- Hourly / - BiWeekly /
- Monthly / $89,727.00-$150,415.00 Yearly
SKILLED
SERVICE BARGAINING UNIT:
G
A
Department of Information Technology (DoIT) Information Systems Security
Specialist is the full performance level of work in the Office of Security
Management (OSM) and is tasked with the management of subprograms, evaluation
and management of vendor performance and service level agreements (SLAs),
development of security accreditation and authorization packages, and/or
evaluation of vendor supplied 3rd party audits. Positions in this
classification do not supervise other positions.
Employees
in this classification receive general supervision from a DoIT Information
Systems Security Manager or another higher-level IT Director.
Position
placement in this classification is determined by the Classification Job
Evaluation Methodology. The use of this method involves comparing the assigned
duties and responsibilities of a position to the job criteria found in the
Nature of Work and Examples of Work sections of a classification specification.
The DoIT Information Systems Security Manager differs
from the DoIT Information Systems Security Specialist
in that the DoIT Information Systems Security Specialist
performs the full range of duties under general supervision while the DoIT Information Systems Security Manager has
supervisory responsibility for lower-level DoIT Information Systems Security Specialists.
Acquires
and manages the necessary resources, including leadership support, financial
resources, and key security personnel, to support information technology (IT)
security goals and objectives and reduce overall organizational risk;
Acquires
necessary resources, including financial resources, to conduct an effective
enterprise continuity of operations program;
Advises
senior management (e.g., Chief Information Officer [CIO]) on risk levels and
security posture;
Advises
senior management (e.g., CIO) on cost/benefit analysis of information security
programs, policies, processes, systems, and elements;
Advises
appropriate senior leadership or Authorizing Official of changes affecting the
organization's cybersecurity posture;
Collects
and maintains data needed to meet system cybersecurity reporting;
Communicates
the value of information technology (IT) security throughout all levels of the
organization stakeholders;
Collaborates
with stakeholders to establish the enterprise continuity of operations program,
strategy, and mission assurance;
Ensures
that security improvement actions are evaluated, validated, and implemented as
required;
Ensures
that cybersecurity inspections, tests, and reviews are coordinated for the
network environment;
Ensures
that cybersecurity requirements are integrated into the continuity planning for
that system and/or organization(s);
Ensures
that protection and detection capabilities are acquired or developed using the
IS security engineering approach and are consistent with organization-level
cybersecurity architecture;
Establishes
overall Enterprise Information Security Architecture (EISA) with the
organization's overall security strategy;
Evaluates
and approves development efforts to ensure that baseline security safeguards
are appropriately installed;
Evaluates
cost/benefit, economic, and risk analysis in decision-making process;
Identifies
alternative information security strategies to address organizational security
objective;
Identifies
information technology (IT) security program implications of new technologies
or technology upgrades;
Interfaces
with external organizations (e.g., public affairs, law enforcement, Command or
Component Inspector General) to ensure appropriate and accurate dissemination
of incident and other Computer Network Defense information;
Interprets
and/or approves security requirements relative to the capabilities of new
information technologies;
Interprets
patterns of noncompliance to determine their impact on levels of risk and/or
overall effectiveness of the enterprise's cybersecurity program;
Leads
and aligns information technology (IT) security priorities with the security
strategy;
Leads
and oversees information security budget, staffing, and contracting;
Manages
the monitoring of information security data sources to maintain organizational
situational awareness;
Manages
the publishing of Computer Network Defense guidance (e.g., TCNOs, Concept of
Operations, Net Analyst Reports, NTSM, MTOs) for the enterprise constituency;
Manages
threat or target analysis of cyber defense information and production of threat
information within the enterprise;
Monitors
and evaluates the effectiveness of the enterprise's cybersecurity safeguards to
ensure that they provide the intended level of protection;
Oversees
the information security training and awareness program;
Participates
in an information security risk assessment during the Security Assessment and
Authorization process;
Participates
in the development or modification of the computer environment cybersecurity
program plans and requirements;
Prepares,
distributes, and maintains plans, instructions, guidance, and standard
operating procedures concerning the security of network system(s) operations;
Provides
enterprise cybersecurity and supply chain risk management guidance for
development of the Continuity of Operations Plans;
Provides
leadership and direction to information technology (IT) personnel by ensuring
that cybersecurity awareness, basics, literacy, and training are provided to
operations personnel commensurate with their responsibilities;
