| Company | NYS Office of Information Technology Services |
| --- | --- |
| Preferred GIAC Certifications | GSEC |
| Salary | $81,446 - $102,661 |
Under the direction of senior team members within the Chief Information Security Office/Integrated Security Services/Risk Management section, the Incumbent will be responsible for leading the data analytics and process improvement efforts built on the ITS GRC (Governance, Risk and Compliance) Tool, TRIMS (Threat, Issues, Risk Management System), as well as participating in the operational duties of TRIMS releases in a bugfix/release/development capacity.
The Incumbent will be responsible for supervising, planning, and coordinating the activities of grade 23 and below team members as applicable with the current team sizing. They ensure alignment with standards, industry best practice, legal and statutory requirements, and Federal and State Mandates. In addition to management responsibilities, this position requires IT experience and technical expertise in Risk Management and Remediation oversight.
Specific duties may include, but are not limited to:
• Involvement and demonstrated leadership in the implementation of the GRC Tool including successful implementation of Risk Management Processes by managing the Risk Management team to enable the following:
o Implementation of a Findings/Risk Register – input from vulnerabilities, risk assessments, audits, asset inventory scans, etc.
o Implementation of standardized Risk Assessments (SSDLC, Application, Platforms, Projects)
o Implementation of Policy Management – (creation, modification, review, deletion, assessments, exceptions)
o Implementation of IT Controls – (configuration management, compliance)
o Implementation of Incident Management
o Installation, update and configuration of system – work with Operations to ensure system is regularly being updated
o Development of standard documentation that can be used for Integrated Risk Management Program:
▪ Business Process Documents
▪ Data Dictionary Documents
▪ Business Process Flow Diagrams
▪ Test Plan Documents
▪ Risk Assessment templates
o Develop and implement standard Risk scoring:
▪ Business criticality – availability of business service
▪ Data Classification – confidentiality / integrity
▪ Impact on other systems – dependency factor
▪ Quantitative assessment – lost revenue
▪ Number of users affected
▪ Reputational consequences
o Develop and implement standard Risk Assessment reporting & Dashboards
▪ Risk Assessment Reports – Executive & Detailed
▪ Dashboards – Measures / Metrics / KPI / KRI
o Develop and implement tracking of identified risk and remediation
o Develop and implement standard remediation recommendation reporting
▪ Develop workflow to create remediation plans
▪ Develop and implement prioritization recommendations for remediation
▪ Standardize the process for risk scoring and remediation recommendation
▪ Develop the ability to parse out and report by portfolio, agency, bureau and business unit
o Monitor and Evaluate the TRIMS data set to propose modifications to the Risk Governance Process and to prepare and present data in a way to support and enhance the Information Security program in ITS and the state as a whole.
• In addition, the Incumbent will:
o Maintain an adequate level of understanding as to the capabilities of scripting and programming that may assist with the automation of Risk Assessment and Tracking.
o Manage staff and resources dedicated to the unit.
o Monitor progress and manage workload assignments.
o Develop written standard operating procedures and related processes.
o Establish workflows to enhance productivity of the unit
o Perform additional programming and scripting required for unit activities and supervise related tasks for subordinate team members.
o Provide training and guidance, and act as a mentor to subordinate team members.
o Develop and deliver presentations regarding cyber security threats and response and remediation efforts.
o Supervise subordinate team members performing the full range of administrative responsibilities, including performance evaluations, time sheet approval, etc.
o Characterize and analyze systems and their design and functionality to maintain an understanding of various NYS agency businesses
o Create standard operating procedures (SOPs), user guides, and other documentation to support a process-based approach to team operation
o Participate in development of metrics to measure the effectiveness of the team and program
o Maintain an adequate level of current knowledge and proficiency in general information security through annual Continuing Professional Education (CPE) credits directly related to information security
o Perform additional duties as required.
Bachelor's degree* with at least 15 credit hours in cyber security, information assurance, or information technology; and three years of information technology experience, including two years of information security or information assurance experience**.
*Substitution: bachelor's degree candidates without at least 15 course credits in cyber security, information assurance, or information technology require an additional year of general information technology experience to qualify. Appropriate information security or information assurance experience may substitute for the bachelor's degree on a year-for-year basis; an associate's degree requires an additional two years of general information technology experience.
**Experience solely in information security or information assurance may substitute for the general information technology experience.
• Bachelor's Degree with a concentration or major in Information Security, Cyber Security, Digital Forensics, Information Assurance, Information Technology, or a related field.
• 2+ years' experience in technical writing
• 1+ years' experience in the following:
o business intelligence, data analysis, data modeling, data visualization, and data presentation.
o developing metrics and key performance indicators
• Possess a working knowledge of:
o Information Security (CIA triad, Information Classification, Risk Management, Incident Response, Vulnerability Management, Security Architecture & Engineering)
o Information Security Frameworks (NIST Cyber Security Framework, CIS Controls, ISO 27000 series)
• Excellent oral and written communication skills including the ability to clearly articulate information technology and information security concepts to a varied audience to facilitate wide understanding.
• Demonstrated critical thinking, problem solving and analytical skills.
• Demonstrated skill in facilitating meetings, listening, and negotiating between multiple stakeholders to drive results.
• Prior expertise and understanding of the ServiceNow ITSM tool and Service Delivery fundamentals
• Prior expertise and development experience in the RSA Archer toolset and methodologies