About the Agency
The incumbent of this position serves as an Information Systems Security Officer (ISSO) and, in conjunction with the SAO system sponsors for the Scientific Computing Infrastructure (SAO-SCI) and the High Energy Astrophysics Division (HEA), is responsible for supporting information security procedures that ensure compliance with the requirements to safeguard the SAO-SCI and HEA Automated Information Systems (AIS), while optimizing protections for the confidentiality, integrity, and availability of SAO’s information system assets.
Reviews assigned log files for core/critical systems in order to identify potentially suspicious activity, including but not limited to inappropriate and failed logins and security compromises of any SAO servers or desktops.
Supports Plan of Action and Milestones (POA&Ms) and helps coordinate involvement and efforts to remediate security issues. Follows up with SAO-SCI and HEA IT staff so that POA&Ms are worked and closed in a timely manner with an emphasis on closing any Smithsonian OIG IT security findings. Keeps SAO management briefed on POA&M remediation status and closures.
Reviews system and web applications for security vulnerabilities. Works with the IT and web application staff to fix IT security weaknesses. Keeps SAO management briefed on the risks associated with high impact security vulnerabilities.
Reviews SAO critical core devices (network switches, Solaris and Linux servers, Windows servers, web servers and applications, etc.) against vendor product documentation and/or vendor websites in order to strengthen defenses or deterrents against high-impact vulnerabilities, based on timely patching of security issues flagged by US-CERT and industry sources.
Supports federal government requirements for FISMA assessments and authorizations, as implemented at the Smithsonian, by supporting annual IT Security risk assessments on the SAO-SCI and HEA Automated Information Systems (AIS).
Reviews and updates FISMA documents and artifacts as required for SAO to follow Smithsonian best practice recommendations based on:
- FIPS 140-2, Security Requirements for Cryptographic Modules
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
- System Categorization (FIPS 199)
- System Security Plan (SSP) and Annual Validated User List
- Configuration Management Plan (CMP)
- Configuration Management Compliance Reports
- System Test & Evaluation Plan (ST&E), the annual test results, and the Security Assessment Report (SAR) Summary
- Contingency Plan (CP) Annual Test Results
- Disaster Recovery Plan (DRP) Tabletop Test Results
- Risk Assessment (RA)
- Plan of Action and Milestones (POA&M) Workbook
- Authorization “Authority to Operate” Letter
- Quarterly Account Management Reports for core/critical systems
- Quarterly Log Review and Patch Reports for core/critical systems
- Vulnerability Scan Results