State of Maryland

STD 0023

SKILLED SERVICE          BARGAINING UNIT: G

A Department of Information Technology (DoIT) Information Systems Security Specialist is the full performance level of work in the Office of Security Management (OSM) and is tasked with the management of subprograms, evaluation and management of vendor performance and service level agreements (SLAs), development of security accreditation and authorization packages, and/or evaluation of vendor supplied 3rd party audits. Positions in this classification do not supervise other positions.

Employees in this classification receive general supervision from a DoIT Information Systems Security Manager or another higher-level IT Director.

Position placement in this classification is determined by the Classification Job Evaluation Methodology. The use of this method involves comparing the assigned duties and responsibilities of a position to the job criteria found in the Nature of Work and Examples of Work sections of a classification specification.

The DoIT Information Systems Security Manager differs from the DoIT Information Systems Security Specialist in that the DoIT Information Systems Security Specialist performs the full range of duties under general supervision while the DoIT Information Systems Security Manager has supervisory responsibility for lower-level DoIT Information Systems Security Specialists.

Acquires and manages the necessary resources, including leadership support, financial resources, and key security personnel, to support information technology (IT) security goals and objectives and reduce overall organizational risk;

Acquires necessary resources, including financial resources, to conduct an effective enterprise continuity of operations program;

Advises senior management (e.g., Chief Information Officer [CIO]) on risk levels and security posture;

Advises senior management (e.g., CIO) on cost/benefit analysis of information security programs, policies, processes, systems, and elements;

Advises appropriate senior leadership or Authorizing Official of changes affecting the organization's cybersecurity posture;

Collects and maintains data needed to meet system cybersecurity reporting;

Communicates the value of information technology (IT) security throughout all levels of the organization stakeholders;

Collaborates with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance;

Ensures that security improvement actions are evaluated, validated, and implemented as required;

Ensures that cybersecurity inspections, tests, and reviews are coordinated for the network environment;

Ensures that cybersecurity requirements are integrated into the continuity planning for that system and/or organization(s);

Ensures that protection and detection capabilities are acquired or developed using the IS security engineering approach and are consistent with organization-level cybersecurity architecture;

Establishes overall Enterprise Information Security Architecture (EISA) with the organization's overall security strategy;

Evaluates and approves development efforts to ensure that baseline security safeguards are appropriately installed;

Evaluates cost/benefit, economic, and risk analysis in decision-making process;

Identifies alternative information security strategies to address organizational security objective;

Identifies information technology (IT) security program implications of new technologies or technology upgrades;

Interfaces with external organizations (e.g., public affairs, law enforcement, Command or Component Inspector General) to ensure appropriate and accurate dissemination of incident and other Computer Network Defense information;

Interprets and/or approves security requirements relative to the capabilities of new information technologies;

Interprets patterns of noncompliance to determine their impact on levels of risk and/or overall effectiveness of the enterprise's cybersecurity program;

Leads and aligns information technology (IT) security priorities with the security strategy;

Leads and oversees information security budget, staffing, and contracting;

Manages the monitoring of information security data sources to maintain organizational situational awareness;

Manages the publishing of Computer Network Defense guidance (e.g., TCNOs, Concept of Operations, Net Analyst Reports, NTSM, MTOs) for the enterprise constituency;

Manages threat or target analysis of cyber defense information and production of threat information within the enterprise;

Monitors and evaluates the effectiveness of the enterprise's cybersecurity safeguards to ensure that they provide the intended level of protection;

Oversees the information security training and awareness program;

Participates in an information security risk assessment during the Security Assessment and Authorization process;

Participates in the development or modification of the computer environment cybersecurity program plans and requirements;

Prepares, distributes, and maintains plans, instructions, guidance, and standard operating procedures concerning the security of network system(s) operations;

Provides enterprise cybersecurity and supply chain risk management guidance for development of the Continuity of Operations Plans;

Provides leadership and direction to information technology (IT) personnel by ensuring that cybersecurity awareness, basics, literacy, and training are provided to operations personnel commensurate with their responsibilities;

Provides system-related input on cybersecurity requirements to be included in statements of work and other appropriate procurement documents;

Provides technical documents, incident reports, findings from computer examinations, summaries, and other situational awareness information to higher headquarters;

Recognizes a possible security violation and take appropriate action to report the incident, as required;

Recommends resource allocations required to securely operate and maintain an organization's cybersecurity requirements;

Recommends policy and coordinate review and approval;

Supervises or manages protective or corrective measures when a cybersecurity incident or vulnerability is discovered;

Tracks audit findings and recommendations to ensure that appropriate mitigation actions are taken;

Uses federal and organization-specific published documents to manage operations of their computing environment system(s);

Promotes awareness of security issues among management and ensure sound security principles are reflected in the organization's vision and goals;

Oversees policy standards and implementation strategies to ensure procedures and guidelines comply with cybersecurity policies;

Participates in Risk Governance process to provide security risks, mitigations, and input on other technical risk;

Evaluates the effectiveness of procurement function in addressing information security requirements and supply chain risks through procurement activities and recommend improvements;

Identifies security requirements specific to an information technology (IT) system in all phases of the system life cycle;

Ensures that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.;

Assures successful implementation and functionality of security requirements and appropriate information technology (IT) policies and procedures that are consistent with the organization's mission and goals;

Supports necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs);

Participates in the acquisition process as necessary, following appropriate supply chain risk management practices;

Ensures that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals;

Continuously validates the organization against policies/guidelines/procedures/regulations/laws to ensure compliance;

Forecasts ongoing service demands and ensure that security assumptions are reviewed as necessary;

Defines and/or implements policies and procedures to ensure protection of critical infrastructure as appropriate;

Performs other related duties.

