information security analyst job description


The information security analyst position is a great opportunity for security professionals to expand their skill set.

There are many types of information security analysts.  Some information security analysts examine the security features of a single system, while others might be responsible for analyzing the security features of an entire organization's infrastructure.

Analysts are usually professionals with enough security experience to provide guidance on security incidents, security features and/or risks in a given information systems environment.

That being said, the term information security analyst is used in many different ways by many different organizations.  For example, sometimes organizations call their security professionals “analysts” when they actually do “engineering”, and sometimes they call security analysts engineers.  So take the description below with a grain of salt.

Essentially, an analyst studies, monitors, computes, considers and contemplates existing systems and provides reports, incident handling and responses on them, or checks designs proposed or developed by others.  Engineers create, design, manipulate, install and configure existing and/or proposed systems.  There is a lot of overlap, so you should always examine the description of the specific job you plan on doing.

Analysts analyze.  Engineers build stuff.  But of course there can be lots of overlap.

Prerequisites for Typical Information Security Analyst:

If you have a solid understanding of networking, TCP/IP, subnetting, a little bit of server administration, malware identification and lots of system security experience, then Information Security Analyst is for you.  Organizations dealing with the federal government usually want a BS degree or specific IT certifications.

Basic Job Description of Typical Information Security Analyst:

The Information Security Analyst's responsibilities can sometimes include ensuring that system Information Security requirements are met.  Another task might be to provide support for the systems engineering life cycle, from the specification through the design of hardware or software, procurement, development, integration, test, operations and maintenance.  A further task is to provide analysis, definition and recommendation of information assurance and security requirements for advancing the Information Security technologies of the computing and network infrastructure.

Responsibilities may include but are not limited to:
• Ensure that Configuration Management (CM), Information Security governance, policy, directives, and guidance are followed.

Ensure compliance with certain security policies / standards such as:

  • Federal Information Security Management Act (FISMA)
  • NIST Special Publications (SP) 800 Series
  • Security Technical Implementation Guides (STIGs)
  • PCI
  • Sarbanes-Oxley Act
  • Risk Management Framework for DoD IT
  • ISO/IEC 27000
  • Health Insurance Portability and Accountability Act (HIPAA)

• Conduct Information System Security Engineering activities at the subsystem and system level of design

• Complete Vulnerability scans, Information System Security audits, analysis, risk assessments, vulnerability assessments, intrusion detection/prevention and log monitoring of computing resources

• Computer Network Defense:

  • Analyze TCP/IP traffic
  • Continuous monitoring of information system security
  • Incident handling
  • SIEM analysis
  • Data Loss Prevention (DLP)
  • Coordination with computer emergency response team (CERT)

• Certification & Accreditation / Risk Management Framework analysis
• Support C&A Security Test and Evaluation processes

diacap to diarmf: manage information security risk

Risk Management Framework is implemented throughout an organization.

NIST SP 800-39, Managing Information Security Risk, describes how to implement risk management within the three layers (or tiers) of an organization:

Tier 1: Organization level
Tier 2: Mission/Business Process level
Tier 3: Information System level

Tier 1: Organization Level risk management

Tier 1 addresses security from the organization's perspective. Its activities include the implementation of the first component of risk management, risk framing. Risk framing provides the context for all risk activities within the organization, which in turn affects the risk activities of tiers 1 & 2. The output of risk framing is the Risk Management Strategy. In tier 1 the organization establishes and implements governance structures that comply with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.

Tier 2: Mission/Business Process Level risk management

Tier 2 risk management activities include: 1) defining the mission/business processes that support the organization; 2) prioritizing the mission/business processes with respect to the long-term goals of the organization; 3) defining the type of information needed to successfully execute the mission/business processes, the criticality/sensitivity of that information, and its internal and external information flows.

Having a risk-aware process is an important part of tier 2. To be risk-aware, senior leaders/executives need to know: 1) the types of threat sources and threat events that could adversely affect the organization's ability to operate; 2) the potential adverse impacts on organizational operations and assets, individuals and the Nation if confidentiality, integrity or availability is compromised; 3) the organization's resilience to such an attack that can be achieved with a given mission/business process.

Tier 3: Information System risk management

From the information system perspective, tier 3 addresses the following tasks:
1) Categorization of the information system
2) Allocating the organizational security control
3) Selection, implementation, assessment, authorization, and ongoing

Chapter 3 focuses on the steps needed for a comprehensive risk management program. The tasks discussed include:
  • Risk Framing
  • Risk Assessing
  • Risk Response
  • Risk Monitoring

For more information go to: http://elamb.org/training-certification800-39-manage-information-security-risks/

DIACAP to DIARMF: Intro

The DoD Chief Information Officer (formerly the Assistant Secretary of Defense), in collaboration with the Department of the Navy CIO, has developed a DoDI 8500.2 to NIST SP 800-53 IA control mapping (2010). More is available on the DIACAP Knowledge Service.

DIACAP Knowledge Service

On the DIACAP Knowledge Service, go to “C&A Transformation”. This page introduces some of the coming changes from Certification & Accreditation to the Risk Management Framework described in NIST SP 800-37.

DIACAP has a “Risk Management Framework Transformation Initiative” underway that provides information on the use of NIST SP 800-53, NIST SP 800-37 and CNSS Instruction 1253.

The site introduces changes being made to DoDD 8500.01, DoDI 8500.2, DoDI 8510.01 and other documents that will be aligned with NIST 800 and FISMA 2013. They will feature an attempt to keep up with newly arising cyberthreats, vulnerabilities and security incidents using real-time “continuous monitoring” technologies such as HP ArcSight, McAfee ESM, ePO, NSP, Retina, Nessus and other near-real-time active monitoring systems.

Why DIACAP to DIARMF?

The federal government has gotten more serious about security.  It realizes that enterprise-level security and process is a continuous and expensive business.  The old certification & accreditation process is not only long and expensive but so slow that it cannot keep up with the constant changes of information technology.

Risk-based/cost-effective security means creating security systems and policies that focus on “adequate security”.  The Executive Branch Office of Management and Budget (OMB) defines adequate security as security commensurate with the risk, taking into account the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.  The feds are also attempting to streamline the process of implementing and evaluating security controls by creating as much paperless automation as possible.

Note, IMHO: since technology is changing at a rate of what Ray Kurzweil calls “accelerating returns”, I think for governments and organizations stuck in “static policy” based systems there is no way they can ever keep up with information technology without a revolutionary shift in thinking.  Google is probably the closest to understanding what is actually happening.  The best any of us can do is observe.

Source documents for all U.S. Federal information security:

OMB A-130 – Management of Federal Information Resources

FISMA – Federal Information Security Management Act of 2002

Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541) enacted as Title III of the E-Government Act of 2002 (Public Law 107-347)

It requires all government agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and systems that support the operations and assets of the agency, and it applies to contractors and other sources as well.

The federal government has created various acts/laws to move the C&A process toward a risk management approach and to emphasize a risk-based policy for cost-effective security. These acts include (but are not limited to):

  • Federal Information Security Management Act of 2002 (amended as of April 2013)
  • The Paperwork Reduction Act of 1995
  • The Information Technology Management Reform Act of 1996 (Clinger-Cohen Act) supported by Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources