Please note: State agencies that contact job applicants do not usually request personal or financial information via text message or over the phone in connection with your response to a job posting. If you are contacted for such information by these methods, or any other method, please verify the identity of the individual before transmitting such information to that person.

Review Vacancy

Date Posted 10/22/19

Applications Due 11/01/19

Vacancy ID 75255

Agency Information Technology Services, Office of

Title Information Technology Specialist 4 (Information Security) Ref #18590

Occupational Category I.T. Engineering, Sciences

Salary Grade 25

Bargaining Unit PS&T - Professional, Scientific, and Technical (PEF)

Salary Range From $81446 to $102661 Annually

Employment Type Full-Time

Appointment Type Permanent

Jurisdictional Class Non-competitive Class

Travel Percentage 0%

Workweek Mon-Fri

Hours Per Week 37.50


From 9 AM

To 5 PM

Flextime allowed? No

Mandatory overtime? No

Compressed workweek allowed? No

Telecommuting allowed? No

County Albany

Street Address W. Averell Harriman State Office Campus, Building 5, 4th Floor

City Albany


Zip Code 12207

Minimum Qualifications Bachelor’s degree* in a cyber security, information assurance, or information technology related field, OR bachelor's degree with 15 credit hours in cyber security, information assurance, or information technology AND three years of information technology experience**.

* Appropriate information security or information assurance experience may substitute for the bachelor’s degree on a year-for-year basis; an associate’s degree requires an additional two years of information technology, information security, or information assurance experience.

**Experience solely in information security or information assurance may substitute for the general information technology experience.

Preferred Qualifications:

• Bachelor’s Degree with a concentration or major in Information Security, Cyber Security, Digital Forensics, Information Assurance, or a related field OR Bachelor's Degree with a concentration or major in Business Intelligence, Data Analytics, Data Science, Data Modeling, or a related field.

• Applicable Information Security certificate(s), including but not limited to:
o Certificate in Information Security Fundamentals (e.g., Security+, GSEC, CISF, GISF)
o Certificate in Information Security Management (e.g., GSLC, GSTRT, GCEIT, CISM, CCISO)
o Certified Information Systems Security Professional (CISSP)

• 1+ years’ experience in the following areas:
o technical writing
o conducting risk assessments and evaluating information technology systems for security controls (SSDLC)
o business intelligence, data analysis, data modeling, data visualization, and data presentation
o developing metrics and key performance indicators

• Working knowledge of:
o computer networks with a strong understanding of networking concepts, protocols, services and operating systems (TCP/IP, UDP, DNS, DHCP, HTTP, SMTP, Windows, UNIX, Linux, etc.)
o technical security solutions (e.g., intrusion detection/prevention systems, firewalls)
o system administration
o vulnerability management
o computer programming and scripting
o government security and privacy mandates/regulatory compliance (e.g., HIPAA, PCI, IRS Pub 1075, CJIS)
o Information Security (CIA triad, Information Classification, Risk Management, Incident Response, Vulnerability Management, Security Architecture & Engineering)
o Information Security Frameworks (NIST Cyber Security Framework, CIS Controls, ISO 27000 series)

• Excellent oral and written communication skills including the ability to clearly articulate information technology and information security concepts to a varied audience to facilitate wide understanding

• Demonstrated critical thinking, problem solving and analytical skills

• Demonstrated skill in facilitating meetings, listening, and negotiating between multiple stakeholders to drive results

