This job offer has been archived and is no longer available.

Information Security Consultant - CISSP Required

Posted by Enclipse Corp.

Skills sought: Consultant, Network, Consultants, Net

Project description

Title: Information Security Consulting Project

Location: Sacramento, CA

Duration: Contract Terms: Hourly W-2, CTC

US-based candidates only, local consultants preferred

Summary - This is a 4-7 month contract opportunity.

Project Overview

This State agency desires the services of a highly skilled information security consultant to conduct a security vulnerability assessment of a key application, which is part of a larger project and associated infrastructure.

The assessment will include concise documentation, findings, recommendations, and implementation guidelines and will consist of THREE PHASES:

- THE FIRST PHASE WILL BE AN ANALYSIS OF THE APPLICATION DESIGN AND DOCUMENTATION.
- THE SECOND PHASE WILL INCLUDE A VULNERABILITY ASSESSMENT OF THE INFRASTRUCTURE IN ORDER TO DETERMINE THE OVERALL EFFECTIVENESS OF THE SECURITY DEVICES AND DESIGN STRATEGY OF THE APPLICATION AND ARCHITECTURE.
- THE THIRD PHASE WILL CONSIST OF A PENETRATION TEST OF THE APPLICATION, WITH AN ATTEMPT TO DISCOVER AND EXPLOIT ANY VULNERABILITIES PRESENT WITHIN THE SYSTEM.

The consulting services engagement will assess both internal and external threats and vulnerabilities (procedural, software, hardware, and policy). The consultant will assess the security of the application in comparison with industry best practices to ensure the confidentiality, integrity and availability of services and contained data.

All findings will be identified regardless of whether or not the findings are positive or negative. For each negative finding, the consultant will identify the appropriate industry best practice, recommend the appropriate remediation action to secure the network or resources, and identify the impact (level of risk) to the organization. Where applicable, the recommendations will include system and network design modifications.

The overall strategy will include appropriate short-term and long-term recommendations. If, during the assessment, the customer provides the consultant with a response to any noted deficiency, the consultant will also include those comments in the final report. The consultant's written report will be presented to the customer in a format consistent with the requirements specified under the deliverables section.

ROLES

connections to the existing ECOM environment using Web Services Security (WS-Security) and Security Assertion Markup Language (SAML); and associated security systems.
- Perform a penetration test on:
  - Class B subnet that contains the ETF infrastructure
  - Portions of the application that reside within the DMZ; and web services in EDR core utilized by ETF context
- Review, document, and make recommendations on the configuration, security, and overall effectiveness of the following:
  - ETF design and architecture.
  - IDS/IPS system.
  - Oracle Identity and Access Management.
- Identify and exploit weaknesses through vulnerability assessment scans and penetration tests that will not cause harm to systems and data.

SKILLS & EXPERIENCES:

- Experience performing information security audit assessments and penetration testing directly relating to the tasks identified in this Statement of Work (5 years minimum required).
- Current Certified Information Systems Security Professional (CISSP) certification (indicate how many years certified).
- Experience in programming with .NET, Java, SAML and WS-Security (indicate years of experience).
- Experience in supporting Cisco Routers, Switches and Firewalls (indicate years of experience).
- Experience administering Microsoft IIS, IBM HTTP Server and WebSphere Application Server (indicate years of experience).
- Experience supporting Windows, Unix/Linux, and VMware environments (indicate years of experience).
- Experience working with intrusion detection and prevention systems (indicate type and years of experience).
- Experience in the design and deployment of large scale network systems (indicate type and years of experience).
- Experience presenting findings to all levels of staff and management (indicate years of experience, cite references, and provide copies of sanitized presentations).
- Experience in preparing formal reports (Indicate years of experience, cite references, and provide copies of sanitized reports).
- Clearly describe the candidate's overall background and experience performing vulnerability assessments, and the complexity of the networks that were evaluated that will enable the candidate to properly analyze the strengths and weaknesses of our security system (Minimum of 5 years required).

Project details

  • Contract type:

    Contract

  • Professional experience:

    Not specified

Required qualifications

Enclipse Corp.