Information System Security Manager

Cambridge, MA, United States

Overview

Draper is an independent, nonprofit research and development company headquartered in Cambridge, MA. The 2,000+ employees of Draper tackle important national challenges with a promise of delivering successful and usable solutions. From military defense and space exploration to biomedical engineering, lives often depend on the solutions we provide. Our multidisciplinary teams of engineers and scientists work in a collaborative environment that inspires the cross-fertilization of ideas necessary for true innovation. For more information about Draper, visit www.draper.com.

Our work is very important to us, but so is our life outside of work. Draper supports many programs to improve work-life balance including workplace flexibility, employee clubs ranging from photography to yoga, health and finance workshops, off site social events and discounts to local museums and cultural activities. If this specific job opportunity and the chance to work at a nationally renowned R&D innovation company appeals to you, apply now www.draper.com/careers.

Equal Employment Opportunity

Draper is committed to creating a diverse environment and is proud to be an affirmative action and equal opportunity employer. We understand the value of diversity and its impact on a high-performance culture. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, disability, age, sexual orientation, gender identity, national origin, veteran status, or genetic information.

 

Draper is committed to providing access, equal opportunity and reasonable accommodation for individuals with disabilities in employment, its services, programs, and activities. To request reasonable accommodation, please contact hr@draper.com.

Responsibilities

The Information Systems Security Manager (ISSM) will lead the Information Assurance (IA) efforts for multiple Department of Defense (DoD) information systems. The ISSM performs the development, implementation, and evaluation of information system security for assigned programs in compliance with the Risk Management Framework (RMF) as outlined in the DAAPM or Navy OD 68340. The ISSM will work under the direction of the Cybersecurity Manager. The successful candidate must be knowledgeable of information technology and security principles. This is a multi-tasking environment that demands customer service, communication, and organizational skills. Due to the nature of this work, this job requires on-site presence in Cambridge, MA. Some travel may be required.

Qualifications

Required Qualifications:  

Must have experience performing the following ISSM duties:

  • Create and develop tactics, techniques, and procedures to enhance the formal IS security program.
  • Support Risk Management Framework (RMF) authorizations for large and complex laboratory network enclaves.
  • Experience supporting various computer hardware platforms and multiple operating systems, in both stand-alone and networked configurations.
  • Customer service skills, including good interpersonal skills, the ability to communicate effectively with all levels of employees, and a professional demeanor.
  • Develop and maintain a formal IS security program and policies for the assigned area of responsibility.
  • Develop and oversee operational information systems security implementation policy and guidelines.
  • Coordinate with the PSO/SCA/ISSP or cognizant security official on approval of external information systems.
  • Ensure ISSOs under their purview are appointed in writing, and provide oversight to ensure ISSOs follow established IS policies and procedures.
  • Assume ISSO responsibilities in the absence of the ISSO.
  • Maintain required IA certifications.
  • Ensure System Administrators (SAs) monitor all available resources that provide warnings of system vulnerabilities or ongoing attacks.
  • Ensure periodic testing is conducted to evaluate the security posture of the IS by employing various intrusion/attack detection and monitoring tools (shared responsibility with ISSOs).
  • Ensure all ISSOs receive the necessary technical and security training (e.g., operating system, networking, security management) to carry out their duties.
  • Ensure approved procedures are used for sanitizing and releasing system components and media.
  • Maintain a repository of all organizational or system-level cybersecurity-related documentation (including ATOs) for IS under their purview.
  • Coordinate IS security inspections, tests, and reviews.
  • Ensure proper measures are taken when an IS incident or vulnerability is discovered.
  • Ensure data ownership and responsibilities are established for each IS, and that specific requirements (including accountability, access, and special handling requirements) are enforced.
  • Ensure development and implementation of an effective IS security education, training, and awareness program.
  • Ensure CM policies and procedures for authorizing the use of hardware/software on an IS are followed. Any additions, changes, or modifications to hardware, software, or firmware must be coordinated with the ISSM/ISSO and the appropriate AO prior to the addition, change, or modification.
  • Serve as a voting member of the Configuration Control Board (CCB) and/or the Risk Executive Board, if applicable. The ISSM has authority to veto any proposed change they consider detrimental to security; appeals of an ISSM/ISSO veto may be taken to the AO. The ISSM may delegate this responsibility to the ISSO.
  • Maintain a working knowledge of system functions, security policies, technical security safeguards, and operational security measures.
  • Manage, maintain, and execute the information security continuous monitoring plan.
  • Ensure a record is maintained of all security-related vulnerabilities, and ensure serious or unresolved violations are reported to the AO/DAO.
  • Assess changes to the system, its environment, and operational needs that could affect the security authorization.

Preferred Qualifications:  

  • 2 years of experience performing as an ISSM, or in a similar role.
  • Ability to obtain a Top Secret/SCI clearance and willingness to take a CI polygraph (customer and/or department dependent).
  • Experience with RMF (NIST SP 800-53, JSIG, DAAPM, ICD 503), incident response (IR), vulnerability management, SCAP, STIGs, and security-relevant tools.

Security Requirement: A current, in-scope Top Secret security clearance is required.


