
8110 Gatehouse Road, Falls Church, VA 22042


Cyber Risk Assessor III

Location: Nokes Boulevard (45745 Nokes Boulevard, Sterling, VA, 20166, US)
Posting: 621266
Schedule: Full Time

Job Description

The Cyber Risk Assessor III oversees, evaluates, and supports the assessment and advisory processes used to assure that computer systems and technology processes meet Inova’s information assurance requirements, applying a systematic process to identify protection gaps and risks affecting Inova’s Mission, Vision, and Values. Oversees and administers Information Assurance programs, the health and effectiveness metrics for those programs, and the reporting requirements established by Information Security leadership. Plans and conducts periodic assessments and evaluations of security control effectiveness. Provides recommendations to reduce or eliminate the risks arising from identified and assessed gaps in security controls, system design, and process workflow. Evaluates and reviews external party relationships as they affect Inova systems or information. Supports policy and standards review and revision. Conducts quality review of formal reports and program deliverables to ensure high-quality output that meets customer needs.

Job Responsibilities
 
  • Produces formal reports and plans associated with work products.
  • Produces and briefs formal presentations based on formal reports.
  • Plans and conducts security authorization reviews and assurance case development for initial installation of systems and networks.
  • Reviews authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network.
  • Verifies that application software, network, and system security postures are implemented as stated, documents deviations, and recommends the actions required to correct those deviations.
  • Develops security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).
  • Performs security reviews, identifies gaps in the security architecture, and develops a security risk management plan whose recommendations feed the risk mitigation strategy.
  • Performs risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
  • Provides input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
  • Verifies and updates security documentation reflecting the application/system security design features.
  • Participates in the Risk Governance process to present security risks and their mitigations and to provide input on other technical risks.
  • Ensures that plans of action and milestones (POA&Ms) or other remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
  • Assures successful implementation and functionality of security requirements and appropriate information technology (IT) policies and procedures that are consistent with the organization's mission and goals.
  • Defines and documents how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment.
  • Ensures that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary.
  • Supports necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs).
  • Ensures that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.
  • Assesses the effectiveness of security controls.
  • Assesses all the configuration management (change configuration/release management) processes.
  • Develops methods to monitor and measure risk, compliance, and assurance efforts.
  • Provides recommendations for possible improvements and upgrades.
  • Reviews or conducts audits of information technology (IT) programs and projects.
  • Applies security policies to meet security objectives of the system.
  • Applies service-oriented security architecture principles to meet organization's confidentiality, integrity, and availability requirements.
  • Performs cybersecurity testing of developed applications and/or systems.
  • Provides cybersecurity guidance to leadership.
  • Analyzes and reports organizational security posture trends.
  • Analyzes and reports system security posture trends.
  • Assesses adequate access controls based on principles of least privilege and need-to-know.
  • Verifies adequate security requirements are in place for all applications.
  • Works with stakeholders to resolve computer security incidents and vulnerability remediation compliance issues.
  • Provides advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans.
  • Advises senior management (e.g., Chief Information Security Officer [CISO], Chief Information Officer [CIO]) on risk levels and security posture.
  • Advises appropriate senior leadership or Authorizing Official of changes affecting the organization's cybersecurity posture.
  • Collaborates with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance.
  • Ensures that security improvement actions are evaluated, validated, and implemented as required.
  • Ensures that cybersecurity requirements are integrated into the continuity planning for that system and/or organization(s).
  • Interprets patterns of noncompliance to determine their impact on levels of risk and/or overall effectiveness of the enterprise's cybersecurity program.
  • Provides enterprise cybersecurity and supply chain risk management guidance for development of the Continuity of Operations Plans.
  • Recommends policy and coordinates its review and approval.
  • Develops policies and procedures to ensure information systems reliability and accessibility and to prevent and defend against unauthorized access to systems, networks, and data.
  • Participates in defining IT security requirements.
  • Plans and coordinates the delivery of an IT security awareness training program for end users at all levels in the organization.
  • Assesses effectiveness and efficiency of instruction according to ease of instructional technology use and student learning, knowledge transfer, and satisfaction.
  • Conducts learning needs assessments and identifies training requirements.
  • Develops the goals and objectives for cyber curriculum.
  • Plans instructional strategies such as lectures, demonstrations, interactive exercises, multimedia presentations, video courses, web-based courses for most effective learning environment in conjunction with educators and trainers.
  • Creates training courses tailored to the audience and physical environment.
  • Conducts periodic reviews and revisions of course content for accuracy, completeness, alignment, and currency (e.g., course content documents, lesson plans, student texts, examinations, schedules of instruction, and course descriptions).
  • Establishes and maintains communication channels with stakeholders.
  • Other duties as assigned.
Requirements

Education

Minimum Bachelor's degree OR an equivalent combination of education and experience.

Experience

Minimum 5 years in Information Assurance or a similar field, OR 7 years in system or network administration involving controls selection and gap analysis.

Certification

Minimum: any vendor-agnostic, security-oriented certification demonstrating a rigorous understanding of computer security principles, such as CISSP, HCISPP, or CISA. Alternatively, 2 or more vendor-specific certifications related to information security or information assurance from at least two different vendors.

Knowledge, Skills and Abilities (KSAs)

- Knowledge of, and training in, system analysis and assessment.

- Familiarity with healthcare-related and biomedical systems.

- Knowledge of, and training in, Knowledge and Information Management.

- Familiarity with Governance, Risk, and Compliance (GRC) principles and tools.

- Excellent interpersonal, critical-thinking, and organizational skills, and developing leadership skills. Ability to manage multiple diverse efforts across the organization, including interaction with external parties.

- Ability to advise and make recommendations based on the principles, laws, and concepts that apply to cybersecurity and privacy.

- Mastery of information technology infrastructure, systems, applications, and the principles governing their use.

- Mastery of security control evaluation, analysis methods, risk frameworks, laws, and policies, such as the NIST RMF, HIPAA, HITECH, and PCI DSS, as they relate to technology and technology processes.

- Mastery of cyber threats, including the methods and practices used against systems and networks.

- Mastery of the principles and processes for assessments, risk treatment, policy management, continuity and recovery oversight, and security training and awareness.