Provides
system-related input on cybersecurity requirements to be included in statements
of work and other appropriate procurement documents;
Provides
technical documents, incident reports, findings from computer examinations,
summaries, and other situational awareness information to higher headquarters;
Recognizes
a possible security violation and take appropriate action to report the
incident, as required;
Recommends
resource allocations required to securely operate and maintain an
organization's cybersecurity requirements;
Recommends
policy and coordinate review and approval;
Supervises
or manages protective or corrective measures when a cybersecurity incident or
vulnerability is discovered;
Tracks
audit findings and recommendations to ensure that appropriate mitigation actions
are taken;
Uses
federal and organization-specific published documents to manage operations of
their computing environment system(s);
Promotes
awareness of security issues among management and ensure sound security
principles are reflected in the organization's vision and goals;
Oversees
policy standards and implementation strategies to ensure procedures and
guidelines comply with cybersecurity policies;
Participates
in Risk Governance process to provide security risks, mitigations, and input on
other technical risk;
Evaluates
the effectiveness of procurement function in addressing information security
requirements and supply chain risks through procurement activities and
recommend improvements;
Identifies
security requirements specific to an information technology (IT) system in all
phases of the system life cycle;
Ensures
that plans of actions and milestones or remediation plans are in place for
vulnerabilities identified during risk assessments, audits, inspections, etc.;
Assures
successful implementation and functionality of security requirements and
appropriate information technology (IT) policies and procedures that are
consistent with the organization's mission and goals;
Supports
necessary compliance activities (e.g., ensure that system security
configuration guidelines are followed, compliance monitoring occurs);
Participates
in the acquisition process as necessary, following appropriate supply chain
risk management practices;
Ensures
that all acquisitions, procurements, and outsourcing efforts address
information security requirements consistent with organization goals;
Continuously
validates the organization against
policies/guidelines/procedures/regulations/laws to ensure compliance;
Forecasts
ongoing service demands and ensure that security assumptions are reviewed as
necessary;
Defines
and/or implements policies and procedures to ensure protection of critical
infrastructure as appropriate;
Performs
other related duties.
Knowledge of computer networking
concepts and protocols, and network security methodologies; Knowledge of risk
management processes (e.g., methods for assessing and mitigating risk); Knowledge
of laws, regulations, policies, and ethics as they relate to cybersecurity and
privacy; Knowledge of cybersecurity and
privacy principles; Knowledge of cyber threats and vulnerabilities; Knowledge
of specific operational impacts of cybersecurity lapses; Knowledge of
applicable business processes and operations of customer organizations;
Knowledge of encryption algorithms K0021 Knowledge of data backup and recovery;
Knowledge of business continuity and disaster recovery continuity of operations
plans; Knowledge of host/network access control mechanisms (e.g., access
control list, capabilities lists); Knowledge of cybersecurity and privacy
principles used to manage risks related to the use, processing, storage, and
transmission of information or data; Knowledge of vulnerability information
dissemination sources (e.g., alerts, advisories, errata, and bulletins);
Knowledge of incident response and handling methodologies; Knowledge of
industry-standard and organizationally accepted analysis principles and methods;
Knowledge of intrusion detection methodologies and techniques for detecting
host and network-based intrusions; Knowledge of Risk Management Framework (RMF)
requirements; Knowledge of measures or indicators of system performance and
availability; Knowledge of current industry methods for evaluating,
implementing, and disseminating information technology (IT) security
assessment, monitoring, detection, and remediation tools and procedures
utilizing standards-based concepts and capabilities; Knowledge of network
traffic analysis methods; Knowledge of new and emerging information technology
(IT) and cybersecurity technologies; Knowledge of how traffic flows across the
network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP],
Open System Interconnection Model [OSI], Information Technology Infrastructure
Library, current version [ITIL]); Knowledge of system and application security
threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site
scripting, Procedural Language/Structured Query Language [PL/SQL] and
injections, race conditions, covert channel, replay, return-oriented attacks,
malicious code); Knowledge of resource management principles and techniques;
Knowledge of server administration and systems engineering theories, concepts,
and methods; Knowledge of server and client operating systems; Knowledge of
system software and organizational design standards, policies, and authorized
approaches (e.g., International Organization for Standardization [ISO]
guidelines) relating to system design; Knowledge of system life cycle
