Wanna be responsible for IT security for an entire organization? Well here’s your chance! It looks like a great opportunity for a very experienced infosec professional interested in a managerial or business leadership position. The opportunity requires 15-20 years of experience in a security role and someone who knows network security architecture and infrastructure.

And don’t forget … if your organization is interested in posting their career opportunities here, head on over to our Job Board page for all the details. Well anyway … on to the job post.

Overview

A client of CSO Security Risk is seeking a Chief Security Officer (CSO) who will be responsible for directing activities of the corporate security function and operational risk management to enhance the value of the company and brand. The successful candidate will work closely with the VP of Infrastructure and Operations to manage security functions related to corporate information systems and data centers.

The CSO will oversee a network of employees and vendors who safeguard the company’s assets, intellectual property and computer systems. Physical protection responsibilities will include physical safety of employees and visitors, asset protection, workplace violence prevention, access control systems, video surveillance, and more. Information protection responsibilities will include firewalls, network security architecture and infrastructure, network access and monitoring policies, employee education and awareness, and more. This person must be able to develop and implement flexible security solutions, dictated by the needs of a hybrid and rapidly evolving decentralized business environment.

Roles & Functions

• Work closely with corporate executives, business managers, audit and legal counsel to understand corporate requirements related to security and regulatory compliance, and to map those requirements to current security projects
• Manage the development and implementation of global policies, processes, and guidelines related to corporate security strategy and associated architecture and engineering standards to ensure ongoing maintenance of security
• Oversee the continuous monitoring and protection of facilities, personnel and information systems. Evaluate suspected security breaches and recommend corrective actions (including incidents involving outside vendors)
• Define and implement an ongoing Risk Assessment program, which will define, identify, and classify critical assets, assess threats and vulnerabilities regarding those assets, and implement safeguard recommendations
• Assist internal audits in the development of appropriate criteria needed to assess the level of new/existing applications and/or technology infrastructure elements for compliance with enterprise security standards
• Establish and monitor formal certification programs regarding enterprise security standards relating to the planned acquisition and/or procurement of new applications or technologies
• Assist in the review of applications and/or technology environments during the development or acquisitions process to (a) assure compliance with corporate security policies and directions and (b) assist in the overall integration process regarding the company’s own technology environment
• Oversee the development of, and be the enterprise champion of, a corporate security awareness and training program
• …

Requirements

• At least 15-20 years of experience in a security role, with proven leadership experience in enterprise security
• Must have experience in a managed healthcare/HIPAA compliant company
• Must be an intelligent, articulate and persuasive leader who can serve as an effective member of the senior management team
• Able to communicate security-related concepts to a broad range of technical and non-technical staff
• Should have experience with business continuity planning, auditing, and risk management, as well as contract and vendor negotiation
• Must have strong working knowledge of pertinent law and the law enforcement community
• Must have a solid understanding of information technology and information security
• Must be an excellent public speaker who can interface effectively with external customers
• Must be a results-oriented person who can achieve tangible improvements in the corporate security arena
• Excellent technical and communications skills are a must+

For additional details and contact information on how to apply for this position, please head over to the posting on CSO Online.

#####

You can find more career opportunities over on our Job Board. Head on over there for all the details. Today’s post image is from HoneyWellNow.files.

I read an interesting article this morning over on InfosecIsland.com that discussed the security of using Skype in the enterprise. As expected it didn’t give us the magic “yes” or “no” but instead the typical “it depends.” Overall, I thought the author made a very good point in that we trust a lot of our data to third parties, as I’ve mentioned in my teleconference security post, and Skype is just another third-party. The decision to use Skype should just follow the same considerations you’d normally take when acquiring any new third-party service.

But I know … you want the magic “yes” or “no”… The article described the initial premise of “within a business environment for very specific cases.” And let’s assume that those “specific cases” don’t include discussing your top-secret plans to take over the world. I’d say go for it!

Furthermore, I’d say probably 95% of the content in our daily conversations is already publicly known (shoulders, giants, dwarfs and all), mindless dribble, gossip or basically stuff that just isn’t sensitive at all and as such it’s fine to use Skype practically all the time. No sense throwing the baby out with the bathwater…

via InfosecIsland.com

SecureState was recently asked if using Skype within a business environment for very specific cases was a good idea.

The company asking the question was unsure of the security implications and what risk would be introduced by implementing the Skype application.

Concerns over security and privacy have existed ever since Skype was launched over eight years ago. What is the consensus now regarding data protection when using Skype in the enterprise?

