State of Maryland

The State Retirement Agency (SRA) Cybersecurity Systems Engineer II is the full performance level of work administering and maintaining SRA’s security operations that include hardware-based and virtual devices, specialized security software (on-prem and cloud-based) including Security Information and Event Management (SIEM’s), firewalls, log collectors, and other data security-based technologies, tools, and utilities. Employees in this classification apply knowledge of protocols, data encryption models/standards, internet traffic/hand shaking complexities, cloud service architectures, and security policy configurations that support SRA’s internet-based services and devices (e.g. firewalls, load balancers, data encryption, secure file transfers, etc.) in order to provide layers of data security over SRA’s core business applications and internal operations. Employees in this classification serve as an administrator for the virtual server infrastructure and for troubleshooting/remediating complex security incidents or internet traffic disruptions resulting in downtime or disruption to critical Agency business systems and/or services hosted both internally and externally. Employees in this classification create and deploy automated tools and programs via Powershell, Bash Script, SQL, Python, CFML, and KQL. Employees in this classification do not supervise other positions.

Employees in this classification receive general supervision from a Director of Cybersecurity Operations or other designated administrator.

Positions in this classification are evaluated using the classification job evaluation methodology, which involves comparing the assigned duties and responsibilities of a position to the job criteria found in the Nature of Work and Examples of Work sections of this classification specification.

The SRA Cybersecurity Systems Engineer I and the SRA Cybersecurity Systems Engineer II are differentiated based on the degree of supervisory control exercised by the supervisor over these employees. The SRA Cybersecurity Systems Engineer I performs duties under close supervision at times, and under general supervision at other times, depending on the complexity of the specific duty being performed. The SRA Cybersecurity Systems Engineer II performs the full range of duties and responsibilities under general supervision. The SRA Cybersecurity Systems Engineer III is differentiated from the SRA Cybersecurity Systems Engineer II in that the SRA Cybersecurity Systems Engineer III either assigns, reviews and approves the work of and trains SRA Cybersecurity Systems Engineers or serves as a project lead or technical expert in identifying security incidents and gaps.

Provides technical and operational oversight for all aspects of cybersecurity for both on-prem and cloud-based security devices, platforms and services;

Conducts vulnerability security scans for both servers, endpoints and auxiliary network devices to identify, assess and remediate risk exposure;

Conducts web application security assessments (both dynamic & static) to assess risk exposure for SRA’s in-house designed web applications;

Manages and oversees core security devices and services for both on-prem and cloud-based platforms to ensure operational stability and protective effectiveness (e.g., firewalls/WAF, load balancers, DLP, virtual server infrastructure, FTP servers/services, SIEM’s, security audit log management, etc.);

Performs and manages system, platform and data backups for both on-prem and cloud-based core data security services & platforms;

Develops, designs, and assists in the formation of effective and functional incident responses to cyber threats and insider threat risks (e.g., malware intrusion/ransomware, employee abuse of PII, etc.);

Plans, designs, implements and manages the onboarding of both on-prem and cloud-based new data security platforms and/or services to reduce risk exposure and provide effective protections over SRA’s core business processes and services;

Provides design & technical oversight for workflow task management platforms (i.e., Jira);

Performs other related duties.

