- Hourly / - BiWeekly /
- Monthly / $89,727.00-$150,415.00 Yearly
SKILLED
SERVICE BARGAINING UNIT:
G NCP
A Department of Information Technology
(DoIT) Cyber Defense Incident Responder II is the full performance level of
work in the Office of Security Management (OSM). Responsibilities include handling escalated
security incidents and supporting the investigation and remediation of these
events, proactive threat hunting, capability development, and operational
continuous improvement. Positions in this classification do not supervise other
positions.
Employees in this classification
receive general supervision from a DoIT Cyber Defense Incident Responder
Manager or an Executive Cyber Leadership Director.
Position placement in
this classification is determined by the Classification Job Evaluation Methodology.
The use of this method involves comparing the
assigned duties and responsibilities of a position to the job criteria found in
the Nature of Work and Examples of Work sections of a classification
specification.
The
DoIT Cyber Defense Incident Responder I and the DoIT Cyber Defense Incident Responder II are
differentiated based on the degree of supervisory control exercised by the manager
over these employees. The DoIT Cyber Defense Incident Responder I
performs these duties under moderate supervision. The DoIT Cyber Defense Incident Responder II performs
the full range of duties under general supervision. The DoIT Cyber Defense Incident Responder II
differs from the DoIT Cyber Defense Incident Responder Ld/Adv in
that the DoIT Cyber Defense Incident Responder Ld/Adv
handles cases of a more complex nature or leads lower-level DoIT Cyber Defense Incident Responders.
Coordinates
and provides expert technical support to enterprise-wide cyber defense
technicians to resolve cyber defense incidents;
Correlates
incident data to identify specific vulnerabilities and make recommendations
that enable expeditious remediation;
Performs
analysis of log files from a variety of sources (e.g., individual host logs,
network traffic logs, firewall logs, and intrusion detection system [IDS] logs)
to identify possible threats to network security;
Performs
cyber defense incident triage, to include determining scope, urgency, and
potential impact, identifying the specific vulnerability, and making
recommendations that enable expeditious remediation;
Performs
cyber defense trend analysis and reporting;
Performs
initial, forensically sound collection of images and inspect to discern
possible mitigation/remediation on enterprise systems;
Performs
real-time cyber defense incident handling (e.g., forensic collections,
intrusion correlation and tracking, threat analysis, and direct system
remediation) tasks to support deployable Incident Response Teams (IRTs);
Receives
and analyzes network alerts from various sources within the enterprise and
determine possible causes of such alerts;
Tracks
and documents cyber defense incidents from initial detection through final
resolution;
Writes
and publishes cyber defense techniques, guidance, and reports on incident
findings to appropriate constituencies;
Employs
approved defense-in-depth principles and practices (e.g., defense-in-multiple
places, layered defenses, security robustness);
Collects
intrusion artifacts (e.g., source code, malware, Trojans) and use discovered
data to enable mitigation of potential cyber defense incidents within the
enterprise;
Serves
as technical expert and liaison to law enforcement personnel and explain
incident details as required;
Coordinates
with intelligence analysts to correlate threat assessment data;
Writes
and publishes after action reviews;
Monitors
external data sources (e.g., cyber defense vendor sites, Computer Emergency
Response Teams, Security Focus) to maintain currency of cyber defense threat
condition and determine which security issues may have an impact on the
enterprise;
Coordinates
incident response functions;
Performs
other related duties.
