
Senior Cybersecurity Auditor

RTI International
$137,000 - $160,000
parental leave, paid time off, 401(k)
United States, North Carolina, Charlotte
Feb 18, 2026
Why RTI

RTI International is an independent, scientific research institute dedicated to improving the human condition. Our vision is to address the world's most critical problems with technical and science-based solutions in pursuit of a better future. Clients rely on us to answer questions that demand an objective and multidisciplinary approach, one that integrates expertise across social, statistical, data, and laboratory sciences, engineering, and other technical disciplines to solve the world's most challenging problems.

We believe in the promise of science and technical solutions, and we push ourselves every day to deliver on that promise for the good of people, communities, and businesses in the US and around the world. If you are looking for the opportunity to make a real difference, RTI is the place for you.


About the Hiring Group

The person in this role will be part of the Office of the Chief Information Officer (OCISO) Compliance team. This role is responsible for planning and performing audits of information systems and related processes in a multi-platform environment, including coordination, scheduling, and delivery of all compliance work products. The candidate must be able to interact directly with internal and external clients, manage resources, meet deadlines, assist management in the identification and assessment of technology related risks, report on the adequacy of risk-based controls, evaluate technology and business-related controls for integrated IT and business auditing efforts, and provide regular status and service-level reports to management. The candidate should have experience managing delivery of work products while working with Federal Government clients and have extensive experience with the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF, i.e. NIST 800-37 and 800-53).


What You'll Do

Essential Duties:

  • Author project security authorization packages that must comply with FISMA and the NIST Risk Management Framework.
  • Create, collect information, and maintain a security assessment Evidence Library.
  • Formulate recommendations to resolve problems impacting the quality and effectiveness of security controls.
  • Participate in information security working groups.
  • Propose changes to existing policies and procedures to ensure operating efficiency and regulatory compliance.
  • Assist resource owners and IT staff in understanding and responding to security audit failures reported by auditors.
  • Manage delivery issues and participate in problem and change management meetings.
  • Work with various stakeholders and identify information asset owners to classify data and systems as part of a control framework implementation.
  • Serve as an active and consistent participant in the information security governance process.
  • Work with the CISO and Cybersecurity Compliance Manager and business stakeholders to define metrics and reporting strategies that effectively communicate successes and progress of the security program.
  • Manage outsourced vendors that provide information security assessment and auditing functions for compliance with contracted service-level agreements.
  • Participate in new system development and implementation reviews by reviewing project documentation, conducting interviews, and assessing work completed.
  • Ensure that development efforts are in compliance with organizational policies, standards and procedures, and controls are adequately incorporated into the systems.
  • Work with outside auditors to help reconcile discrepancies or support the external auditing functions and local, federal examinations. May be responsible for developing and implementing tools to support automated audit effort. May perform due diligence and special review(s) work as required by management.
  • Plan and perform compliance and internal control audits within each division of RTI.
  • Review policies, standards and procedures and provide advice on their adequacy, accuracy and compliance with existing guidelines and regulatory requirements (e.g. FISMA, HIPAA, etc.) and assist in the preparation of ITS Security and Compliance policies.
  • Support ITS Security in preparing proposal documents and certification and accreditation efforts. Identify areas of opportunity for process, control or cost improvement and make recommendations to management.
  • Assist management in the identification and assessment of technology related risks, and reporting on the adequacy of risk-based controls.
  • Support the Corporate Office of Internal Audit and external auditors throughout their audit engagements.
  • Ensure that all audit related process documentation and risk assessments are regularly updated.
  • Work on multiple auditing projects as a project leader or subject matter expert.
  • Work on projects/issues of high complexity that require demonstrated knowledge across multiple technical areas and business functions.
  • Review security requirements for project Requests for Proposal (RFPs), Privacy Certificates, Data Management Plans and Infrastructure Security Questionnaires.
  • Participate in new system development and implementation reviews as needed.
  • Ensure that development efforts are in compliance with RTI policies, standards and procedures, and controls are adequately incorporated into the systems.

What You'll Need

Education & Experience Requirements:

Bachelor's Degree and 8 years of experience, Master's degree and 6 years of experience, PhD and 1 year of experience, or equivalent combination of education and experience.

Skills & Abilities:

Below are skills and abilities required to perform the essential duties of this job. An addendum that clarifies additional skills and abilities for incumbents in this job may be used in addition to this description.

  • At least one IT security certification is highly preferred (Security+, Certified Information Systems Security Professional (CISSP), GIAC Security Essentials (GSEC), Systems Security Certified Practitioner (SSCP), Certified Information Security Manager (CISM), and Certified Information Systems Auditor (CISA)).
  • Knowledge of information security principles, including risk assessment and management, threat and vulnerability management, incident response, and identity and access management.
  • This position is as much personal interaction as it is technical. Candidates should have excellent verbal and written communication skills, ability to work well under minimal supervision and work in a team oriented environment. You should be able to gather requirements from non-technical staff and translate that information into technical documentation to be used by developers and engineers.
  • Strong analytical and problem-solving skills to enable effective security incident and problem resolution are essential.
  • Excellent knowledge of MS Word, Outlook, PowerPoint, Excel.
  • Working knowledge of generally applicable and accepted auditing standards and framework (e.g., COBIT) and best practices for IT services management (e.g., ITIL), government guidelines and laws (e.g., Sarbanes-Oxley Act).
  • Ability to manage multiple priorities.
  • Ability to work well with others.
  • Ability to listen and communicate well both verbally and in writing.
  • Ability to work independently.
  • Attention to detail and accuracy.
  • Ability to obtain proper security clearances as noted by contracts.
  • Ability to obtain a DOD Secret Security Clearance.
  • Demonstration of the RTI Values and Lead Forward behaviors by all employees is critical to the Institute's success. Behaviors associated with our Values and Lead Forward can be found on RTI Insider and Careers page.

EEO & Pay Equity Statements

For San Francisco, CA USA Job Postings Only: Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records. Further information is available here.

RTI accepts applications to our job openings from candidates with criminal histories or conviction records in accordance with all applicable laws, including the Los Angeles County Fair Chance Ordinance for Employers and the California Fair Chance Act.

For Applicants in Massachusetts Only: It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.

The anticipated pay range for this role is listed below. Our pay ranges represent national averages and may vary by location as a geographic differential may be applied to some locations within the United States. RTI considers multiple factors when making an offer including, for example: established salary range, internal budget, business needs, and education and years of work experience possessed by the applicant. Further, salary is merely one element to our offer.

At RTI, we demonstrate our commitment to rewarding individual and team achievement through a total rewards package. This package includes (among other things) a competitive base salary, a generous paid time off policy, merit based annual increases, bonus opportunities and a robust recognition program. Other benefits include a competitive range of insurance plans (including health, dental, life, and short-term and long-term disability), access to a retirement savings program such as a 401(k) plan, paid parental leave for all parents, financial assistance with adoption expenses or infertility treatments, financial reimbursement for education and developmental opportunities, an employee assistance program, and numerous other offerings to support a healthy work-life balance.


Equal Pay Act Minimum/Range

$137,000 - $160,000