments
* Technology-related Risk Assessments
* Specific risk assessments related to applications under development or the introduction of new features or system components to the overall Enterprise Architecture

The Consultant will follow SRMO processes to document risks, identify gaps and resolve compliance issues with the standards and controls used by the Client (e.g. NIST; NYS Information Security Policy P03-002 V3.2; ISO 17799/27001; HIPAA; FISMA) and make recommendations for mitigating risks. The Consultant will also assess the current Client architecture and the deployed technologies used to provide security. This will include, but not be limited to, the following:

* Host server security and configurations
* Virtual Private Network (VPN) access
* Intrusion Detection Systems (IDS)
* Intrusion Prevention Systems (IPS)
* Anti-Virus (AV)
* Wireless computing and access

2. Enterprise Architecture

The Consultant will provide technical input regarding the client's Enterprise Architecture, including the testing and assessment of new technologies that will enhance the client's security architecture. The Consultant's recommendations must ensure that the security of the client's Technical Information Assets conforms to industry standards. Areas of review may include, but not be limited to, the following:

* Data Integrity and Authentication
* Data Confidentiality
* Trusted credentials
* Application Access and Authentication
* Software Integrity
* System/Middleware security
* Host security
* Internal Network security
* Network Perimeter security
* Audit and event logging

A key element will be to develop and architect solutions that ensure the client's key information assets remain protected should the external security perimeter be compromised.

3. New Projects

The Consultant and SRMO will jointly identify security-related projects for the Consultant to undertake. Under the direction of the Director of SRMO or designee, the Consultant will perform and update new project security assessments and ensure that security requirements are identified, tested, and implemented. In addition, the Consultant shall:

* facilitate and ensure the successful transfer of knowledge from the Consultant to SRMO staff designated by the Director of SRMO or designee;
* submit required reports, as defined by the client;
* be responsible for daily backups of any data and/or software developed as a result of the Consultant's tasks; and
* attend periodic (i.e. weekly) status meetings, as required.

Experience: Mandatory Requirements

* Four or more years of experience performing security risk assessments of networks, data center operations, Internet application design and development, and remote access technology.
* Four or more years of experience providing written reviews, reports and recommendations to improve security policies, standards, processes, and procedures for larger-scale government or private company businesses.
* Four or more years of experience analyzing compliance with industry best-practice security policies and standards, documenting security weaknesses and developing remediation plans for management approval.
* At least one recognized Information Security or Audit Controls certification (CISM, CISSP, CISA, etc.).

Desirable Experience

It is highly desirable that the proposed Consultant has conducted the following types of security reviews:

* Evaluated the security of a network's design and any change proposals that present security risks; identified and reported any non-compliance with an Enterprise's security rules related to secure communication among devices (e.g. port assignments, protocols, encryption standards, etc.).
* Evaluated whether an organization's servers, network devices and system components were configured securely based on industry standards, guidelines or industry best practices.
* Performed project security reviews to ensure security policies and requirements are met at all stages of an application's development life cycle.
* Evaluated an organization's security and risk management program in terms of risk reduction, policy and standards compliance levels, awareness training, vulnerabilities and remediation statistics, etc.
* Conducted and documented assessments of an organization's compliance with the following industry controls and standards: NIST, ISO 17799/ISO 27001, HIPAA, FISMA.

It is also desirable that the proposed Consultant has:

* Evaluated and improved the security of the following technologies: MS Active Directory, LDAP/Netegrity SiteMinder, UNIX, Remote VPN, IPS/IDS, Wireless security, Firewalls, Security Event and Incident Management, VMware, IBM Mainframe.
* Reviewed and/or improved security in these categories:
  a. Identity Authentication and Access Management
  b. Workforce security roles and responsibilities
  c. Contracts, RFPs, and vendor agreements
  d. Security Awareness Training
  e. Security incident reporting
* Professional-level courses/seminars in risk management, vulnerability management or auditing of IT systems.
* Experience using an asset-based risk assessment methodology.
* Experience evaluating or developing Disaster Recovery Plans for Computer Centers and/or large-scale Networks or IT Systems.
* Good project management and interpersonal communication skills, as demonstrated by previous experience managing larger-scale, complex projects.
* Strong analytical and report-writing skills that, if requested, can be supported by offering samples during the selection process.

To apply to this job go to http://www.GadBall.com