Duties Description Under the direction of the Manager Information Technology Services 2, SG-29, within the Chief Information Security Office, Integrated Risk Management section, the position will be responsible for leading the Risk Assessment and Risk Tracking (RART) team’s activities related to ITS and hosted agency assets and security requirements, and to enterprise projects, including the Risk Management TRIMS (Threat, Issues, Risk Management System) project initiative.
These activities include overseeing the identification of project milestones and the breakdown of milestones into tangible tasks, assigning tasks to staff members, and collaborating with various CISO teams to implement their processes into the system. The position supervises, plans, and coordinates the activities of two or more team members with expertise in understanding the Information Security Program and the implementation of effective Risk Management. They ensure alignment with standards, industry best practice, legal and statutory requirements, and Federal and State Mandates. In addition to management responsibilities, this position requires IT experience and technical expertise in Risk Management and Remediation oversight.
Specific duties may include, but are not limited to:
• Oversee the implementation of the ITS GRC Tool, TRIMS, including successful implementation of Risk Management Processes by managing the RART team to enable the following:
o Implementation of a Findings/Risk Register – input from vulnerabilities, risk assessments, audits, asset inventory scans, etc.
o Implementation of standardized Risk Assessments (SSDLC, Application, Platforms, Projects)
o Implementation of Policy Management – (creation, modification, review, deletion, assessments, exceptions)
o Implementation of IT Controls – (configuration management, compliance)
o Implementation of Vulnerability Management
o Integrate the ITS vulnerability scanning results (Tenable.IO, Nessus Security Center, Qualys, HP WebInspect) into TRIMS utilizing vendor supplied APIs.
o Implementation of Incident Management
o Ownership of System Development, Test and Production TRIMS systems
o Installation, update and configuration of system – work with Operations to ensure system is regularly being updated
o Development of standard documentation that can be used for Integrated Risk Management Program:
- Business Process Documents
- Data Dictionary Documents
- Business Process Flow Diagrams
- Test Plan Documents
- Risk Assessment templates
o Develop and implement standard Risk scoring:
- Business criticality – availability of business service
- Data Classification – confidentiality / integrity
- Impact on other systems – dependency factor
- Quantitative assessment – loss revenue
- Number of users affected
- Reputational consequences
o Develop and implement standard Risk Assessment reporting & Dashboards
- Risk Assessment Reports – Executive & Detailed
- Dashboards – Measures / Metrics / KPI / KRI
o Develop and implement tracking of identified risk and remediation
o Develop and implement standard remediation recommendation reporting
- Develop workflow to create remediation plans
- Develop and implement prioritization recommendations for remediation
- Standardizing process for risk scoring and remediation recommendation
- Develop ability to parse out and report by portfolio, agency, bureau and business unit

• In addition, the Incumbent will:
o Maintain an adequate level of understanding of the capabilities of scripting and programming that may assist with the automation of Risk Assessment and Tracking.
o Manage staff and resources dedicated to the unit.
o Monitor progress and manage workload assignments.
o Develop written standard operating procedures and related processes.
o Establish workflows to enhance the productivity of the unit.
o Perform additional programming and scripting required for unit activities and supervise related tasks for subordinate team members.
o Provide training and guidance, and act as a mentor to subordinate team members.
o Develop and deliver presentations regarding cyber security threats and response and remediation efforts.
o Supervise subordinate team members, performing the full range of administrative responsibilities, including performance evaluations, time sheet approval, etc.
o Characterize and analyze systems and their design and functionality to maintain an understanding of various NYS agency businesses.
o Create standard operating procedures (SOPs), user guides, and other documentation to support a process-based approach to team operation.
o Participate in the development of metrics to measure the effectiveness of the team and program.
o Maintain an adequate level of current knowledge and proficiency in general information security through annual Continuing Professional Education (CPE) credits directly related to information security.
o Perform additional duties as required.

Additional Comments Approval to fill this position is pending with Division of the Budget (DOB). Background check and fingerprinting are required.

Some positions may require additional credentials or a background check to verify your identity.

Name Krina Homrighaus

Telephone 518-473-0398

Fax 518-402-4924

Email Address


Street Empire State Plaza, Swan Street Building, Core 4

PO Box 2062

City Albany

State NY

Zip Code 12220


Notes on Applying To apply, please submit a resume and cover letter indicating that you are applying for the Information Technology Specialist 4 (Information Security) Ref: #18590. Please clearly indicate how you meet the minimum qualifications for this position. Your Social Security number may be required to confirm your eligibility.