Continued here.

#####

What do you think? Is Skype secure enough? Trusted enough? This article’s post image was found over at ParkerLiveOnline.com.

Looks like a great job opportunity has turned up over at the NoVA Hackers Association’s  facility host. I know several of the folks that work in their security department over there and it seems like a challenging and rewarding place to work.

The Company

ICF International (NASDAQ:ICFI) partners with government and commercial clients to deliver professional services and technology solutions in the energy and climate change; environment and infrastructure; health, human services, and social programs; and homeland security and defense markets. The firm combines passion for its work with industry expertise and innovative analytics to produce compelling results throughout the entire program life cycle, from research and analysis through implementation and improvement. Since 1969, ICF has been serving government at all levels, major corporations, and multilateral institutions. More than 3,500 employees serve these clients worldwide. ICF’s Web site is www.icfi.com.

Job Description

ICF International is currently looking for a Security Engineer II with enterprise security architecture and engineering experience. This position will report directly to the Information Security Officer in the Corporate Information Technology group.

The Security Engineer II will implement, utilize and maintain security solutions related to host and network based intrusion detection and prevention, access control, system hardening, firewalls, encryption, PKI, and configuration/incident/vulnerability management. The Security Engineer II will interface with internal and external users and ICF business clients to identify, mitigate, and provide timely resolution of information security issues and events.

Qualifications

Key Responsibilities:

• Serve as an internal information security consultant to the organization
• Enforce compliance with information security policies and procedures
• Initiate, facilitate, and promote information security awareness
• Perform risk assessments and serve as an internal auditor for security issues
• Perform security assessments, penetration tests, and code reviews
• Conduct incident response and system triage
• Conduct forensic investigations of systems and network communications

Basic Qualifications:

• Bachelor’s degree
• At least 3 years of experience working in an environment performing information security related tasks as defined responsibilities or comparable experience conducting documented information security research is required.
• At least 1 year of experience scripting and/or programming experience (Python, Ruby,C, Java)
• Experience identifying and resolving security issues on computer systems
• Experience with log monitoring, analysis, and correlation
• Experience performing enterprise incident monitoring, response, and analysis
• Experience using commercial and open source security software such as Nmap, Nessus, Wireshark, Rapid7, WebInspect, Metaspl0it Framework, Ettercap, Burp Suite, etc

Special Job Conditions:

• Must be bondable
• Must be able to live 25lbs
• Must pass background check and drug screen
• Must be available for on-call incident response
• Must be available to work scheduled hours for position
• Must be available to work overtime if necessary to meet deadlines

Preferred Skills/Experience:

• Bachelor’s degree in Computer Science, Information Systems Engineering, Computer Forensics or Computer/IT related degree
• Systems Engineering, Computer Forensics, or an equivalent amount of IT industry training and/or work experience
• Web application testing and/or development experience
• Experience conducting forensic analysis and investigations
• Experience working with databases and implementing database security controls
• Experience managing Arcsight Logger and/or Arcsight ESM
• Malware analysis and reverse engineering experience
• Familiarity and understanding of Microsoft, Apple, and UNIX/Linux operating systems
• Knowledge of current NIST and Executive security policies, standards, and regulations
• Strong knowledge of TCP/IP communication, routing protocols, and client server communication technology
• Ability to apply for and be granted a Top Secret security clearance
• Any of the following certifications:
• Microsoft: MCITP, MCTS, MCPD
• Cisco: CCNA, CCNA-Security, CCNP, CCSP
• IT Governance: CISA, CISM, GSNA
• General: CISSP, SSCP, GSEC, GISP
• Linux: RHCE, LPI
• Offensive: OSCP, OSCE, OSWP, GPEN
• Forensics: EnCE, GCFE, GCFA, GREM
• ArcSight: ACSA, ACIA, ACASA, ACAIA
• Applications: GWAPT
• Incidents: GCIA, GCIH

Professional Skills:

• Able to present a professional appearance and demeanor at all times
• Strong oral and written communication and organization skills

ICF offers an excellent benefits package, an award winning talent development program, and fosters a highly skilled, energized and empowered workforce.

ICF International is an Equal Opportunity and Affirmative Action Employer – M/F/D/V

To apply for this position please visit ICF’s Career Center and search for job number 1100002525.

#####

Today’s post image is from NationalDefenseMegaDirectory.com.