Knowledge of computer networking
concepts and protocols, and network security methodologies;
Knowledge of risk
management processes (e.g., methods for assessing and mitigating risk);
Knowledge of laws,
regulations, policies, and ethics as they relate to cybersecurity and privacy;
Knowledge of cybersecurity
and privacy principles;
Knowledge of cyber threats
and vulnerabilities;
Knowledge of specific
operational impacts of cybersecurity lapses;
Knowledge of data backup
and recovery;
Knowledge of business
continuity and disaster recovery continuity of operations plans;
Knowledge of host/network
access control mechanisms (e.g., access control list, capabilities);
Knowledge of network
services and protocols interactions that provide network communications;
Knowledge of incident categories,
incident responses, and timelines for responses;
Knowledge of incident
response and handling methodologies;
Knowledge of intrusion
detection methodologies and techniques for detecting host and network-based
intrusions;
Knowledge of network
traffic analysis methods;
Knowledge of packet-level
analysis;
Knowledge of system and
application security threats and vulnerabilities (e.g., buffer overflow, mobile
code, cross-site scripting, Procedural Language/Structured Query Language
[PL/SQL] and injections, race conditions, covert channel, replay,
return-oriented attacks, malicious code);
Knowledge of what
constitutes a network attack and a network attack’s relationship to both
threats and vulnerabilities;
Knowledge of cyber defense
and information security policies, procedures, and regulations;
Knowledge of different
classes of attacks (e.g., passive, active, insider, close-in, distribution
attacks);
Knowledge of cyber
attackers (e.g., script kiddies, insider threat, non-nation state sponsored,
and nation sponsored);
Knowledge of system
administration, network, and operating system hardening techniques;
Knowledge of cyber-attack
stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation
of privileges, maintaining access, network exploitation, covering tracks);
Knowledge of network
security architecture concepts including topology, protocols, components, and
principles (e.g., application of defense-in-depth);
Knowledge of OSI model and
underlying network protocols (e.g., TCP/IP);
Knowledge of cloud service
models and how those models can limit incident response;
Knowledge of malware
analysis concepts and methodologies;
Knowledge of an
organization's information classification program and procedures for
information compromise;
Knowledge of network
protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS),
and directory services. K0565 Knowledge of the common networking and routing
protocols (e.g. TCP/IP), services (e.g., web, mail, Domain Name System (DNS),
and how they interact to provide network communications;
Knowledge of Application
Security Risks (e.g. Open Web Application Security Project Top 10 list);
Skill in identifying,
capturing, containing, and reporting malware;
Skill in preserving
evidence integrity according to standard operating procedures or national
standards;
Skill in securing network
communications;
Skill in recognizing and
categorizing types of vulnerabilities and associated attacks;
Skill in protecting a
network against malware. (e.g., NIPS, anti-malware, restrict/prevent external
devices, spam filters);
Skill in performing damage
assessments;
Skill in using security
event correlation tools;
Skill in designing incident
response for cloud service models;
Ability to design incident
response for cloud service models;
Ability to apply techniques
for detecting host and network-based intrusions using intrusion detection
technologies.
Education: A bachelor’s degree in
computer science, cybersecurity, information technology, software engineering,
information systems, computer engineering or related field.
Experience: Five years of
experience in malware analysis,
digital forensics, data/network analysis, information assurance technician, and
incident handling.
Notes:
1. Candidates may substitute
the “Education” requirement listed above, for a High School Diploma or
possession of a High School Equivalency certificate and two additional years of
experience as described above.
2. Candidates may substitute up to two
years of the “Experience” requirement listed above for a graduate level degree in
computer science, cybersecurity, information technology, software engineering,
information systems, computer engineering or related field from an accredited
college or university.
Must have a Cyber Security Service Provider (CSSP) Incident
Responder certification, as described on the Maryland Department of Information
Technology website.
1. Employees in this classification may be subject to call-in 24
hours a day and, therefore, may be required to provide the employing agency
with a telephone number where the employee can be reached. Employees may be
furnished with a pager or cell phone.
2. Applicants for this classification may handle
sensitive data. This will require a full
scope background investigation prior to appointment. A criminal conviction may be grounds for
rejection of the applicant.
3. Employees
may occasionally be required to travel to field locations and must have access
to an automobile in the event a state vehicle cannot be provided. Standard
mileage allowance will be paid for use of a privately owned vehicle.
Class
Descriptions are broad descriptions covering groups of positions used by
various State departments and agencies. Position descriptions maintained
by the using department or agency specifically address the essential job
functions of each position.
This is a Skilled Service
classification in the State Personnel Management System. All positions in this
classification are Skilled Service positions. Some positions in Skilled Service
classifications may be designated Special Appointment in accordance with the
State Personnel and Pensions Article, Section 6-405, Annotated Code of
Maryland.
This classification is assigned to Bargaining Unit G, Engineering, Scientific
and Administrative Professionals classes. As provided by the State Personnel
and Pensions Article, Section 3-102, special appointment, temporary,
contractual, supervisory, managerial and confidential employees are excluded
from collective bargaining. Additionally, certain executive branch agencies are
exempt from collective bargaining and all positions in those agencies are
excluded from collective bargaining.
This classification is one
level in a Non-Competitive Promotion (NCP) series. NCP promotions are
promotions by which employees may advance in grade and class level from trainee
to full performance level in a classification series. In order to be
non-competitively promoted to the next level in a NCP series, an employee must:
1) perform the main purpose of the class, as defined by the Nature of Work
section of the class specification; 2) receive the type of supervision defined
in the class specification and 3) meet the minimum qualifications of the
classification.
July 1, 2021
Director, Division of
Classification and Salary