State of Maryland

SKILLED SERVICE          BARGAINING UNIT: G

A DoIT Cyber Defense Incident Responder Lead/Advanced is the advanced or lead level of work in the Office of Security Management (OSM).  Responsibilities include the handling of escalated security incidents and supporting the investigation and remediation of these events, the proactive threat hunting, capability development, and operational continuous improvement. At the Lead level, employees in this classification assign, review, and approve the work and train lower-level DoIT Cyber Defense Incident Responders. At the Advanced level, employees in this classification either assign, review, approve the work, and train lower-level DoIT Cyber Defense Incident Responders or serve as a project lead or address the most complex tasks and escalated issues prior to engaging a Cyber Defense Incident Responder Manager. Employees in this classification do not supervise lower-level positions.

Employees in this classification receive general supervision from a DoIT Cyber Defense Incident Responder Manager or an Executive Cyber Leadership Director. 

Position placement in this classification is determined by the Classification Job Evaluation Methodology. The use of this method involves comparing the assigned duties and responsibilities of a position to the job criteria found in the Nature of Work and Examples of Work sections of a classification specification.

DoIT Cyber Defense Incident Responder I and the DoIT Cyber Defense Incident Responder II are differentiated on the basis of the degree of supervisory control exercised by the manager over these employees. The DoIT Cyber Defense Incident Responder I performs these duties under moderate supervision. The DoIT Cyber Defense Incident Responder II performs the full range of duties under general supervision. The DoIT Cyber Defense Incident Responder II differs from the DoIT Cyber Defense Incident Responder Ld/Adv in that the DoIT Cyber Defense Incident Responder Ld/Adv serves as a project lead or addresses the most complex tasks and escalated issues prior to engaging the Cyber Defense Incident Responder Manager or higher-level IT director or they may lead lower-level DoIT Cyber Defense Incident Responder Analysts.

When functioning at the Lead Level:

Assigns, reviews, and approves the work of DoIT Cyber Defense Incident Responders;

Trains DoIT Cyber Defense Incident Responders.

When functioning at the Advanced Level:

Serves as project lead or technical expert in identifying and resolving incidents and vulnerabilities. Recommends defense techniques and guidance to state agencies and law enforcement.

When functioning at All Levels:

Coordinates and provides expert technical support to enterprise-wide cyber defense technicians to resolve cyber defense incidents;

Correlates incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation;

Performs analysis of log files from a variety of sources (e.g., individual host logs, network traffic logs, firewall logs, and intrusion detection system [IDS] logs) to identify possible threats to network security;

Performs cyber defense incident triage, to include determining scope, urgency, and potential impact, identifying the specific vulnerability, and making recommendations that enable expeditious remediation;

Performs cyber defense trend analysis and reporting;

Performs initial, forensically sound collection of images and inspect to discern possible mitigation/remediation on enterprise systems;

Performs real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs);

Receives and analyzes network alerts from various sources within the enterprise and determine possible causes of such alerts;

Tracks and documents cyber defense incidents from initial detection through final resolution;

Writes and publishes cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies;

Employs approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, security robustness);

Collects intrusion artifacts (e.g., source code, malware, Trojans) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise;

Serves as technical expert and liaison to law enforcement personnel and explain incident details as required;

Coordinates with intelligence analysts to correlate threat assessment data;

Writes and publishes after action reviews;

Monitors external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise;

Coordinates incident response functions;

Performs other related duties.

Knowledge of computer networking concepts and protocols, and network security methodologies;

Knowledge of risk management processes (e.g., methods for assessing and mitigating risk);

Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy;

Knowledge of cybersecurity and privacy principles;

Knowledge of cyber threats and vulnerabilities;

Knowledge of specific operational impacts of cybersecurity lapses;

Knowledge of data backup and recovery;

Knowledge of business continuity and disaster recovery continuity of operations plans;

Knowledge of host/network access control mechanisms (e.g., access control list, capabilities);

Knowledge of network services and protocols interactions that provide network communications;

Knowledge of incident categories, incident responses, and timelines for responses;

Knowledge of incident response and handling methodologies;

Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions;

Knowledge of network traffic analysis methods;

Knowledge of packet-level analysis;

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code);

Knowledge of what constitutes a network attack and a network attack’s relationship to both threats and vulnerabilities;

Knowledge of cyber defense and information security policies, procedures, and regulations;

Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks);

Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored);

Knowledge of system administration, network, and operating system hardening techniques;

Knowledge of cyber-attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks);

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth);

Knowledge of OSI model and underlying network protocols (e.g., TCP/IP);

Knowledge of cloud service models and how those models can limit incident response;

Knowledge of malware analysis concepts and methodologies;

Knowledge of an organization's information classification program and procedures for information compromise;

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. K0565 Knowledge of the common networking and routing protocols (e.g., TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications;

Knowledge of Application Security Risks (e.g., Open Web Application Security Project Top 10 list);

Skill in identifying, capturing, containing, and reporting malware;

Skill in preserving evidence integrity according to standard operating procedures or national standards;

Skill in securing network communications;

Skill in recognizing and categorizing types of vulnerabilities and associated attacks;

Skill in protecting a network against malware. (e.g., NIPS, anti-malware, restrict/prevent external devices, spam filters);

Skill in performing damage assessments;

Skill in using security event correlation tools;

Skill in designing incident response for cloud service models;

Ability to design incident response for cloud service models;

Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies.

Education: A graduate degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field.

Experience:  Six years of experience in malware analysis, digital forensics, data/network analysis, penetration testing, information assurance, trends analysis, quality control analysis, and information assurance vulnerability management.

Notes:

1. Candidates may substitute the “Education” requirement listed above, for a High School Diploma or possession of a High School Equivalency certificate and four additional years of experience as described above.

2. Candidates may substitute up to two years of the “Experience” requirement listed above for a Ph.D. level degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university.

Must have a Cyber Security Service Provider (CSSP) Incident Responder certification and an Information Assurance Management (IAM) Level III certification as described on the Maryland Department of Information Technology website.

1. Employees in this classification may be subject to call-in 24 hours a day and, therefore, may be required to provide the employing agency with a telephone number where the employee can be reached. Employees may be furnished with a pager or cell phone.

2. Applicants for this classification may handle sensitive data.  This will require a full scope background investigation prior to appointment.  A criminal conviction may be grounds for rejection of the applicant.

3.  Employees may occasionally be required to travel to field locations and must have access to an automobile in the event a state vehicle cannot be provided. Standard mileage allowance will be paid for use of a privately owned vehicle.

Class Descriptions are broad descriptions covering groups of positions used by various State departments and agencies.  Position descriptions maintained by the using department or agency specifically address the essential job functions of each position. 

This is a Skilled Service classification in the State Personnel Management System. All positions in this classification are Skilled Service positions. Some positions in Skilled Service classifications may be designated Special Appointment in accordance with the State Personnel and Pensions Article, Section 6-405, Annotated Code of Maryland.

This classification is assigned to Bargaining Unit G, Engineering, Scientific and Administrative Professionals classes. As provided by the State Personnel and Pensions Article, Section 3-102, special appointment, temporary, contractual, supervisory, managerial and confidential employees are excluded from collective bargaining. Additionally, certain executive branch agencies are exempt from collective bargaining and all positions in those agencies are excluded from collective bargaining.

July 1, 2021

Director, Division of Classification and Salary