management principles, including software security and usability; Knowledge of
technology integration processes; Knowledge of the organization’s enterprise
information technology (IT) goals and objectives; Knowledge of what constitutes
a network attack and a network attack’s relationship to both threats and
vulnerabilities; Knowledge of information security program management and
project management principles and techniques; Knowledge of Supply Chain Risk
Management Practices (NIST SP 800-161); Knowledge of organization's risk
tolerance and/or risk management approach; Knowledge of enterprise incident
response program, roles, and responsibilities; Knowledge of current and
emerging threats/threat vectors; Knowledge of critical information technology
(IT) procurement requirements; Knowledge of system administration, network, and
operating system hardening techniques; Knowledge of applicable laws, statutes
(e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives,
executive branch guidelines, and/or administrative/criminal legal guidelines
and procedures; Knowledge of information technology (IT) supply chain security
and supply chain risk management policies, requirements, and procedures; Knowledge
of critical infrastructure systems with information communication technology
that were designed without system security considerations; Knowledge of network
security architecture concepts including topology, protocols, components, and
principles (e.g., application of defense-in-depth); Knowledge of network
systems management principles, models, methods (e.g., end-to-end systems
performance monitoring), and tools; Knowledge of security architecture concepts
and enterprise architecture reference models (e.g., Zachman, Federal Enterprise
Architecture [FEA]); Knowledge of Personally Identifiable Information (PII)
data security standards; Knowledge of Payment Card Industry (PCI) data security
standards; Knowledge of Personal Health Information (PHI) data security
standards; Knowledge of laws, policies, procedures, or governance relevant to
cybersecurity for critical infrastructures; Knowledge of an organization's
information classification program and procedures for information compromise;
Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration,
Domain Name System (DNS), and directory services; Knowledge of penetration
testing principles, tools, and techniques; Knowledge of controls related to the
use, processing, storage, and transmission of data; Knowledge of Application
Security Risks (e.g. Open Web Application Security Project Top 10 list);
Skill in creating policies that reflect
system security objectives; Skill in determining how a security system should
work (including its resilience and dependability capabilities) and how changes
in conditions, operations, or the environment will affect these outcomes; Skill
in evaluating the trustworthiness of the supplier and/or product;
Ability to apply techniques for
detecting host and network-based intrusions using intrusion detection
technologies; Ability to integrate information security requirements into the
acquisition process; using applicable baseline security controls as one of the
sources for security requirements; ensuring a robust software quality control
process; and establishing multiple sources (e.g., delivery routes, for critical
system elements); Ability to identify critical infrastructure systems with
information communication technology that were designed without system security
considerations.
Experience: Nine years experience working on security/networks/systems operations, and directly involved with operations management, policy development, system procurement activities, leadership, and information assurance management.
Notes:
1. Candidates may substitute a Bachelor's degree in information security, computer science, electrical systems, cybersecurity, or related field from an accredited university for up to four years of the required experience.
2. Candidates may
substitute the “Education” requirement listed above, for a High School Diploma
or possession of a High School Equivalency certificate and two additional years
of experience as described above.
3. Candidates may substitute up to two
years of the “Experience” requirement listed above for a graduate level degree
in computer science, electrical systems, cybersecurity or related field from an
accredited college or university.
Must have an Information Assurance Management (IAM) level
2 or higher certification as described on the Maryland Department of
Information Technology website.
1. Employees in this classification may be subject to call-in 24
hours a day and, therefore, may be required to provide the employing agency
with a telephone number where the employee can be reached. Employees may be
furnished with a pager or cell phone.
2. Applicants for this classification may handle
sensitive data. This will require a full
scope background investigation prior to appointment. A criminal conviction may be grounds for
rejection of the applicant.
3. Employees
may occasionally be required to travel to field locations and must have access
to an automobile in the event a state vehicle cannot be provided. Standard
mileage allowance will be paid for use of a privately owned vehicle.
Class
Descriptions are broad descriptions covering groups of positions used by
various State departments and agencies. Position descriptions maintained
by the using department or agency specifically address the essential job
functions of each position.