Security Control Assessor (SCA)

As a Security Control Assessor (SCA) at Ignite IT, you will advise on security standards, conduct comprehensive security assessments for Information Systems, manage Plans of Action and Milestones (POA&Ms), and evaluate security documentation. You’ll also act as a cybersecurity advisor to senior management, contributing to strategic decisions regarding system risks and security compliance.

To qualify for the Security Control Assessor (SCA) role at Ignite IT, candidates must possess a Bachelor's degree or equivalent experience, along with 12 years of IT experience, and 7 years of relevant security experience. Additionally, you will need certifications like DOD 8140 IAM Level II and an active Top Secret Clearance, preferably with SCI eligibility.

Ignite IT offers a range of professional development assistance for Security Control Assessors, including training opportunities, tuition reimbursement, and access to workshops. This commitment helps employees stay competitive and current in cybersecurity practices and continuously improve their skills.

A Security Control Assessor (SCA) at Ignite IT should have strong knowledge of the Risk Management Framework (RMF) NIST 800-37, as well as familiarity with NIST 800-series guidelines, FISMA, and SA&A processes. Hands-on experience with continuous monitoring and managing vulnerabilities is also highly valuable.

At Ignite IT, Security Control Assessors can look forward to a competitive benefits package that includes health insurance options, dental and vision insurance, a 401(k) plan with matching contributions, paid time off, flexible spending accounts, and more. This diverse range of benefits underscores our commitment to employee well-being and work-life balance.

Staying current in the cybersecurity field requires ongoing education and research. I regularly read industry publications, attend conferences, and participate in professional networks to gain insights on emerging threats and compliance updates relevant to my role as a Security Control Assessor.

In a previous position, I discovered a vulnerability during a routine assessment that could have led to a data breach. I documented my findings in a Security Assessment Report and presented them to management, proposing immediate remediation actions and developing a long-term monitoring strategy to ensure ongoing compliance.

I have utilized various vulnerability scanning tools, compliance software, and documentation frameworks. For instance, I've worked extensively with tools aligned with the NIST 800-series and frameworks like FedRAMP for cloud security assessors, enabling thorough evaluations and well-documented reviews.

In such cases, I emphasize open communication and collaboration. I would engage with the ISO to discuss my findings, providing clear documentation and evidence supporting my assessment. Discussing potential risks and listening to their perspective can help us reach a mutual understanding and agree on a path forward.

When developing POA&Ms, I prioritize identifying vulnerabilities and assessing their impact on the system. I create clear, measurable action steps with timelines for remediation, assigning responsibilities to appropriate team members. This structured approach ensures accountability and effective tracking of progress.

I ensure compliance by conducting thorough assessments, documenting all findings, and maintaining a detailed record of all controls in place. Frequent reviews and updates are vital, as is close collaboration with the Information System Owners to ensure they understand their responsibilities in maintaining compliance.

For continuous monitoring, I advocate for implementing automated tools to gather real-time data on system performance and security postures. Regular reviews of security controls and proactive communication with system owners ensure that any issues are addressed promptly and compliance is maintained.

I have assessed numerous cloud environments, particularly focused on frameworks like FedRamp for AWS and Azure. My methodology includes evaluating the security control baselines, conducting vulnerability assessments, and ensuring that cloud systems meet the requisite compliance standards for continuous monitoring.

I evaluate risk levels by considering the potential impact on confidentiality, integrity, and availability for system data. This involves not only assessing existing controls but also analyzing potential threats and vulnerabilities, allowing me to develop a comprehensive risk report that informs decision-making.

My experience includes implementing comprehensive vulnerability management processes, which encompass identifying, assessing, and prioritizing vulnerabilities across systems. I ensure timely patching and remediation, and I document the findings in reports to maintain transparency and track progress against POA&Ms.