Logo

Information Security and Compliance Officer (#MADZ27)
$66,489.00 Yearly Min / $83,111.00 Yearly Mid / $99,733.00 Yearly Max




Summary Statement

This class is responsible for optimizing and maintaining operational Information Technology (IT) security for an information security/risk management policy program for one or more state agencies to ensure information systems, IT security policies, standards and procedures are established and followed in compliance with department, state and federal mandates for properly securing electronic information. 

Nature and Scope

 Under the direction of an administrative supervisor, a class incumbent is responsible for developing, implementing, and enforcing information IT security policies, standards, best practices and procedures to keep departmental systems and data secure. Work includes conducting IT security assessments and developing IT security measures to safeguard information against accidental or unauthorized violations and disclosures.  A class incumbent is responsible for evaluating IT security solutions to confirm the proposed product will meet state and federal IT security requirements for the processing and storage of sensitive information.  A significant aspect of the work includes providing technical expertise to management in ensuring overall IT security policy program objectives are executed consistent with program expectations and support all business and regulatory requirements.  Some agency systems may require compliance with various regulating authorities such as the Health Insurance Portability and Accountability Act (HIPAA), Social Security Administration (SSA), Internal Revenue Service (IRS) and/or other regulations, and the storage and transmission of electronic Protected Health Information (ePHI) and/or Federal Tax Information (FTI).   Via IT security policy development, technical expertise, and familiarity with compliance requirements, a major responsibility of this role is to ensure the integrity of data and systems relating to access, storage, and transmission of data both within internal systems and to external systems. In addition, this role participates in all information security audits, investigations and incident management in response to perceived threats and attempted and successful IT security breaches by staff, hackers and malicious or misdirected software. Contacts include department management, staff, Department of Technology and Information (DTI), business leaders, contractual staff and others to provide expert IT security policy assistance and coordinate IT security activities department wide.

Essential Functions

Essential functions are fundamental, core functions common to all positions in the class series and are not intended to be an exhaustive list of all job duties for any one position in the class.  Since class specifications are descriptive and not restrictive, incumbents can complete job duties of similar kind not specifically listed here.
  • Develops, implements, and enforces information security policies, standards, best practices and procedures for complex systems and data including that which requires compliance with federal and state regulations department-wide. 
  • Conducts IT security risk assessments and gap analysis on systems and operational requirements to evaluate effectiveness and identify vulnerabilities and non-compliance.
  • Makes recommendations on corrective action to IT security requirements and system designs to resolve issues; evaluates IT security solutions to confirm they meet department, state and federal IT security requirements for processing confidential and sensitive information. 
  • Develops IT security policies and procedures for reviewing and approving new requirements and specifications for procurement of major systems.
  • Develops and updates systems IT security plans and reports such as but not limited to the Corrective Action Plan (CAP), System Security Plans (SSP), Safeguards Procedures Report (SPR) and/or the Safeguard Security Report (SSR).
  • Performs IT security and internal control reviews on sensitive systems and develops unique security tools and techniques for assessment of complex/non-standard systems and operational requirements.
  • Completes IT security authorization packages for systems users to include security plans, assessment reports and a continuous monitoring plan/assessment schedule.
  • Assists department staff on IT security policy and conducts IT security related training.
  • Ensures compliance of department IT security operations with external entities such as but not limited to, the Center for Medicare and Medicaid Services, Internal Revenue Service (IRS), Payment Card Industry Data Security Standards (PCIDSS), Social Security Administration (SSA), State of Delaware Information Security Policy (DISP), and Delaware State Personally Identifiable Information (PII) data security requirements.  Prepares policies and procedures to ensure the secure transmission of State data to external entities.
  • Prepares and coordinates IT security audits, investigations and incident management. 
  • Supports a 24x7 operational environment.  The operating environment will require extended hours, including engagement outside normal working hours.
  • May complete the Primary Information Security Officer (ISO) or Alternate Information Security Officer (ISO) duties, as outlined by DTI.
  • Ensures effective, stable and reliable information systems and business operations, while remaining in compliance with department, state and federal laws, rules and regulations, as well as the DTI defined strategic direction, including keeping all components of systems under vendor warranty, support/service plans, backup, Continuity of Operations Planning (COOP).
  • Performs other duties of equal or lower complexity as assigned.

Knowledge, Skills and Abilities

The intent of the listed knowledge, skills and abilities is to give a general indication of the core requirements for all positions in the class series; therefore, the KSA’s listed are not exhaustive or necessarily inclusive of the requirements of every position in the class.
  • Knowledge of concepts, processes, platforms, and best practices of department information technology systems and IT data security.
  • Knowledge of information technology systems areas that interface with IT security platforms and processes.
  • Knowledge of department, state and federal mandates as they apply to the storage and transmission of electronic information.
  • Skill in evaluating IT security solutions to meet state IT security requirements for processing and storing sensitive information.
  • Skill in conducting IT security risk assessments and gap analysis on systems and operational requirements.
  • Skill in identifying and articulating appropriate IT security measures and issues as they relate to department information technology systems and data.
  • Ability to create, interpret and maintain IT security policies.
  • Ability to work with conceptual IT security structures, outlines, and models.
  • Ability to understand and interpret federal and state IT security requirements and the impact of IT security requirements on component systems and department mission.
  • Ability to communicate effectively orally and in writing.
  • Ability to write clear, concise and informative reports
  • Ability to elicit information, evaluate findings and recommend corrective action.

Job Requirements

 JOB REQUIREMENTS for Information Security and Compliance Officer
Applicants must have education, training and/or experience demonstrating competence in each of the following areas:

  1. Three years' experience in developing, implementing, and enforcing Federal and State IT security policies, standards, best practices and procedures.
  2. Three years' experience in maintaining information security by conducting assessments/audits and analysis of information systems to identify security risks,  changes/upgrades, evaluating IT security measures along with performing internal security control reviews;  developing security reports; preparing corrective actions to audit and other findings; and recommending improvements to security solutions.

CLASS:
MADZ27
EST:
10/15/2013
REV: