State of Maryland

SRA Cybersecurity Defense Compliance Specialist II (#005849)

Salary: $69,159.00 - $116,011.00 Yearly


GRADE

STD 0019

CLASS ATTRIBUTES

SKILLED SERVICE BARGAINING UNIT: X NCP

NATURE OF WORK

A State Retirement Agency (SRA) Cybersecurity Defense Compliance Specialist II is the full performance level of work coordinating, organizing, and managing activities related to security audits, security policy development and compliance, and security awareness training, and overseeing data security program hygiene within the Agency. Employees in this classification ensure the security program maintains compliance with State, SRA-specific, NIST, and Cybersecurity Framework (CSF) standards by following the Capability Maturity Model Integration (CMMI) framework to: promote organizational accountability within the IS data security program, help sustain an acceptable maturity level over data security operations, coordinate tasks and activities related to data security audits, serve as the chief administrator for SRA’s Governance, Risk and Compliance (GRC) platform, and serve as the primary administrator for SRA’s security awareness training program. Employees in this class do not supervise.

Employees in this classification receive general supervision from an SRA Cybersecurity Operations Manager or other IT Director.

Positions in this classification are evaluated by using the classification job evaluation methodology. The use of this method involves comparing the assigned duties and responsibilities of the position to the job criteria found in the Nature of Work and Examples of Work sections of the classification specification.

The SRA Cybersecurity Defense Compliance Specialist I and the SRA Cybersecurity Defense Compliance Specialist II are differentiated based on the degree of supervisory control exercised by the supervisor over these employees. The SRA Cybersecurity Defense Compliance Specialist I performs the duties under close supervision at times, and under general supervision at other times, depending on the complexity of the specific duty being performed. The SRA Cybersecurity Defense Compliance Specialist II performs the full range of duties under general supervision. The SRA Cybersecurity Defense Compliance Specialist II differs from the SRA Cybersecurity Defense Compliance Specialist III in that the SRA Cybersecurity Defense Compliance Specialist III either assigns, reviews, and approves the work of and trains lower-level SRA Cybersecurity Defense Compliance Specialists or serves as a technical expert and handles cases of a more complex nature.

EXAMPLES OF WORK

Manages, orchestrates, and responds to data security audits within Information Systems conducted from internal & external sources;

Manages, administers, and coordinates activities for the GRC platform;

Administers, manages, and coordinates activities/tasks associated with the security awareness training program;

Manages security policy lifecycle tasks (e.g., formulation/modification, authorization & deprecation) within IS;

Tracks & evaluates enterprise security control & policy compliance across multiple frameworks and/or standards bodies (e.g., NIST 800-53, MD State/DoIT, SRA-specific, CSF, SOC-2, etc.);

Evaluates 3rd party vendor risk exposure via questionnaire, SOC-2 reviews, vendor risk reporting services, etc.;

Develops and reports on key performance metrics to track compliance maturity with established policies and standards;

Evaluates overall security posture using the Capability Maturity Model Integration (CMMI) model to assess maturity levels for all 5 components of the CSF framework (i.e., identify, protect, detect, respond & recover);

Performs other related duties.

KNOWLEDGE, SKILLS AND ABILITIES

Knowledge of data security auditing processes (e.g., auditing methods, artifact gathering/collection, audit repository management, etc.);

Knowledge of risk management processes (e.g., methods for assessing and mitigating risk);

Knowledge of GRC methodology, practices & compliance;

Knowledge of the Capability Maturity Model Integration (CMMI) framework;

Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy;

Knowledge of 3rd Party Risk Management processes;

Knowledge of specific operational impacts of cybersecurity lapses and risk exposure;

Knowledge of authentication, authorization, and access control methods;

Knowledge of security awareness training services or products;

Knowledge of the security policy formation process (authoring, authorizing & lifecycle maintenance);

Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation, separation of duties, least privilege, etc.);

Knowledge of security industry standards/governance bodies (e.g., NIST 800-53, CSF, State of MD/DoIT, etc.);

Knowledge of cyber defense and information security policies, procedures, and regulations;