Knowledge of computer networking concepts and protocols, and network security methodologies; Knowledge of risk management processes (e.g., methods for assessing and mitigating risk); Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy;  Knowledge of cybersecurity and privacy principles; Knowledge of cyber threats and vulnerabilities; Knowledge of specific operational impacts of cybersecurity lapses; Knowledge of applicable business processes and operations of customer organizations; Knowledge of encryption algorithms K0021 Knowledge of data backup and recovery; Knowledge of business continuity and disaster recovery continuity of operations plans; Knowledge of host/network access control mechanisms (e.g., access control list, capabilities lists); Knowledge of cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data; Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins); Knowledge of incident response and handling methodologies; Knowledge of industry-standard and organizationally accepted analysis principles and methods; Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions; Knowledge of Risk Management Framework (RMF) requirements; Knowledge of measures or indicators of system performance and availability; Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities; Knowledge of network traffic analysis methods; Knowledge of new and emerging information technology (IT) and cybersecurity technologies; Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]); Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code); Knowledge of resource management principles and techniques; Knowledge of server administration and systems engineering theories, concepts, and methods; Knowledge of server and client operating systems; Knowledge of system software and organizational design standards, policies, and authorized approaches (e.g., International Organization for Standardization [ISO] guidelines) relating to system design; Knowledge of system life cycle management principles, including software security and usability; Knowledge of technology integration processes; Knowledge of the organization’s enterprise information technology (IT) goals and objectives; Knowledge of what constitutes a network attack and a network attack’s relationship to both threats and vulnerabilities; Knowledge of information security program management and project management principles and techniques; Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161); Knowledge of organization's risk tolerance and/or risk management approach; Knowledge of enterprise incident response program, roles, and responsibilities; Knowledge of current and emerging threats/threat vectors; Knowledge of critical information technology (IT) procurement requirements; Knowledge of system administration, network, and operating system hardening techniques; Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures; Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures; Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations; Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth); Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools; Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]); Knowledge of Personally Identifiable Information (PII) data security standards; Knowledge of Payment Card Industry (PCI) data security standards; Knowledge of Personal Health Information (PHI) data security standards; Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures; Knowledge of an organization's information classification program and procedures for information compromise; Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services; Knowledge of penetration testing principles, tools, and techniques; Knowledge of controls related to the use, processing, storage, and transmission of data; Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list);

Skill in creating policies that reflect system security objectives; Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes; Skill in evaluating the trustworthiness of the supplier and/or product;

Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies; Ability to integrate information security requirements into the acquisition process; using applicable baseline security controls as one of the sources for security requirements; ensuring a robust software quality control process; and establishing multiple sources (e.g., delivery routes, for critical system elements); Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.

Experience:  Nine years experience working on security/networks/systems operations, and directly involved with operations management, policy development, system procurement activities, leadership, and information assurance management.

Notes:

1. Candidates may substitute a Bachelor's degree in information security, computer science, electrical systems, cybersecurity, or related field from an accredited university for up to four years of the required experience.

2. Candidates may substitute the “Education” requirement listed above, for a High School Diploma or possession of a High School Equivalency certificate and two additional years of experience as described above.

3. Candidates may substitute up to two years of the “Experience” requirement listed above for a graduate level degree in computer science, electrical systems, cybersecurity or related field from an accredited college or university.

Must have an Information Assurance Management (IAM) level 2 or higher certification as described on the Maryland Department of Information Technology website.

1. Employees in this classification may be subject to call-in 24 hours a day and, therefore, may be required to provide the employing agency with a telephone number where the employee can be reached. Employees may be furnished with a pager or cell phone.

2. Applicants for this classification may handle sensitive data.  This will require a full scope background investigation prior to appointment.  A criminal conviction may be grounds for rejection of the applicant.

3.  Employees may occasionally be required to travel to field locations and must have access to an automobile in the event a state vehicle cannot be provided. Standard mileage allowance will be paid for use of a privately owned vehicle.

Class specifications are broad descriptions covering groups of positions used by various State departments and agencies. Position descriptions maintained by the using department or agency specifically address the essential job functions of each position.

This is a Skilled Service classification in the State Personnel Management System. All positions in this classification are Skilled Service positions. Some positions in Skilled Service classifications may be designated Special Appointment in accordance with the State Personnel and Pensions Article, Section 6-405, Annotated Code of Maryland.

This classification is assigned to Bargaining Unit G, Engineering, Scientific and Administrative Professionals classes. As provided by the State Personnel and Pensions Article, Section 3-102, special appointment, temporary, contractual, supervisory, managerial and confidential employees are excluded from collective bargaining. Additionally, certain executive branch agencies are exempt from collective bargaining and all positions in those agencies are excluded from collective bargaining.

July 1, 2021

June 3, 2024

Director, Division of Classification and Salary