Knowledge of computer networking concepts and protocols, and network security methodologies; Knowledge of risk management processes (e.g., methods for assessing and mitigating risk); Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy; Knowledge of cyber threats and vulnerabilities; Knowledge of specific operational impacts of cybersecurity lapses and risk exposure; Knowledge of authentication, authorization, and access control methods; Knowledge of cyber defense and vulnerability assessment tools and their capabilities (e.g., vulnerability scanning, PEN testing; Knowledge of cyber-attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks) & the MITRE ATT&CK framework; Knowledge of Internet-based attack methods and techniques (e.g., password spraying/brute-force, phishing/vishing/smishing, DDoS/DoS, XSS, MITM, ransomware, etc.); Knowledge of penetration testing (PEN) tools and technologies (e.g., SAST [static analysis security testing] & DAST [dynamic analysis security testing]); Knowledge of cyber attackers (e.g., insider threat, non-nation/nation sponsored, DoS/DDoS attacks, social engineering-based - frauds/scams/phishing/vishing/smishing, hacktivist, terrorism, etc.); Knowledge of data encryption methodologies, technologies, algorithm types (AES, RSA, etc.) & key management; Knowledge of cryptography & cryptographic key systems (e.g., symmetric/asymmetric, padding, salting, etc.); Knowledge of secure email concepts and protections (e.g., DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication Reporting and Conformance), and SPF (Sender Policy Framework); Knowledge of database security/secure configurations, and DAM [Database Activity Monitoring} technology; Knowledge of data classification/data discovery: Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins, such as Common Vulnerabilities and Exposures (CVE), SANS NewsBites, FBI/InfraGard, CISA (Known Exploited Vulnerability Catalog, CERT, etc.); Knowledge of incident response and handling methodologies; Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation, separation of duties, least privilege, etc); Knowledge of security industry standards/governance bodies (e.g., NIST 800-53, CSF, State of MD/DoIT, etc.); Knowledge of Next Generation (NextGen) firewall administration, maintenance & operation; Knowledge of intrusion detection/prevention (IDS/IPS) methodologies and techniques for detecting and preventing host and network-based intrusions; Knowledge of network access, identity, and access management (e.g., public key infrastructure, Oauth, OpenID, SAML, SPML); Knowledge of network traffic analysis methods; Knowledge of new and emerging information technology (IT) and cybersecurity technologies; Knowledge of key concepts in security management (e.g., Configuration Management, Patch Management); Knowledge of Virtual Private Network (VPN) security; Knowledge of what constitutes a network attack and a network attack’s relationship to both threats and vulnerabilities; Knowledge of Insider Threat investigations, reporting, investigative tools and laws/regulations; Knowledge of adversarial tactics, techniques, and procedures (TTP’s); Knowledge of network diagnostic/troubleshooting tools (e.g., ping, traceroute, nslookup, whois); Knowledge of defense-in-depth principles and network security architecture; Knowledge of different types of network topologies (e.g., LAN, WAN, MAN, WLAN, WWAN, Wi-Fi, etc.); Knowledge of scripting languages (e.g., PowerShell, Batch Script & Python); Knowledge of SRA cyber defense and information security policies, procedures, and regulations; Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks); Knowledge of server system administration, network, and operating system hardening techniques; Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth); Knowledge of CSF (Cybersecurity Framework - Identify, Protect, Detect, Respond & Recover) integration, compliance, and management; Knowledge of signature and behavioral-based technologies for virus, malware, and attack detection/prevention; Knowledge of data backup/restore methodologies/products, practices and configurations; Knowledge of system vulnerability scanning administration, practices, and techniques: Knowledge of Windows/Unix ports and services; Knowledge of OSI model layers, underlying network protocols and applications (e.g., MAC addresses, TCP/IP, SMTP, HTTPS, DNS, LDAP, SNMP, SSH/Telnet, TLS, etc.); Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities; Knowledge of State of MD & SRA Personally Identifiable Information (PII) data security standards; Knowledge of Personal Health Information (PHI) data security standards; Knowledge of countermeasure design for identified security risks; Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump); Knowledge of IP address sub-netting (Class A, B, C) & CIDR (Classless-Inter Domain Routing); Knowledge of Network Address Translation (NAT) use, configuration and application; Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications; Knowledge of virtual technology & infrastructure (VMware, Hyper-V) management and operation; Knowledge of how to use network analysis tools to identify vulnerabilities; Knowledge of data security risk management (e.g., risk exposure, risk calculations, risk management principles, etc.); Knowledge of Application Security Risks (e.g. Open Web Application Security Project (OWASP Top-10); Knowledge of physical security systems and controls (e.g., door security systems, card readers, etc.); Knowledge of data backup and recovery strategies; Knowledge of business continuity and disaster recovery continuity of operations plans;

Skill in diagnosing TCP/IP, sFTP, and proprietary application connectivity problems; Skill in maintaining directory services. (e.g., Microsoft Active Directory, Azure AD, LDAP, etc.); Skill in configuring/administering virtual machine technology; (e.g., Microsoft Hyper-V, VMWare vSphere, etc.); Skill in administering both Microsoft Windows-based and Open Source/Linux server operating systems; Skill in administering Next-Generation firewalls (building firewall policies/rules, NAT rules, VPN connectivity, IDS’, URL filtering, log repository management, etc.); Skill in administering web application firewalls (WAF); Skill in administering the physical security environment (e.g., door security systems, card readers, etc.); Skill in administering cloud-based security services and technology platforms (Azure AD, Office365, MS Dynamics/ CRM, etc.); Skill in administering cloud-based & on-prem Security Information Event Management systems (SIEM); Skill in leading and managing successful (Proof-Of-Concept) projects to evaluate and recommend security products & services; Skill in collaborating with internal team members/staff, employing effective oral & written communication skills; Skill in conducting system/server hardware & software planning, management, and maintenance; Skill in correcting physical and technical problems that impact system/server performance; Skill in identifying and anticipating system/server performance, availability, capacity, or configuration problems; Skill in installing or upgrading systems and/or components (i.e., virtual machines, memory, disk arrays, etc.); Skill in monitoring and optimizing system/server performance;
Skill in developing and deploying signatures/playbooks/intelligence responses for security devices (SIEM’s) and services; Skill in using incident handling methodologies; Skill in using protocol and traffic analyzers; Skill in assimilating, categorizing and distributing intelligence from various cyber defense resources (e.g., CERT, CVE (Common Vulnerabilities & Exposures), SANS, CISA, NIST, etc.); Skill in recognizing and categorizing types of vulnerabilities and associated attacks; Skill in assessing security controls based on cybersecurity principles and tenets. (e.g., NIST SP 800-53, Cybersecurity Framework, etc.); Skill in recognizing vulnerabilities in security systems. (e.g., vulnerability and compliance scanning); Skill in applying cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation, separation of duties, least privilege, etc.); Skill in identifying, capturing, containing, and reporting malware; Skill in preserving evidence integrity according to standard operating procedures or national standards; Skill in collecting, preserving and formatting/presenting forensic evidence & artifacts;
Skill in using security event correlation tools; Skill in designing incident response for cloud service models;