Knowledge of CSF (Cybersecurity Framework - Identify, Protect, Detect, Respond & Recover) integration, compliance, and management;

Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities;

Knowledge of State of MD & SRA Personally Identifiable Information (PII) data security standards;

Knowledge of Personal Health Information (PHI) data security standards;

Knowledge of data security risk management (e.g., risk exposure, risk calculations, risk management principles, etc.);

Knowledge of business continuity and disaster recovery continuity of operations plans;

Skill in collaborating with internal team members/staff and strong interpersonal skills;

Skill in employing effective oral & written communication skills;

Skill in office productivity software to generate reports, analytics and presentations using effective visual presentation tactics & clear communication styles;

Skill in recognizing and categorizing types of vulnerabilities and associated attacks;

Skill in assessing security control compliance based on cybersecurity frameworks and/or standards bodies (e.g., NIST SP 800-53, Cybersecurity Framework, etc.);

Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation, separation of duties, least privilege, etc.).

MINIMUM QUALIFICATIONS

Education: Graduation from an accredited high school or possession of a high school equivalency certificate.

Experience: Three years of experience in the data security compliance discipline, working knowledge of Governance, Risk and Compliance (GRC) platforms, security audit management and procedures, compiling reports and analytics from completed security audits and risk assessments (internal and external sources), and administering security awareness training services/products.

Notes:

1. Candidates may substitute the possession of a Bachelor’s degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university for two years of the required experience.

2. Candidates may substitute an Associate’s degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university for one year of the experience.

3. Candidates may substitute a graduate level degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university for the required experience.

LICENSES, REGISTRATIONS AND CERTIFICATIONS

Must have one industry certification; highly desirable examples include CompTIA Security+ and/or Certified Information Systems Auditor (CISA).

SPECIAL REQUIREMENTS

Employees in this classification may be subject to call-in 24 hours a day and be required to work evenings, weekends, and holidays when systems are down or to work on systems that need to be repaired or replaced during non-business hours and, therefore, may be required to provide the employing agency with a telephone number where the employee can be reached. Employees may be furnished with a pager or cell phone.

Applicants for this classification may handle sensitive data. This will require a full scope background investigation prior to appointment. A criminal conviction may be grounds for rejection of the applicant.

Employees may occasionally be required to travel to the main office during off hours, or field locations, and must have access to an automobile in the event a state vehicle cannot be provided. Standard mileage allowance will be paid for use of a privately owned vehicle.

The work may require moving computers, printers and other IT related equipment weighing up to 80 pounds.

ACKNOWLEDGEMENTS

Class specifications are broad descriptions covering groups of positions used by various State departments and agencies. Position descriptions maintained by the using department or agency specifically address the essential job functions of each position.

This is a Skilled Service classification in the State Personnel Management System. All positions in this classification are Skilled Service positions. Some positions in Skilled Service classifications may be designated Special Appointment in accordance with the State Personnel and Pensions Article, Section 6-405, Annotated Code of Maryland.

This classification is not assigned to a bargaining unit, as indicated by the designation of S (Supervisor), M (Manager), T (Agency Head), U (Board or Commission Member), W (Student), X (Used by Agency or Excluded by Executive Order), or Z (Confidential). As provided by State Personnel and Pensions Article, Section 3-102, special appointment, temporary, contractual, supervisory, managerial and confidential employees are excluded from collective bargaining. Additionally, certain executive branch agencies are exempt from collective bargaining and all positions in those agencies are excluded from collective bargaining.

This classification is one level in a Non-Competitive Promotion (NCP) series. NCP promotions are promotions by which employees may advance in grade and class level from trainee to full performance level in a classification series. In order to be non-competitively promoted to the next level in an NCP series, an employee must: 1) perform the main purpose of the class, as defined by the Nature of Work section of the class specification; 2) receive the type of supervision defined in the class specification; and 3) meet the minimum qualifications of the classification.

Date Established

July 1, 2023


Approved By

Director, Division of Classification and Salary

CLASS: 005849; EST: 7/1/2023;
