|Company||NYS Office of Information Technology Services|
|Preferred GIAC Certifications||GSEC|
|Salary||$56,604 - $71,980|
Under the direction of an upper level Lead Security Analysts within the Chief Information Security Office/Integrated Security Services Bureau, this position will be a member of a Security Services Team that provides security services to one or more ITS Portfolios and their client agencies. The incumbent will provide in-depth information security consulting and services aligned with business needs of the client agencies to ensure confidentiality, integrity, and availability of information and systems.
The position requires communicating orally and in writing with various individuals including management, users, vendors, and other IT staff. The incumbent will have to work with ITS teams and upper-level agency management to resolve technically complex and politically sensitive issues under pressure.
The position requires availability during off-shift hours to ensure appropriate response to security incidents or other critical activities that may impact sensitive information, critical systems, NYS agencies, or ITS.
Specific duties include, but are not limited to:
• Serves as information security expert, and evaluates systems and contracts for alignment with agency and State information security policies:
o Acts as information security liaison to agency and portfolio staff, maintaining close relationships to ensure security services align with business needs;
o Provides information security expertise to information security staff, ITS, and ITS-served agencies on a broad range of information security standards and best practices;
o Acts as Information Security Lead on ITS Projects and Initiatives to ensure security by design through implementation of the Secure Systems Development Lifecycle (SSDLC);
o Reviews the current and proposed architectures to meet security requirements for portfolio-served agencies;
o Assists staff with technical and security issues as necessary;
o Develops and maintains familiarity with client agency business functions and requirements;
o Develops and maintains expertise in cyber security compliance domains including, but not limited to, FISMA, NIST SP 800-53 and other 800 series guidelines, IRS Pub 1075, PCI DSS, HIPAA, HITECH;
o Develops and maintains expertise in cyber security frameworks including, but not limited to, CIS Top 20 CSC, NCSF, and ISO/IEC 27000 series.
• Supports the management and resolution of security threats to agency information systems:
o Assists with implementing information security incident response plans, and reports;
o Assists with response to potential security incidents;
o Escalates security concerns and report incidents to the applicable entities for review and action.
• Implements information security and compliance programs:
o Participates in the development, interpretation, review and communication of NYS information security policies, procedures and standards;
o Assists with analyzing the impact of proposed policy and legislation as they pertain to information systems and makes recommendations as appropriate;
o Supports the implementation of information security procedures and protocols and participates in security risk reviews and remediation activity including producing written reports;
o Writes progress reports to management and users outlining what was done, what needs to be done and timeframes for accomplishing tasks.
• Monitors and stays aware of information security industry trends, tools and techniques:
o Represents the agency at internal and external information security meetings and conferences to maintain awareness, and evaluates the applicability of the latest information security techniques and tools to the agency’s security program;
o Collaborates with peers to develop a multilayered and adaptive approach to counter a dynamic information security threat environment;
o Researches relevant laws and regulations in consultation with agency counsel that could affect the security controls and classification of information assets and approves adjustments to meet legal and regulatory requirements.
o Maintains an adequate level of current knowledge and proficiency in information security through annual Continuing Professional Education (CPE) credits directly related to information security;
• Performs additional duties as required.
Bachelor’s degree* with at least 15 credit hours in cyber security, information assurance, or information technology.
*Substitution: Bachelor's degree candidates without at least 15 course credits in cyber security, information assurance, or information technology require an additional year of general information technology experience to qualify. Appropriate information security or information assurance experience may substitute for the bachelor's degree on a year-for-year basis; an associate's degree requires an additional two years of general information technology experience.
Preferred Qualification: Bachelor’s degree** in a computer-related area.
**Appropriate information technology, information security, or information assurance experience may be substituted for the bachelor’s degree on a year-for-year basis; an associate degree requires an additional two years of information technology, information security, or information assurance experience.