Senior Information Security Analyst (Remote Eligible)

at Mathematica Policy Research

Washington, District of Columbia, USA

Start Date: Immediate
Expiry Date: 26 Nov, 2024
Salary: USD 90000 Annual
Posted On: 30 Aug, 2024
Experience: 5 year(s) or above
Skills: Computer Science, Information Security, Risk, Security Implementation, Interpersonal Skills, Software Development, Security Certification, ATO, Incident Response, Security, Business Units, Design Principles, Risk Assessment, Technology, Federal Agencies, Microservices
Telecommute: No
Sponsor Visa: No

Description:

Position Description:
Mathematica applies expertise at the intersection of data, methods, policy, and practice to improve well-being around the world. We collaborate closely with public- and private-sector partners to translate big questions into deep insights that improve programs, refine strategies, and enhance understanding. Our work yields actionable information to guide decisions in wide-ranging policy areas, from health, education, early childhood, and family support to nutrition, employment, disability, and international development. Mathematica offers our employees competitive salaries, and a comprehensive benefits package, as well as the advantages of being 100 percent employee owned. As an employee stock owner, you will experience financial benefits of ESOP holdings that have increased in tandem with the company’s growth and financial strength. You will also be part of an independent, employee-owned firm that is able to define and further our mission, enhance our quality and accountability, and steadily grow our financial strength. Learn more about our benefits here.
We are looking for a highly organized and tech-savvy Senior Information Security Analyst to join our IT Security, Risk and Compliance group. This individual will leverage their technical background and expertise in the application of security and privacy standards in contributing to the continuous improvement of Mathematica’s information security program while delivering client security services to projects in the public and private sectors. This role will advise project and technology teams on government and industry standards and best practices for securing applications in cloud, on-premises, and hybrid deployments, test applications according to prescribed security test plans, recommend specific tools and procedures to enhance application security and describe how project processes and procedures align with security and privacy standards. In addition, the Senior Information Security Analyst may interact directly with clients and support efforts to execute contractual requirements.

Position Requirements:

  • Bachelor’s degree in computer science, software development, cybersecurity or relevant discipline preferred. Will also consider a combination of education and computer / IT skills developed through progressively responsible positions in technology or consulting roles.
  • 5+ years of experience in security and privacy risk assessment and compliance in on-premises, cloud, and hybrid environments.
  • Possession of or ability to obtain professional certifications in information security or risk management, such as Certified Information Systems Security Professional (CISSP), CGRC – Governance, Risk and Compliance Certification, Certified Information Security Manager (CISM) or other relevant certification required. Amazon Web Services security certification desirable.
  • Expertise in federal standards and regulations-compliant security and privacy programs, and Authority to Operate (ATO) processes.
  • Expert knowledge of relevant FedRAMP and National Institute of Standards and Technology (NIST) Special Publications.
  • Experience preparing and / or reviewing ATO documentation for federal agencies.
  • Experience reviewing security control implementations and communicating security best practices and risks associated with control deficiencies in cloud-hosted and on-premises environments.
  • Ability to collaborate effectively in a highly matrixed organization in on-premises, cloud, and hybrid security implementation. Demonstrated ability to team with and partner across business units.
  • Experience reviewing information system design documentation and architecture diagrams to identify security weaknesses.
  • Demonstrated knowledge of modern application architecture design principles and frameworks such as containerization, serverless computing, microservices, and RESTful APIs.
  • Demonstrated knowledge of continuous monitoring, POA&M, and vulnerability management requirements, tools, techniques, and processes.
  • Experience with security and privacy incident response.
  • Expertise applying consulting concepts and skills when engaging project and client teams.
  • Ability to ask questions and approach a new or unfamiliar task, skill, or project with a can-do mindset.
  • Strong organizational skills and ability to work in a fast-paced, multidisciplinary, and matrixed team setting.
  • Superb interpersonal skills, with the ability to convey complex security and privacy concepts to varied audiences in verbal and written formats.

Responsibilities:

  • Engage with project teams advising on development of solutions to align with prevailing security and privacy standards, guidelines, and best practices.
  • Lead security tasks on project teams with significant client-facing security responsibilities, including establishing and maintaining compliance with contractual, FISMA, and HIPAA requirements.
  • Lead the development of client and corporate security assessment and authorization documentation (system security plans, risk assessment, security control testing reports, contingency plans, responses to third-party questionnaires and audits).
  • Lead on-premises and cloud technology risk and compliance assessments and recommend solutions to correct deficiencies.
  • Support federal clients in leading the execution of annual security and privacy assessments of third-party developed information systems, including planning and scheduling, Rules of Engagement development, security and privacy control selection, third-party penetration testing coordination, and POA&M management.
  • Translate project security and privacy compliance requirements into tasks, prioritize assignments, and develop plans and schedules to support timely delivery.
  • Contribute security oversight into early-stage information system design planning on projects.
  • Ensure project teams integrate standardized information security principles into modern application architecture development and apply security testing within CI/CD pipelines.
  • Promote use of disciplined security testing techniques, tools, and metrics across SDLC (software solution development, deployment, maintenance / operations, and disposition).
  • Interact directly with clients and partners, including HHS and large federal IT integrators, and states.
  • Develop, operationalize, and standardize security processes, including management of access to client systems and data, vulnerability management, and continuous monitoring.
  • Contribute to corporate security policies, standards, procedures, and plans, and identify opportunities to improve efficiency.
  • Actively support the advancement of organizational diversity, equity and inclusion efforts, and apply a diversity, equity and inclusion lens across job responsibilities.
  • As a federal government contractor, all staff working in our central ITS group with access to corporate computer systems are required to successfully undergo a background investigation or security clearance as a condition of employment.
  • Additional duties may be assigned as needed.

REQUIREMENT SUMMARY

Min: 5.0 / Max: 10.0 year(s)
Information Technology/IT
IT Software - Network Administration / Security
Other
Graduate
Computer science, software development, cybersecurity or relevant discipline preferred
Proficient
1
Washington, DC, USA