Last week I noticed NIST put out another draft infosec document that they need comments on. This time the publication that needs updated is SP 800-30, Guide for Conducting Risk Assessment, Revision 1. And updated it is in need of… NIST released the original version almost 10 years ago. Then it was known as the “Risk Management Guide for Information Technology Systems.” This revision narrows the focus of the document to just risk assessment rather than the entire risk management process. As you may know SP 800-39, Managing Information Security Risk, has taken over those duties.

Over the years we’ve had several posts discussing this key document. @rybolov talked about it way back in 2008 where he discussed how NIST should not change it. SP 800-30 also made several appearances at many of the local meetups, including this ISSA DC meeting two years ago. A few months later @rybolov hit on it again in an overview post about NIST’s core publications.

NIST puts these recommendations out and many of us working around DC have to deal with them due to customer requirements. And we spend a lot of time complaining about what they should and shouldn’t be. Instead of complaining, this is our chance … again … to give some feedback.

You can grab a copy of the draft here [PDF]. Comments should be emailed to sec-cert@nist.gov by November 11th.

via GovInfoSecurity.com

The National Institute of Standards and Technology unveiled Monday its initial draft of an update to its Guide for Conducting Risk Assessment, Special Publication 800-30, Revision 1.

The update’s focus on risk assessment, one of the four steps in the risk management process, expands from the earlier version of SP 800-30 to include more in-depth information on a variety of factors essential to determining information security risk, such as threat sources and events, vulnerabilities and impact and likelihood of threat occurrence. The draft guidance describes a three-step process that includes key activities to prepare for risk assessments, activities to successfully conduct risk assessments and approaches to maintain the currency of assessment results.

Continued here.

InfosecIsland.com also had a recent article on SP 800-30 that you may want to check out if you’re looking for a different perspective.

#####

Today’s post image is from NetworkArmor.com. See ya!

The OWASP – DC/MD Local Chapter infosec meetup event last week featured Rex Booth giving an introduction to OWASP, Matt Fisher looking at web risks and assessments, and a general discussion of BlackHat and DefCon. I wasn’t able to go but Rex has recently posted his notes from this session to the OWASP – DC/MD email list for those interested. See our original post for more information.

Here is some information regarding this week’s Wednesday OWASP – DC/MD Local Chapter infosec meetup event. Upon arriving please go to the 9th floor and sign in. Someone will escort you to the meeting location (room 8S026). If you are late and can not get in, please call (202) 270-8715.

• Who: Rex Booth, Grant Thornton LLP & Matt Fisher
• What:
  • Booth – Introduction to OWASP
  • Fisher – The Big Picture: Web Risks and Assessments Beyond Scanning: This talk will focus on the need to run risk and threat model software and pick appropriate people, tools, and testing techniques to test against the threat model. In today’s resource-constrained market many organizations are simply turning to automation to test their software security without truly understanding the limitations. This talk will discuss some of the broader threat cases, testing techniques for them, and whether current state of the industry technology is effective against them.
  • Group Discussion – Security Conference Review: BlackHat & DefCon
• When: 8/20, 6:30 PM EDT
• Where: Deloitte & Touche (1001 G Street NW; Washington, DC 20001)

For more information on the OWASP – DC/MD Local Chapter, see its description in our NoVA Meetups section. See our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

Rybolov from The Guerilla CISO, a local infosec NoVA-based blog, has put together a great blog post about NIST’s latest effort to modernize SP 800-30: Risk Management Guide for Information Systems. In his post he stresses how NIST should not change this document into a “catalog of controls gap analysis” process to favor compliance management over risk management.

Overall, Rybolov is right on point! We really need to stop stressing being compliant and start focusing on risk management. Compliance should be a by-product of risk management, not the other way around.

Here is some information regarding this week’s Thursday ISSA – NoVA Chapter infosec meetup event.

• Who: David Graziano
• What: Managing the Risk Equation: Cyber Attacks and Data Loss Prevention
  • This session will investigate examples of cyber attacks, an examination of technological and psychological methodologies employed by hackers, plus proper defense-in-depth strategies to mitigate these threats. Many of these solutions will provide improved visibility and situational awareness that mitigate cyber threats as automatic enforcement of security policy.
• When: 5/15, 6:30 PM EST
• Where: Nortel Government Solutions (12730 Fair Lakes Circle, Fairfax, VA 22033)

For more information on ISSA – NoVA Chapter, see its description in our NoVA Meetups section. Here are links to the post about this meetup.