$95,798.00 - $160,555.00 Yearly
A Department of Information Technology (DoIT) IT Program Auditor II is the full performance level of work in the Office of Security Management (OSM), tasked with evaluating the effective design and operation of security controls in the environment, both independently and holistically in the context of the system. This position may require work outside of regular business hours and work in an on-call capacity. Positions in this classification do not supervise other positions.
Employees in this classification receive general supervision from an IT Program Auditor Manager or other higher-level IT Director.
Position placement in this classification is determined by the Classification Job Evaluation Methodology. The use of this method involves comparing the assigned duties and responsibilities of a position to the job criteria found in the Nature of Work and Examples of Work sections of a classification specification.
The DoIT IT Program Auditor I and DoIT IT Program Auditor II are differentiated on the basis of the degree of supervisory control exercised by the supervisor over these employees. The DoIT IT Program Auditor I performs duties under close supervision at times and under general supervision at other times, depending on the complexity of the specific duty being performed, and the DoIT IT Program Auditor II performs the full range of duties under general supervision.
Develops methods to monitor and measure risk, compliance, and assurance efforts;
Provides ongoing optimization and problem-solving support;
Provides recommendations for possible improvements and upgrades;
Reviews or conducts audits of information technology (IT) programs and projects;
Evaluates the effectiveness of the procurement function in addressing information security requirements and supply chain risks through procurement activities, and recommends improvements;
Reviews service performance reports, identifying any significant issues and variances, initiating corrective actions where necessary, and ensuring that all outstanding issues are followed up;
Conducts import/export reviews for acquiring systems and software;
Ensures that supply chain, system, network, performance, and cybersecurity requirements are included in contract language and delivered;
Performs other related duties.
Knowledge of computer networking concepts and protocols, and network security methodologies;
Knowledge of risk management processes (e.g., methods for assessing and mitigating risk);
Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy;
Knowledge of cybersecurity and privacy principles;
Knowledge of cyber threats and vulnerabilities;
Knowledge of specific operational impacts of cybersecurity lapses;
Knowledge of industry-standard and organizationally accepted analysis principles and methods;
Knowledge of information technology (IT) architectural concepts and frameworks;
Knowledge of Risk Management Framework (RMF) requirements;
Knowledge of resource management principles and techniques;
Knowledge of system life cycle management principles, including software security and usability;
Knowledge of how information needs and collection requirements are translated, tracked, and prioritized across the extended enterprise;
Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161);
Knowledge of import/export control regulations and responsible agencies for the purposes of reducing supply chain risk;
Knowledge of supply chain risk management standards, processes, and practices;
Knowledge of risk threat assessment;
Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures;
Knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, and CMMI for Acquisitions);
Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]);
Knowledge of how to leverage research and development centers, think tanks, academic research, and industry systems;
Knowledge of information technology (IT) acquisition/procurement requirements;
Knowledge of the acquisition/procurement life cycle process;
Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system;
Skill in conducting audits or reviews of technical systems;
Skill in translating, tracking, and prioritizing information needs and intelligence collection requirements across the extended enterprise;
Ability to ensure security practices are followed throughout the acquisition process.
Experience: Nine years of experience in information assurance or in a role performing IT Audits or evaluating the effectiveness of security control design and operation.
Notes:
1. Candidates may substitute a bachelor’s degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field for up to four years of the required experience.
2. Candidates may substitute the “Education” requirement listed above for a High School Diploma or possession of a High School Equivalency certificate and two additional years of experience as described above.
3. Candidates may substitute up to two years of the “Experience” requirement listed above for a graduate level degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university.
Must have a Cyber Security Service Provider (CSSP) Auditor certification as described on the Maryland Department of Information Technology website.
1. Employees in this classification may be subject to call-in 24 hours a day and, therefore, may be required to provide the employing agency with a telephone number where the employee can be reached. Employees may be furnished with a pager or cell phone.
2. Applicants for this classification may handle sensitive data. This will require a full scope background investigation prior to appointment. A criminal conviction may be grounds for rejection of the applicant.
3. Employees may occasionally be required to travel to field locations and must have access to an automobile in the event a state vehicle cannot be provided. Standard mileage allowance will be paid for use of a privately owned vehicle.
Class Descriptions are broad descriptions covering groups of positions used by various State departments and agencies. Position descriptions maintained by the using department or agency specifically address the essential job functions of each position.
This is a Skilled Service classification in the State Personnel Management System. All positions in this classification are Skilled Service positions. Some positions in Skilled Service classifications may be designated Special Appointment in accordance with the State Personnel and Pensions Article, Section 6-405, Annotated Code of Maryland.
This classification is assigned to Bargaining Unit G, Engineering, Scientific
and Administrative Professionals classes. As provided by the State Personnel
and Pensions Article, Section 3-102, special appointment, temporary,
contractual, supervisory, managerial and confidential employees are excluded
from collective bargaining. Additionally, certain executive branch agencies are
exempt from collective bargaining and all positions in those agencies are
excluded from collective bargaining.
This classification is one level in a Non-Competitive Promotion (NCP) series. NCP promotions are promotions by which employees may advance in grade and class level from trainee to full performance level in a classification series. In order to be non-competitively promoted to the next level in an NCP series, an employee must: 1) perform the main purpose of the class, as defined by the Nature of Work section of the class specification; 2) receive the type of supervision defined in the class specification; and 3) meet the minimum qualifications of the classification.
July 1, 2021
Director, Division of Classification and Salary