Job posting

joemc3 Member Posts: 141
How technical are CISSP holders? CISSP is a management cert, yet this job description appears to expect some expert-level knowledge in cloud and networking.


Qualifications
Skill Requirements: The ideal candidate is an Information Assurance security professional who possesses at least 5 years of IA Security consulting experience. The desirable candidate must have experience with large Local Area Networks, Wide Area Networks, Virtual Private Cloud (VPC), as well as Security Technical Implementation Guides (STIG) compliance and must be familiar with Security Event Management, Vulnerability Management, Penetration Testing and Security Analysis.
Additionally, the ISSO must have good knowledge of the DoD Risk Management Framework and generate/maintain a System Security Plan (SSP).


Position Description: The ISSO Candidate will fully support activities within the Virtual Private Cloud (VPC). This ISSO will ensure compliance with all systems security requirements and updates, providing guidance and instruction as necessary to the existing personnel. This person will be named as, and fully responsible for, the ISSO duties associated with the Virtual Private Cloud (VPC) for the client. The ISSOs are responsible for implementing and following the client's and federal information assurance policies and guidelines for securing the client's IS. These duties include but are not limited to: ensuring all IS are operated, maintained, and disposed of in accordance with security policies and practices; supporting security requirements (we will undertake vulnerability and penetration testing on the system once installed, correct pertinent issues, and retest as required); recording any issues that would affect a production system to assist and expedite an ATO; generating and maintaining a System Security Plan (SSP), and we will provide the following security management activities; assessment of VPC encryption against FIPS 140-2 (data at rest and data in transit) status; ensuring that all users have the requisite security clearances, authorization, and need-to-know, and are aware of their security responsibilities before they are granted access to the IS; ensuring that system security requirements are complied with, unless waived, during all phases of the system lifecycle; establishing audit trails, ensuring their review, and making them available when required.


It also requires:

  • Detail NIST knowledge
  • Detail FISMA knowledge
  • FIPS 140-2 knowledge
  • Health Insurance Portability and Accountability Act (HIPAA) knowledge
  • Hands-on C&A experience
  • Vulnerability Management (hands-on/detail)
  • Penetration Testing (hands-on/detail)
  • Continuous Monitoring
  • Able to complete SSPs, POA&Ms, support audits
  • Able to multi-task, deliver on time and with quality
  • Able to handle stressful situations (if applicable)
  • Superior Customer Service
  • Excellent Communication Skills
  • Other - as identified for all the other ISSOs

Comments

  • goatama Member Posts: 181
    So where does the post mention CISSPs? Based on the language in the posting, this is most likely a DoD contractor (Raytheon or similar), and if CISSP is a requirement it's because it complies with the DoD 8570 level that they require for this job. This looks like a mid-level engineering position, though, not senior. All of those requirements are things a CISSP with 5 years of experience should know how to do.

    Unfortunately, like any cert, there are a lot of incompetent people who lie and have others lie for them to get the cert. I know a few CISSPs that couldn't do this job in a million years. And I know others that could do it in their sleep. Remember, the cert itself is not necessarily an indicator of the knowledge of the holder. It's an indicator that they were able to process enough information to pass the exam.
    WGU - MSISA - Done!!
    Next up: eCPPT, eWDP, eWPT, eMAPT
  • gespenstern Member Posts: 1,243
    I am a CISSP and I'm pretty technical. And BTW, this JD isn't that technical. This JD puts a lot of stress on various risk management and security management frameworks and regulations.

    In addition to regulations, a successful candidate should be capable of launching Tenable Nessus, reading its report and recommending which security patches to apply to address this or that, maybe launching Zenmap to scan a network; that's pretty much all the hands-on.

    From what I see, they are looking for a smooth talker with great PowerPoint presentation skills who may not know a single PowerShell cmdlet, or how some basic stuff like TLS works.
  • cyberguypr Mod Posts: 6,928
    Looks like an HPE job consulting for some .gov or similar: http://www.my.jobs/pontiac-mi/information-system-security-officer/631C182A967E4A4FB665003A87713BD2/job/?utm_campaign=.JOBS%20Sitemap%20Feed&vs=28&utm_medium=.JOBS%20Universe&utm_source=.JOBS%20Sitemap%20Feed-DE

    Asking how technical CISSPs are is the same as asking how good doctors are at advanced neurology concepts. Some are good, others are not, yet they all could be excellent physicians. I know many great GRC-heavy CISSPs that are masters at what they do yet can't tell a router from a firewall. Others are masters of all things technical but don't know the difference between SLA and ALE. The cert is so wide that it applies to anyone from a security analyst to a CISO and everything in between.

    What's missing from the post above is this:
    The ISSO candidate is required to be certified with one of the following during the period of performance of the Task Order: Certified Information Systems Security Professionals (CISSP), ISC2 Certified Authorization Professional (CAP), GIAC Security Leadership Certification (GSLC), ISACA Certified Information Security Manager (CISM), ISACA Certified Information System Auditor (CISA).

    As you can see, not one of those certs is technical. The guy that gespenstern described is what they are looking for.
  • Pmorgan2 Member Posts: 116
    Sometimes it feels a little arbitrary when you're reading the job posting, but most federal IT jobs expect you to have Security+ (level 1 or 2 jobs) or CISSP (level 3 jobs) in addition to your technical skills. There are regulations that require the federal IT workforce to have some baseline in information assurance education, and they use certification as the metric for meeting that baseline.

    Of the 13 IT job specialties in federal service, only 5ish really focus on Information Security policy. The rest of them just take policy into consideration when doing their thing.
    2021 Goals: WGU BSCSIA, CEH, CHFI | 2022 Goals: WGU MSCSIA, AWS SAA, AWS Security Specialist