Minimum Qualifications
Bachelor’s degree* in a cyber security, information assurance, or information technology related field, OR bachelor's degree with 15 credit hours in cyber security, information assurance, or information technology AND three years of information technology experience**.
* Appropriate information security or information assurance experience may substitute for the bachelor’s degree on a year-for-year basis; an associate’s degree requires an additional two years of information technology, information security, or information assurance experience.
** Experience solely in information security or information assurance may substitute for the general information technology experience.
• Bachelor’s Degree with a concentration or major in Information Security, Cyber Security, Digital Forensics, Information Assurance, or a related field OR Bachelor's Degree with a concentration or major in Business Intelligence, Data Analytics, Data Science, Data Modeling, or a related field.
• Applicable Information Security certificate(s), including but not limited to:
o Certificate in Information Security Fundamentals (e.g., Security+, GSEC, CISF, GISF)
o Certificate in Information Security Management (e.g., GSLC, GSTRT, GCEIT, CISM, CCISO)
o Certified Information Systems Security Professional (CISSP)
• 1+ years’ experience in the following areas:
o technical writing
o conducting risk assessments and evaluating information technology systems for security controls (SSDLC)
o business intelligence, data analysis, data modeling, data visualization, and data presentation
o developing metrics and key performance indicators
• Working knowledge of:
o computer networks with a strong understanding of networking concepts, protocols, services and operating systems (TCP/IP, UDP, DNS, DHCP, HTTP, SMTP, Windows, UNIX, Linux, etc.)
o technical security solutions (e.g., intrusion detection/prevention systems, firewalls)
o system administration
o vulnerability management
o computer programming and scripting
o government security and privacy mandates/regulatory compliance (e.g., HIPAA, PCI, IRS Pub 1075, CJIS)
o Information Security (CIA triad, Information Classification, Risk Management, Incident Response, Vulnerability Management, Security Architecture & Engineering)
o Information Security Frameworks (NIST Cyber Security Framework, CIS Controls, ISO 27000 series)
• Excellent oral and written communication skills including the ability to clearly articulate information technology and information security concepts to a varied audience to facilitate wide understanding
• Demonstrated critical thinking, problem solving and analytical skills
• Demonstrated skill in facilitating meetings, listening, and negotiating between multiple stakeholders to drive results
Duties Description
Under the direction of the Manager Information Technology Services 2, SG-29, within the Chief Information Security Office, Integrated Risk Management section, the position will be responsible for leading the Risk Assessment and Risk Tracking (RART) team’s activities related to ITS and hosted agency assets and security requirements, and to enterprise projects, including the Risk Management TRIMS (Threat, Issues, Risk Management System) project initiative.
These activities include overseeing the identification of project milestones and breakdown of milestones into tangible tasks, assigning tasks to staff members, and collaborating with various CISO teams to implement their processes into the system. The position supervises, plans, and coordinates the activities of two or more team members with expertise in understanding the Information Security Program and implementation of effective Risk Management. They ensure alignment with standards, industry best practice, legal and statutory requirements, and Federal and State Mandates. In addition to management responsibilities, this position requires IT experience and technical expertise in Risk Management and Remediation oversight.
Specific duties may include, but are not limited to:
• Oversee the implementation of the ITS GRC Tool, TRIMS, including successful implementation of Risk Management Processes by managing the RART team to enable the following:
o Implementation of a Findings/Risk Register – input from vulnerabilities, risk assessments, audits, asset inventory scans, etc.
o Implementation of standardized Risk Assessments (SSDLC, Application, Platforms, Projects)
o Implementation of Policy Management – (creation, modification, review, deletion, assessments, exceptions)
o Implementation of IT Controls – (configuration management, compliance)
o Implementation of Vulnerability Management
o Integrate the ITS vulnerability scanning results (Tenable.IO, Nessus Security Center, Qualys, HP WebInspect) into TRIMS utilizing vendor supplied APIs.
o Implementation of Incident Management
o Ownership of System Development, Test and Production TRIMS systems
o Installation, update and configuration of system – work with Operations to ensure system is regularly being updated
o Development of standard documentation that can be used for Integrated Risk Management Program:
- Business Process Documents
- Data Dictionary Documents
- Business Process Flow Diagrams
- Test Plan Documents
- Risk Assessment templates
o Develop and implement standard Risk scoring:
- Business criticality – availability of business service
- Data Classification – confidentiality / integrity
- Impact on other systems – dependency factor
- Quantitative assessment – lost revenue
- Number of users affected
- Reputational consequences
o Develop and implement standard Risk Assessment reporting & Dashboards
- Risk Assessment Reports – Executive & Detailed
- Dashboards – Measures / Metrics / KPI / KRI
o Develop and implement tracking of identified risk and remediation
o Develop and implement standard remediation recommendation reporting
- Develop workflow to create remediation plans
- Develop and implement prioritization recommendations for remediation
- Standardize the process for risk scoring and remediation recommendations
- Develop ability to parse out and report by portfolio, agency, bureau and business unit
• In addition, the Incumbent will:
o Maintain an adequate level of understanding of the scripting and programming capabilities that may assist with the automation of Risk Assessment and Tracking.
o Manage staff and resources dedicated to the unit.
o Monitor progress and manage workload assignments.
o Develop written standard operating procedures and related processes.
o Establish workflows to enhance the productivity of the unit.
o Perform additional programming and scripting required for unit activities and supervise related tasks for subordinate team members.
o Provide training and guidance, and act as a mentor to subordinate team members.
o Develop and deliver presentations regarding cyber security threats and response and remediation efforts.
o Supervise subordinate team members, performing the full range of administrative responsibilities, including performance evaluations, time sheet approval, etc.
o Characterize and analyze systems and their design and functionality to maintain an understanding of various NYS agency businesses.
o Create standard operating procedures (SOPs), user guides, and other documentation to support a process-based approach to team operation.
o Participate in the development of metrics to measure the effectiveness of the team and program.
o Maintain an adequate level of current knowledge and proficiency in general information security through annual Continuing Professional Education (CPE) credits directly related to information security.
o Perform additional duties as required.
Some positions may require additional credentials or a background check to verify your identity.
PO Box 2062
Notes on Applying
To apply, please submit a resume and cover letter indicating that you are applying for the Information Technology Specialist 4 (Information Security) Ref: #18590. Please clearly indicate how you meet the minimum qualifications for this position. Your Social Security number may be required to confirm your eligibility.