DataLock Consulting Group · 1 month ago
Security Penetration Tester
United States
Full-time
Remote
Mid, Senior Level
4+ years expDataLock Consulting Group is a technology company seeking a Security Penetration Tester to conduct security control assessments and determine the effectiveness of security controls and vulnerabilities. The role involves developing security assessment plans, performing audits, and ensuring continuous monitoring of security systems.
ComplianceConsultingCyber SecurityInformation TechnologySecurityTraining
Responsibilities
Develop, document and review System Rules of Engagement (ROE), Security Assessment Plans (SAPs) and Security Assessment Reports (SARs)
Have a working knowledge of the FedRAMP Penetration Guidance and Requirements
Develop associated schedules and resource plans to complete the assessments
Perform quality control on the assessment and associated deliverables
Participate as an individual contributor for complex system assessments
Develop practical and risk-based approaches for security control implementation and vulnerability remediation
Work closely with ISSOs (contractors and Government) and the technical team and ensure all appropriate A&A supporting documentation is provided prior to conducting the assessment
Review and provide feedback system boundaries, common controls, the security categorization of information systems, applicable security control baseline based on system categorization
Conduct/participate in Security Assessment Kickoff briefings and SAR briefings
Review cyber/system/network security body of evidence and documentation for accuracy and completeness
Conduct security controls assessment of applicable security controls and privacy controls; assess implemented security controls and provide assurance that they are operating as intended
Analyze security control findings for information systems and applications to convey weaknesses
Document security assessment results accurately; read, understand, and convey vulnerabilities found during the assessments
Create security assessment results and document recommendations in a SAR for remediations and security control measures
Perform audits of each system and provide an authorization recommendation based on determination of risk to the customer
Audits will include unprivileged and privileged scans against each applicable system
Audits will include unprivileged and privileged database scans against each applicable database management system (DBMS)
Perform quality control on the assessment and associated deliverables
Conduct Post Assessment Meetings with the customer
Provide Plan of Action and Milestones (POA&M) support to ensure mitigations are completed or the teams are working to mitigate all vulnerabilities in a timely fashion and within customer policy timelines
Develop and maintain a schedule for conducting reoccurring Continuous Monitoring and ongoing CDM efforts once the initial assessments are complete
Perform continuous monitoring to ensure implemented security controls remain functional throughout the lifecycle of the information system
Qualification
Required
2+ years' experience as a lead penetration tester
4+ years' experience performing security testing and/or security control assessments
4+ years' experience with developing and documenting the ROEs, SAPs, and SARs
4+ years' experience and expert knowledge of the NIST Cybersecurity Framework, Risk Management Framework, FIPS, and other NIST A&A publications
4+ years' of experience utilizing NIST 800-53 and 800-53A
Experience conducting Penetration Tests in a commercial and or federal environment
Experience assessing and providing recommendation on the following: Privacy Impact Assessment, Risk Assessment, System Security Plan, Disaster Recovery / Contingency Plan, and Incident Response Plan
Knowledge of the Systems Development Life Cycle (SDLC) and its application in the development of technology solutions
Knowledge and skills to perform and document the assessment
Experience with tools such as Nessus, Web Inspect, Db Protect and Splunk
Technical background with Windows, Unix, legacy systems, databases, web servers/applications, cloud and virtualization environments
Familiar with the cloud environments (services/security) and FedRAMP A&A process
Familiar with FedRAMP Penetration Testing Guidance
Effective verbal and written communication skills with ability to effectively communicate with all levels of users and teammates both written and verbally
Effective technical writing and documentation processing skills
BS/BA degree in Information Technology or related cyber/cyber-security field
Must possess one of the following certifications: Cisco Certified Network Professional CCNP / Security, CompTIA Advanced Security Practitioner (CASP+), Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), CISSP-Information Systems Security Engineering Professional (CISSP-ISSEP), SANS GIAC Penetration Tester (GPEN), Open Web Application Security Project Penetration Tester (OWASP), GIAC Certified Enterprise Defender (GCED), Certified Ethical Hacker (CEH), Cisco Certified Network Associate-Cyber-Ops (CCNA Cyber Ops), Computer Hacking Forensics Investigator (CHFI), GIAC Certified Forensic Analyst (GCFA), CompTIA PenTest+, OffSec Certified Professional (OSCP), OffSec Web Expert (OSWE), OffSec Experienced Pentester (OSEP), OffSec Web Assessor (OSWA), Certified Professional Penetration Tester (eCPPT), Web Application Penetration Tester (eWPT), Web Application Penetration Tester eXtreme (eWPTX), Hack the Box Certified Penetration Testing Specialist (HTB CPTS), Burp Suite Certified Practitioner
Company
DataLock Consulting Group
DataLock Consulting Group is a cybersecurity consulting firm that offers cloud security, program management, and training solutions.
11-50 employees
Funding
Current Stage
Early StageLeadership Team
Zyad Nabbus
Chief Executive Officer
Company data provided by crunchbase