
CL - Security Analyst - Consultant

Employer active

1 vacancy

Monthly salary

Not disclosed

Number of vacancies

1 vacancy

Job description

Job ID: 2643481

Job Description: NA NA

SCOPE OF THE PROJECT:
DHEC actively strives to keep in compliance with PCI DSS standards. The PCI compliance analyst will manage the agency's PCI compliance and other compliance-related systems under the guidance of the Chief Information Security Officer and PCI project management team. This position will aim to maintain PCI compliance and lower the agency's overall risk profile. This position will work closely with the Security Operations Center (SOC), Server Hosting Team, and Application Teams to review vulnerability reports, investigate solutions, test solutions and their impacts to other environments, follow the agency's Change Management process, implement solutions, and track and document remediation.

Candidates should be self-motivated and team-oriented, work under limited supervision, and respond to priority tasks as needed.

DAILY DUTIES / RESPONSIBILITIES:
The system engineer will be responsible for managing the discovery, analysis, tracking, and remediation of vulnerabilities across the agency's technology systems.
Responsibilities include:
Maintain and improve the vulnerability management process.
Develop solutions and automated methods to reduce manual and repetitive tasks.
Follow a mature change management process, preparing change management requests and presenting requests to the change management board for approval.
Work closely with key stakeholder groups including the SOC to ensure appropriate levels of engagement and focus are maintained.
Plan and implement technical changes without unexpected disruption to the service and with minimal oversight.
Create, maintain, and review operational processes and support documentation.
Adheres to Information Technology application development standards and security requirements.
Prepare and maintain system documentation and architecture diagrams as assigned.
Ability to plan, organize, review, and implement associated project milestones to completion.
Requires mastery of technical and business knowledge in multiple disciplines/processes.
Create supporting project and system documentation.
Provide updates to the Project Team.
Assist with development of policies and procedures to conform and comply with agency standard cyber security policy design related to information risk management, designation of data as to criticality, confidentiality, and protection. (NIST NA053, FISMA, SC InfoSec Requirements, etc.)
The position will be utilized for 40 hours per week for the duration of this project. The selected candidate should be able to work flexible hours where it may be necessary for work to be completed outside traditional business hours.
The candidate will work closely with the CISO and PCI project team to identify, prioritize, and schedule changes to the agency's PCI environment to support PCI compliance. The candidate will work closely with customer and subject matter experts for the system design migration to the new framework and testing.

This will also include compliance to DHEC security policy/procedures as well as integrating systems when possible to streamline staff workflows, user security, and data correction.

Module support of the project.
DHEC will require that selected personnel sign the DHEC confidentiality agreement and/or Business Associate (BA) agreement if applicable. All web services must be secure.
DHEC will not accept any offers including an uplift charge. The rate paid per consultant must not exceed the maximum rate established for this position described in the State contract terms.
Contractors must be onsite during each week throughout the term of the contract.
Follow agency IT standards, policies, and procedures, to include documentation.
All source code (compiled and uncompiled) will become the sole property of the South Carolina Department of Health and Environmental Control. Any source code, data, product, or functionality resulting from this SOW or previously owned/developed by DHEC will remain the sole property of DHEC and is not to be incorporated into the core product of any vendor's application. Any modifications and interfaces developed under said contract will not be used by the contractor for any independent project of the contractor or published or publicized by the contractor without written permission of DHEC.
DHEC has the final say on all programming choices.

Payment Schedule:
All timesheets shall be entered and approved in a timely manner per State contract terms. The State will not pay any extra costs (i.e. travel, employee benefits, insurance, room and board, etc.) for temporary employees under this contract.

DHEC Support:
DHEC will provide:
All required information, including formulas, data, and mechanisms to check output.
Staff to assist with any application or data questions.
Conference rooms and scheduling for any application demos.
Workstation and required software.

REQUIRED SKILLS (RANK IN ORDER OF IMPORTANCE):
1. EXPERIENCE IN PROJECTS INVOLVING PCI/NIST SECURITY IMPLEMENTATIONS AND/OR AUDITS.
2. KNOWLEDGE OF INFORMATION TECHNOLOGY FIELD BEST PRACTICES, ORGANIZATION, AND OPERATIONS; FAMILIARITY WITH VULNERABILITY MANAGEMENT REPORTS AND TOOLS (NESSUS, CLOVER SECURITY, ETC.)
3. KNOWLEDGE OF NETWORKING PROTOCOLS INCLUDING TCP/IP, HTTP, NTP, DNS, MLLP, NDM
4. SECURITY KNOWLEDGE IN NETWORKING, DATABASES, SYSTEMS, AND WEB OPERATIONS
5. VULNERABILITY SCANNING
6. MICROSOFT ACTIVE DIRECTORY.
7. ITIL INCIDENT AND PROBLEM MANAGEMENT PROCESSES
8. NIST CONFIGURATION MANAGEMENT CONTROLS
9. EXPERIENCE WITH SECURITY AND DATA CLASSIFICATION RELATED TO CDC, HIPAA, AND CJIS

PREFERRED SKILLS (RANK IN ORDER OF IMPORTANCE):
1. Experience with network vulnerability scanning and penetration testing.
2. Knowledge of Information Security best practices.
3. Ability to establish positive working relationships with technical staff, customers, and others involved in datacentric management.
4. Excellent written, oral, and interpersonal communication skills
5. Knowledge of Information Technology Field best practices, organization, and operations
6. Experience with SolarWinds, LanSweeper, AD
7. Ability to integrate technical systems with agency goals and objectives.
8. Experience working with PCI environments
9. Security Certification (CISSP, CRISC, CEH)

REQUIRED EDUCATION:
Bachelor's or Master's degree in a relevant field of work and/or equivalent work experience.
Skills:

| Category | Name | Required | Importance | Level | Last Used | Experience |
|---|---|---|---|---|---|---|
| Education | NIST Configuration Management Controls | Yes | 8 | Advanced | Currently Using | 2-4 Years |
| Miscellaneous | Knowledge of Information Technology field best practices, organization, and operations | Yes | 2 | Expert | Currently Using | 4-6 Years |
| Network Security | Experience in projects involving PCI/NIST security implementations and/or audits | Yes | 1 | Expert | Currently Using | 4-6 Years |
| Network Security | Security knowledge in networking, databases, systems, and Web operations | Yes | 4 | Expert | Currently Using | 4-6 Years |
| Protocols | Knowledge of networking protocols including TCP/IP, HTTP, NTP, DNS, MLLP, NDM | Yes | 3 | Expert | Currently Using | 4-6 Years |
| Specialties | Experience with security and data classification related to CDC, HIPAA, and CJIS | Yes | 9 | Expert | Currently Using | 4-6 Years |
| Specialties | ITIL Incident and problem management processes | Yes | 7 | Advanced | Currently Using | 2-4 Years |
| Specialties | Microsoft Active Directory | Yes | 6 | Advanced | Currently Using | 2-4 Years |
| Specialties | Vulnerability Scanning | Yes | 5 | Expert | Currently Using | 4-6 Years |

Employment type

Full time
