Governance, Risk & Compliance Manager (GRC)

DoIT Cyber Policy and Strategy Planner Manager

Recruitment #24-004730-0001

Introduction

The Department of Information Technology (DoIT) leads the State in the creation and implementation of information technology solutions that improve IT infrastructure and government services across units of State government and keeps Maryland current within IT industry trends.

GRADE

STD 0025

LOCATION OF POSITION

Dept. of Information Technology
100 Community Place
Crownsville, MD  21032

Main Purpose of Job

The GRC Manager will manage the creation and execution of risk and controls assessments, system authorization-to-operate (ATO) assessments, and associated processes to manage and execute these programs across units of State gov. within the Executive branch.

As part of the risk and controls assessments, the GRC Manager will assist the GRC Director and support the implementation of a statewide GRC module and system that generates and manages risk registers, issue tracking, corrective action plans (CAPs), and key metric reporting for DoIT operations and security executives, agency leadership, and the Governor’s Office. The GRC Manager will ensure the continued development, maintenance, enhancement, and execution of assessments that fully integrate the State of Maryland and DoIT required security standards, NIST control frameworks, and regulatory related compliance with PII, PCI, PHI, CJIS, FTI and other regulated data types.

***This is a Management Service position which serves at the pleasure of the Appointing Authority***

POSITION DUTIES

  • Manage governance, risk, and compliance (GRC) programs, complex GRC projects, ATO program development and management, and assessments for units of State Government within the Executive branch, including supporting the building of the GRC program, managing respective program and budget and staff, and developing the program’s processes, procedures, and technologies.

  • Build and use the Agency’s GRC software solution to manage the organization’s cybersecurity and risk assessments, authorization to operate (ATO), processes and procedures, privacy assessments, compliance issue mitigation, and plans of action and milestones (POAMs) which align with known or established compliance frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), NIST SP 800-53, Center for Internet Security (CIS) Critical Security Controls (CSC), and International Organization for Standardization (ISO) 27001.

  • Manage and execute system and risk assessments, including resolution of discovered issues and development of POAM documentation. Update enterprise-level IT and cybersecurity risks, including updating a risk register, quantifying the risk impact, developing risk mitigation strategies, reducing risk, and evaluating risk acceptance by management.

  • Contribute to the Agency’s third-party vendor risk management program including assessments and attestations made by such organizations in the form of Service Organization Control (SOC) 2 Type II audits and related security assessments.

  • Supervise the work of respective GRC staff, including, but not limited to the GRC Analyst and ATO Assessor in the performance of his/her daily job duties.

  • Support Agency privacy officer functions. 

MINIMUM QUALIFICATIONS

Education:  A bachelor's degree from an accredited college or university in cybersecurity, information technology, or related field.


Experience:

1. Two years’ experience working in a governance, risk, and compliance (GRC) role which includes managing programs, projects, and assessments, using GRC tools/platforms, such as ServiceNow or another similar technology platform and a working knowledge of the Authorization to Operate (ATO) process. 

2. One of the two years of this experience must have been in a supervisory capacity.

DESIRED OR PREFERRED QUALIFICATIONS

Preference will be given to candidates who have one or more of the following skillsets or experience:

  • Understanding and working knowledge in each of the following areas: regulatory and security requirements regarding specific data types including Federal Tax Information (FTI), Personally Identifiable Information (PII), Protected Health Information (PHI), Payment Card Industry (PCI), and Criminal Justice Information Systems (CJIS).

  • Strong understanding of: National Institute of Standards and Technology (NIST) SP 800-53 (including a mapping of Rev.4 to Rev.5), Internal Revenue Service (IRS) Publication 1075 Cybersecurity Guidelines, NIST Cybersecurity Framework, Center for Internet Security (CIS) Top 20 - Critical Security Controls, Information Technology Infrastructure Library (ITIL) Concepts, and relevant cybersecurity and IT laws and regulations.

  • Experience managing cybersecurity governance, risk and compliance in a Federal, State or Local Government environment.

  • Certifications - One or more of the following: CISSP, CISM, GEIT, GRCP, CRISC, PMI or RMP.

SELECTION PROCESS

Please make sure that you provide sufficient information on your application to show that you meet the qualifications for this recruitment. All information concerning your qualifications must be submitted by the closing date. We will not consider information submitted after this date. Successful candidates will be ranked as Best Qualified, Better Qualified, or Qualified and placed on the eligible (employment) list for at least one year.

EXAMINATION PROCESS

The assessment may consist of a rating of your education, training, and experience related to the requirements of the position. It is important that you provide complete and accurate information on your application. Please report all experience and education that is related to this position.

BENEFITS

FURTHER INSTRUCTIONS

Online applications are highly recommended. However, if you are unable to apply online, the paper application and supplemental questionnaire may be submitted to: Department of Budget and Management, Recruitment and Examination Division, 301 W. Preston St., Baltimore, MD 21201. Paper application materials must be received in our office by the closing date for the recruitment. No postmarks will be accepted.

For questions regarding this recruitment, please contact the DBM Recruitment and Examination Division at Application.Help@maryland.gov or 410-767-4850, MD TTY Relay Service 1-800-735-2258.

We thank our Veterans for their service to our country.

People with disabilities and bilingual candidates are encouraged to apply.

As an equal opportunity employer, Maryland is committed to recruiting, retaining and promoting employees who are reflective of the State's diversity.

For education obtained outside the U.S., a copy of the equivalent American education as determined by a foreign credential evaluation service must be provided prior to hire.