Ability to detect, isolate, and analyze malware; Ability to conduct vulnerability scans and recognize vulnerabilities in security systems; Ability to accurately and completely source all data used in intelligence, assessment and/or planning products; Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation, separation of duties, least privilege, etc); Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies; Ability to interpret the information collected by network tools (e.g. Nslookup, Ping, and Traceroute); Ability to design incident response for cloud service models; Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies.

Education: Graduation from an accredited high school or possession of a high school equivalency certificate.

Experience: Five years of experience as an IT data security practitioner, having a primary focus that includes: network security, internet infrastructure operations/management (e.g. firewalls, load balancers, DNS configurations, data encryption/protocol configuration, secure file transfer operations, etc.), VMware/Hyper-V, server management, and security operations. Two of the four years of required experience is required to have been performing on-prem and cloud-based enterprise security tools, systems and services.

Notes:

1. Candidates may substitute a Bachelor’s degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field for up to two years of the required experience as an IT data security practitioner, having a primary focus that includes: network security, internet infrastructure operations/management (e.g. firewalls, load balancers, DNS configurations, data encryption/protocol configuration, secure file transfer operations, etc.), VMware/Hyper-V, server management, and security operations.

2. Candidates may substitute an Associate’s degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field for one year of the required experience as an IT data security practitioner, having a primary focus that includes: network security, internet infrastructure operations/management (e.g. firewalls, load balancers, DNS configurations, data encryption/protocol configuration, secure file transfer operations, etc.), VMware/Hyper-V, server management, and security operations.

3. Candidates may substitute the “Education” requirement listed above, for a High School Diploma or possession of a High School Equivalency certificate and two additional years of experience as described above.

4. Candidates may substitute the “Experience” requirement listed above for a graduate level degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university.

5. Candidates may substitute U.S. Armed Forces military service experience as a non-commissioned officer in Cybersecurity Analyst classifications and Management specialty codes in Information Technology field of work on a year-to-year basis for the required experience.

Employees in this classification may be subject to call-in 24 hours a day and be required to work evenings, weekends, and holidays when systems are down or to work on systems that need to be repaired or replaced during non-business hours and, therefore, may be required to provide the employing agency with a telephone number where the employee can be reached. Employees may be furnished with a pager or cell phone.

Applicants for this classification may handle sensitive data. This will require a full scope background investigation prior to appointment. A criminal conviction may be grounds for rejection of the applicant.

Employees may occasionally be required to travel to the main office during off hours, or field locations, and must have access to an automobile in the event a state vehicle cannot be provided. Standard mileage allowance will be paid for use of a privately owned vehicle.

Class specifications are broad descriptions covering groups of positions used by various State departments and agencies. Position descriptions maintained by the using department or agency specifically address the essential job functions of each position.

This is a Skilled Service classification in the State Personnel Management System. All positions in this classification are Skilled Service positions. Some positions in Skilled Service classifications may be designated Special Appointment in accordance with the State Personnel and Pensions Article, Section 6-405, Annotated Code of Maryland.

This classification is not assigned to a bargaining unit, as indicated by the designation of S (Supervisor), M (Manager), T (Agency Head), U (Board or Commission Member), W (Student), X (Used by Agency or Excluded by Executive Order), or Z (Confidential). As provided by State Personnel and Pensions Article, Section 3-102, special appointment, temporary, contractual, supervisory, managerial and confidential employees are excluded collective bargaining. Additionally, certain executive branch agencies are exempt from collective bargaining and all positions in those agencies are excluded from collective bargaining.

This classification is one level in a Non-Competitive Promotion (NCP) series. NCP promotions are promotions by which employees may advance in grade and class level from trainee to full performance level in a classification series. In order to be non-competitively promoted to the next level in a NCP series, an employee must: 1) perform the main purpose of the class, as defined by the Nature of Work section of the class specification; 2) receive the type of supervision defined in the class specification and 3) meet the minimum qualifications of the classification.