Security Consultant, FedRAMP Assessment | Remote US
About Coalfire
Coalfire is on a mission to make the world a safer place by solving our clients’ toughest cybersecurity challenges. We work at the cutting edge of technology to advise, assess, automate, and ultimately help companies navigate the ever-changing cybersecurity landscape. We are headquartered in Denver, Colorado with offices across the U.S. and U.K., and we support clients around the world. But that’s not who we are – that’s just what we do. We are thought leaders, consultants, and cybersecurity experts, but above all else, we are a team of passionate problem-solvers who are hungry to learn, grow, and make a difference. And we’re growing fast. We’re looking for a Consultant to support our FedRAMP Assessment team.
Position Summary
The Security Consultant will work as part of a team assessing the security and compliance of client firms against regulatory and industry requirements and standards, and against security best practice frameworks. This role will have a strong understanding of framework requirements, perform audits/assessments, and develop reports for clients. They will work closely with Project Managers, Senior Managers, Directors, and other Delivery team members to effectively manage project timelines and deliverables.
What You'll Do
- Work collaboratively with a team of assessors as a compliance specialist in at least one area of expertise and assist with the planning of assessment for clients.
- Draft audit programs that sufficiently address both the required objectives of the regulatory body and the complexity of the client environment.
- Autonomously lead interview and inquiry walkthroughs with clients to determine the conformity of environments against stated requirements.
- Assess security vulnerabilities against the appropriate security frameworks.
- Act as first-level reviewer of drafted audit planning and reporting materials.
- Pursue and corroborate conclusions derived from inquiry procedures with clients while ensuring diligent interview notes are captured.
- Inspect client-provided documentation as evidence, offline and remotely; appropriately mark artifacts requiring follow-up or additional clarification.
- Assess client-provided documentation for compliance with a variety of standards.
- Prepare and review assessment reports.
- Educate and interpret compliance activities for clients.
- Manage priorities and tasks to achieve delivery utilization targets.
- Ensure quality products and services are delivered on time per Coalfire quality standards.
- Pursue continuous professional development; maintain industry-specific certifications, depth of knowledge, credentials, and designations.
- Collaborate with project managers, quality management and/or other delivery team members to drive customer satisfaction and meet project deliverables.
- Establish and maintain positive collaborative relationships with clients and stakeholders.
- Identify upsell and cross-sell opportunities; escalate to appropriate leadership.
- Execute examine, interview, and test procedures in accordance with the appropriate control.
- Ensure cybersecurity policies are adhered to and that required controls are implemented.
- Review and assess respective information system security plans to ensure control requirements are met.
- Understand how to apply quality standards and adhere to a minimum benchmark for quality assurance throughout the documentation of each work product or deliverable.
- Provide advice to customers on issues affecting the scope of work in a manner that provides additional value.
- Develop documentation and author recommendations associated with your findings on how to improve the customer’s security posture in accordance with appropriate controls.
What You'll Bring
- Minimum 2-3 years of experience in the IT industry, with strong familiarity with the applicable NIST Special Publications 800-37 Revision 2, 800-53 Revision 4 and/or 5, and 800-53A Revision 4.
- Technical and detailed understanding of NIST 800-53 Rev 4 and 5 AT, CA, CM, CP, IR, MA, MP, PE, PL, PS, RA, SA, SI control families.
- Ability to lead testing sessions for assigned controls.
- Ability to independently research a technical topic and develop logical testing approaches to validate 800-53 control implementations.
- Ability to assist team members with proper artifact collection and to give clients detailed examples of artifacts that will satisfy assessment requirements.
- Ability to read and interpret all control families.
- Read and interpret firewall rulesets and network/boundary/data flow diagrams.
- Strong written and verbal communication skills including the ability to explain technical matters to a non-technical audience.
- Strong personal initiative to appropriately manage time and meet deadlines.
- Strong consulting skills; ability to advise and challenge the status quo while building strong relationships.
- Ability to build high-trust relationships and credibility quickly.
- Able to maintain a high attention to detail.
- Ability to facilitate meetings to small or large groups.
- Adept in handling conversations in a diplomatic and broad-minded fashion.
- Strong technical research skills.
- Willingness to travel 20%.
- Bachelor's degree (four-year college or university) in IT or business, or equivalent combination of education and work experience.
Bonus Points
- Expertise in security frameworks and regulatory requirements (such as FedRAMP, StateRAMP, SOC 2, ISO, NIST, COBIT, HIPAA/HITECH, HITRUST or PCI).
- Experience working with technologies hosted via cloud computing environments (e.g., Amazon Web Services, Microsoft Azure, Google Cloud Platform).
- Experience reviewing Nessus output, along with basic knowledge of networking components and various operating systems in a cloud environment, including UNIX and Microsoft.
- Expertise in other Security Frameworks (ISO, NIST, COBIT, HIPAA/HITECH, etc.) and regulatory requirements.