This class is responsible for optimizing and maintaining operational security for the Department of Health & Social Services’ (DHSS) information security policy program to ensure information systems, security policies, standards and procedures are established and followed in compliance with department, state and federal mandates for properly securing electronic information. Work includes understanding the impact of security requirements on component systems and department mission. DHSS is the State’s largest cabinet department with hundreds of information systems, thousands of users both internal and external, and handles some of the State’s most complex transmission systems of highly confidential data protected by both state and federal mandates.
Nature and Scope
Under the direction of an administrative supervisor, a class incumbent is responsible for developing, implementing, and enforcing information security policies, standards, best practices and procedures in order to keep departmental systems and data secure. Work includes conducting security assessments and developing security measures to safeguard information against accidental or unauthorized violations and disclosures. A class incumbent is responsible for evaluating security solutions to confirm the proposed product will meet state and federal security requirements for the processing and storage of sensitive information. A significant aspect of work includes providing technical expertise to management in ensuring overall security policy program objectives are executed consistent with program expectations and support all business and regulatory requirements. A significant portion of DHSS’ electronic data and systems fall under the Health Insurance Portability and Accountability Act (HIPAA) and the storage and transmission of electronic Protected Health Information (ePHI). Via security policy development, technical expertise, and familiarity with compliance requirements, a major responsibility of class incumbents is ensuring the integrity of data and systems relating to access, storage, and transmission of data both within DHSS systems and to external systems. In addition, the incumbent participates in all information security audits, investigations and incident management in response to perceived threats and attempted and successful security breaches by staff, hackers and malicious or misdirected software. Contacts include department management, staff, DTI, business leaders, contractual staff and others to provide expert security policy assistance and coordinate security activities across divisions.
Essential functions are fundamental, core functions common to all positions in the class series and are not intended to be an exhaustive list of all job duties for any one position in the class. Since class specifications are descriptive and not restrictive, incumbents can complete job duties of similar kind not specifically listed here.
Develops, implements, and enforces DHSS’ information security policies, standards, best practices and procedures for complex systems and data including that which requires compliance with federal and state regulations for HIPAA and ePHI department-wide.
Conducts security risk assessments and gap analysis on systems and operational requirements to evaluate effectiveness, and identify vulnerabilities and non-compliance.
Makes recommendations on corrective action to security requirements and system designs to resolve issues; evaluates security solutions to confirm they meet department, state and federal security requirements for processing confidential and sensitive information.
Develops security policies and procedures for reviewing and approving new requirements and specifications for procurement of major systems.
Develops and updates systems security plans and reports such as the System Security Plans (SSP) and Safeguards Procedures Report (SPR) and the Safeguard Activity Report.
Performs security and internal control reviews on sensitive systems and develops unique security tools and techniques for assessment of complex/non-standard systems and operational requirements.
Completes security authorization packages for systems users to include security plans, assessment reports and a continuous monitoring plan/assessment schedule.
Provides assistance to department staff on security policy and conducts security related training.
Ensures compliance of department security operations with external entities such as the Center for Medicare and Medicaid Services, Internal Revenue Service, Payment Card Industry Data Security Standards and Delaware State Personally Identifiable Information data security requirements. Prepares policies and procedures to ensure the secure transmission of DHSS data to external entities.
Prepares and coordinates security audits, investigations and incident management.
Knowledge, Skills and Abilities
The intent of the listed knowledge, skills and abilities is to give a general indication of the core requirements for all positions in the class series; therefore, the KSAs listed are not exhaustive or necessarily inclusive of the requirements of every position in the class.
Knowledge of concepts, processes, platforms, and best practices of department information technology systems and data security.
Knowledge of information technology systems areas that interface with security platforms and processes.
Knowledge of department, state and federal mandates as they apply to the storage and transmission of electronic information.
Skill in evaluating security solutions to meet state security requirements for processing and storing sensitive information.
Skill in conducting security risk assessments and gap analysis on systems and operational requirements.
Skill in identifying and articulating appropriate security measures and issues as they relate to department information technology systems and data.
Ability to work with conceptual security structures, outlines, and models.
Ability to understand and interpret federal and state security requirements and the impact of security requirements on component systems and department mission.
Ability to communicate effectively orally and in writing.
Ability to write clear, concise and informative reports.
Ability to elicit information, evaluate findings and recommend corrective action.
JOB REQUIREMENTS for DHSS Information Security Policy Officer
Applicants must have education, training and/or experience demonstrating competence in each of the following areas:
Three years’ experience in developing, implementing, and enforcing Federal and State IT security policies, standards, best practices and procedures.
Three years’ experience in maintaining information security by conducting assessments/audits and analysis of information systems to identify security risks and needed changes/upgrades; evaluating IT security measures and performing internal security control reviews; developing security reports; preparing corrective actions to audit and other findings; and recommending improvements to security solutions.