ShorePoint is a cybersecurity services firm with a focus on high-profile, high-threat private and public-sector customers who demand experience and proven security models to protect their data. We are seeking Compliance and Continuous Monitoring Engineers to: Provide Security Assessment & Authorization (A&A) and Information Assurance (IA) Support; Conduct Technical Security Assessments; Perform Enterprise Vulnerability Scanning & Reporting Functions; and Conduct Enterprise Vulnerability System Scanning. This is a unique opportunity to shape the growth, development and culture of an exciting and emerging company in the cybersecurity market.

Roles and Responsibilities

  • Work closely with target organizations to ensure full comprehension of the standard security controls; conduct site visits as required
  • Assist with security controls compliance assessments using established matrixes of tailored control and provide expert support in assessments of target organizations
  • Provide support to Vulnerability Management programs
  • Provide support to assessed organizations to ensure proper tracking of Plan of Action and Milestone (POA&M) items
  • Provide support and conduct annual reviews of the security controls (or some subset of the security controls) to ensure continued compliance as requested
  • Assist with establishing footholds on endpoints within monitored organizations networks in order to provide day-to-day visibility into the security posture
  • Provide expert support for the development and maintenance of develop of processes and best-practices for evaluating A&A data through a standard scorecard
  • Utilize industry standard tools for automating the review of system configuration and security control compliance
  • Conduct periodic NIST controls assessments in support of network authorization and continuous monitoring
  • Provide detailed observations from controls assessments in the form of Security Assessment Report (SAR) and Risk Assessment Report (RAR) documents
  • Employ a scan-patch-scan methodology to ensure all systems identify and receive appropriate security patches
  • Conduct vulnerability scanning using industry standard tools (e.g. Tenable Nessus) on a weekly to bi-weekly basis
  • Report scan result data to appropriate system administrators to aid in the deployment of system updates and patches
  • Develop a mitigation plan detailing a prioritized timeline for patch deployment (e.g. 30-60-90-day patch deadlines based on each finding’s severity level)
  • Conduct false positive analysis and vulnerability analysis to determine the legitimacy of all detected vulnerabilities as well as prioritize their remediation
  • Configure the identified application to effectively ingest, process, and report vulnerability data collected during assessments as well as data provided from organizations’ self-assessments
  • Conduct long term trend analysis, identifying improvements or degradations in system security
  • posture across the enterprise
  • Provide dashboard views of data roll-ups from all facets of assessed systems (e.g. risk, vulnerability data, POA&M status) in order to present high-level executive summary reports to government leadership

Required Skills

  • Must be able to perform Vulnerability and Compliance assessments on all devices identified during enterprise network scans, including: Operating systems, Oracle and MySQL Databases, and Web applications
  • Comfortable using enterprise-class network scanning tools such as: (Tenable Nessus, Tenable Security Center), database scanning tools (AppDetective and DbProtect) and Web scanning tools (Web Inspect), and should be knowledgeable about the security best practices and most common vulnerabilities that exist for each of these technologies, including SANS and OWASP Top 1
  • Experience performing enterprise-level assessment scanning of Networks, databases, and Web Applications
  • Comfortable configuring and performing host, ports and services discoveries on large enterprise networks, and identify target operating systems and applications/services based on discovery scan results
  • Experience with open source and commercial testing tools; A non-comprehensive list includes Nessus, NMAP, App Detective, Hailstorm, Guardium, and Web Inspect
  • Comfortable using, configuring, troubleshooting, and administering Tenable Security Center, Tenable Nessus (standalone), AppDetective, and Web Inspect
  • Solid understanding of the security policies used by intelligence organizations, as well as security guidelines published by the National Institute of Standards (e.g., 800-53 and 800-53a)
  • Ability to think critically and creatively. Capable of synthesizing and analyzing large amounts of scan data
  • Ability to articulate thoughts and findings in a concise and comprehensive manner

Certification Requirement

Must have one of the following certifications: ISC2, CISSP, GIAC, GCIA, or GCIH

Education Requirement

Bachelor’s degree or ten (10) years of IT experience

Security Clearance

Top Secret with SCI eligibility and ability to pass a Counter-Intelligence (CI) polygraph

Sound like the job for you?

Send us a link to your resumé or portfolio to become part of our talent pool.

Submit your resumé here!