State of Maryland

DoIT IT Program Auditor I (#004734)

- Hourly / - BiWeekly /
- Monthly / $89,727.00-$150,415.00 Yearly


STD 0023




The Department of Information Technology (DoIT) IT Program Auditor I is the intermediate level tasked with evaluating the effective design and operation of security controls in the environment, both independently and holistically in the context of the system. This position may require work outside of regular business hours, and work in an on-call capacity. Positions in this classification do not supervise other positions.


Employees in this classification receive moderate supervision from a DoIT IT Program Auditor Manager or other higher level IT Director.


Position placement in this classification is determined by the Classification Job Evaluation Methodology. The use of this method involves comparing the assigned duties and responsibilities of a position to the job criteria found in the Nature of Work and Examples of Work sections of a classification specification.


The DoIT IT Program Auditor I and DoIT IT Program Auditor II are differentiated on the basis of the degree of supervisory control exercised by the supervisor over these employees. The DoIT IT Program Auditor I performs duties under close supervision at times and under general supervision at other times depending on the complexity of the specific duty being performed, and the DoIT IT Program Auditor II performs the full range of duties under general supervision.


Develops methods to monitor and measure risk, compliance, and assurance efforts;


Provides ongoing optimization and problem-solving support;


Provides recommendations for possible improvements and upgrades;


Reviews or conducts audits of information technology (IT) programs and projects;


Evaluates the effectiveness of procurement function in addressing information security requirements and supply chain risks through procurement activities and recommend improvements;


Reviews service performance reports identifying any significant issues and variances, initiating, where necessary, corrective actions and ensuring that all outstanding issues are followed up;


Conducts import/export reviews for acquiring systems and software;


Ensures that supply chain, system, network, performance, and cybersecurity requirements are included in contract language and delivered;


Performs other related duties.


Knowledge of computer networking concepts and protocols, and network security methodologies;

Knowledge of risk management processes (e.g., methods for assessing and mitigating risk);

Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy;

Knowledge of cybersecurity and privacy principles;

Knowledge of cyber threats and vulnerabilities;

Knowledge of specific operational impacts of cybersecurity lapses;

Knowledge of industry-standard and organizationally accepted analysis principles and methods;

Knowledge of information technology (IT) architectural concepts and frameworks;

Knowledge of Risk Management Framework (RMF) requirements;

Knowledge of resource management principles and techniques;

Knowledge of system life cycle management principles, including software security and usability;

Knowledge of how information needs and collection requirements are translated, tracked, and prioritized across the extended enterprise; Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161);

Knowledge of import/export control regulations and responsible agencies for the purposes of reducing supply chain risk; Knowledge of supply chain risk management standards, processes, and practices.

Knowledge of risk threat assessment; Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures; knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, and CMMI for Acquisitions); Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]);

Knowledge of how to leverage research and development centers, think tanks, academic research, and industry systems; Knowledge of information technology (IT) acquisition/procurement requirements; Knowledge of the acquisition/procurement life cycle process.

Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system; Skill in conducting audits or reviews of technical systems;

Skill in translating tracking, and prioritizing information needs and intelligence collection requirements across the extended enterprise.

Ability to ensure security practices are followed throughout the acquisition process.


Experience:  Eight years of experience in information assurance or in a role performing IT Audits or evaluating the effectiveness of security control design and operation.


1. Candidates may substitute a bachelor’s degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field for up to four years of the required experience.

2. Candidates may substitute the “Education” requirement listed above, for a High School Diploma or possession of a High School Equivalency certificate and two additional years of experience as described above.

3. Candidates may substitute up to two years of the “Experience” requirement listed above for a graduate level degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university.


Must have a Cyber Security Service Provider (CSSP) Auditor certification as described on the Maryland

Department of Information Technology website.


1. Employees in this classification may be subject to call-in 24 hours a day and, therefore, may be required to provide the employing agency with a telephone number where the employee can be reached. Employees may be furnished with a pager or cell phone.

2. Applicants for this classification may handle sensitive data.  This will require a full scope background investigation prior to appointment.  A criminal conviction may be grounds for rejection of the applicant.

3.  Employees may occasionally be required to travel to field locations and must have access to an automobile in the event a state vehicle cannot be provided. Standard mileage allowance will be paid for use of a privately owned vehicle.


Class Descriptions are broad descriptions covering groups of positions used by various State departments and agencies.  Position descriptions maintained by the using department or agency specifically address the essential job functions of each position. 

This is a Skilled Service classification in the State Personnel Management System. All positions in this classification are Skilled Service positions. Some positions in Skilled Service classifications may be designated Special Appointment in accordance with the State Personnel and Pensions Article, Section 6-405, Annotated Code of Maryland.

This classification is assigned to Bargaining Unit G, Engineering, Scientific and Administrative Professionals classes. As provided by the State Personnel and Pensions Article, Section 3-102, special appointment, temporary, contractual, supervisory, managerial and confidential employees are excluded from collective bargaining. Additionally, certain executive branch agencies are exempt from collective bargaining and all positions in those agencies are excluded from collective bargaining.


This classification is one level in a Non-Competitive Promotion (NCP) series.  NCP promotions are promotions by which employees may advance in grade and class level from trainee to full performance level in a classification series.  In order to be non-competitively promoted to the next level in a NCP series, an employee must: 1) perform the main purpose of the class, as defined by the Nature of Work section of the class specification; 2) receive the type of supervision defined in the class specification and 3) meet the minimum qualifications of the classification.

Date Established

July 1, 2021

Approved By

Director, Division of Classification and Salary

CLASS: 004734; EST: 7/1/2021; REV: 1/3/2022;

Powered by JobAps