Salary: $102,426.00-$165,372.00 Yearly
MANAGEMENT SERVICE
BARGAINING UNIT: M
A Department of Information Technology (DoIT) Information Systems Security Manager is the managerial level of work in the Office of Security Management (OSM) and is tasked with the management of subprograms, evaluation and management of vendor performance and service level agreements (SLAs), development of security accreditation and authorization packages, and/or evaluation of vendor-supplied third-party audits. Positions in this classification supervise DoIT Information Systems Security Specialists.

Employees in this classification receive managerial supervision from a DoIT Executive Cyber Leadership Director or another higher-level IT Director.

Position placement in this classification is determined by the Classification Job Evaluation Methodology. The use of this method involves comparing the assigned duties and responsibilities of a position to the job criteria found in the Nature of Work and Examples of Work sections of a classification specification.

The DoIT Information Systems Security Manager differs from the DoIT Information Systems Security Specialist in that the DoIT Information Systems Security Specialist performs the full range of duties under general supervision, while the DoIT Information Systems Security Manager has supervisory responsibility for lower-level DoIT Information Systems Security Specialists.
Plans, coordinates, supervises, and evaluates the work of DoIT Information Systems Security Specialists and related support staff;
Acquires and manages the necessary resources, including leadership support, financial resources, and key security personnel, to support information technology (IT) security goals and objectives and reduce overall organizational risk;
Acquires necessary resources, including financial resources, to conduct an effective enterprise continuity of operations program;
Advises senior management (e.g., Chief Information Officer [CIO]) on risk levels and security posture;
Advises senior management (e.g., CIO) on cost/benefit analysis of information security programs, policies, processes, systems, and elements;
Advises appropriate senior leadership or the Authorizing Official of changes affecting the organization's cybersecurity posture;
Collects and maintains data needed to meet system cybersecurity reporting requirements;
Communicates the value of information technology (IT) security throughout all levels of the organization and to its stakeholders;
Collaborates with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance;
Ensures that security improvement actions are evaluated, validated, and implemented as required;
Ensures that cybersecurity inspections, tests, and reviews are coordinated for the network environment;
Ensures that cybersecurity requirements are integrated into the continuity planning for that system and/or organization(s);
Ensures that protection and detection capabilities are acquired or developed using the IS security engineering approach and are consistent with organization-level cybersecurity architecture;
Establishes the overall Enterprise Information Security Architecture (EISA) in line with the organization's overall security strategy;
Evaluates and approves development efforts to ensure that baseline security safeguards are appropriately installed;
Evaluates cost/benefit, economic, and risk analyses in the decision-making process;
Identifies alternative information security strategies to address organizational security objectives;
Identifies information technology (IT) security program implications of new technologies or technology upgrades;
Interfaces with external organizations (e.g., public affairs, law enforcement, Command or Component Inspector General) to ensure appropriate and accurate dissemination of incident and other Computer Network Defense information;
Interprets and/or approves security requirements relative to the capabilities of new information technologies;
Interprets patterns of noncompliance to determine their impact on levels of risk and/or the overall effectiveness of the enterprise's cybersecurity program;
Leads and aligns information technology (IT) security priorities with the security strategy;
Leads and oversees the information security budget, staffing, and contracting;
Manages the monitoring of information security data sources to maintain organizational situational awareness;
Manages the publishing of Computer Network Defense guidance (e.g., TCNOs, Concept of Operations, Net Analyst Reports, NTSM, MTOs) for the enterprise constituency;
Manages threat or target analysis of cyber defense information and production of threat information within the enterprise;
Monitors and evaluates the effectiveness of the enterprise's cybersecurity safeguards to ensure that they provide the intended level of protection;
Oversees the information security training and awareness program;
Participates in an information security risk assessment during the Security Assessment and Authorization process;
Participates in the development or modification of the computer environment cybersecurity program plans and requirements;
Prepares, distributes, and maintains plans, instructions, guidance, and standard operating procedures concerning the security of network system(s) operations;
Provides enterprise cybersecurity and supply chain risk management guidance for development of the Continuity of Operations Plans;
Provides leadership and direction to information technology (IT) personnel by ensuring that cybersecurity awareness, basics, literacy, and training are provided to operations personnel commensurate with their responsibilities;
Provides system-related input on cybersecurity requirements to be included in statements of work and other appropriate procurement documents;
Provides technical documents, incident reports, findings from computer examinations, summaries, and other situational awareness information to higher headquarters;
Recognizes a possible security violation and takes appropriate action to report the incident, as required;
Recommends resource allocations required to securely operate and maintain an organization's cybersecurity requirements;
Recommends policy and coordinates its review and approval;
Supervises or manages protective or corrective measures when a cybersecurity incident or vulnerability is discovered;
Tracks audit findings and recommendations to ensure that appropriate mitigation actions are taken;
Uses federal and organization-specific published documents to manage operations of their computing environment system(s);
Promotes awareness of security issues among management and ensures that sound security principles are reflected in the organization's vision and goals;
Oversees policy standards and implementation strategies to ensure that procedures and guidelines comply with cybersecurity policies;
Participates in the Risk Governance process to provide security risks, mitigations, and input on other technical risks;
Evaluates the effectiveness of the procurement function in addressing information security requirements and supply chain risks through procurement activities and recommends improvements;
Identifies security requirements specific to an information technology (IT) system in all phases of the system life cycle;
Ensures that plans of action and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.;
Assures successful implementation and functionality of security requirements and appropriate information technology (IT) policies and procedures that are consistent with the organization's mission and goals;
Supports necessary compliance activities (e.g., ensures that system security configuration guidelines are followed and that compliance monitoring occurs);
Participates in the acquisition process as necessary, following appropriate supply chain risk management practices;
Ensures that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals;
Continuously validates the organization against policies, guidelines, procedures, regulations, and laws to ensure compliance;
Forecasts ongoing service demands and ensures that security assumptions are reviewed as necessary;
Defines and/or implements policies and procedures to ensure protection of critical infrastructure as appropriate;
Performs other related duties.
Class Descriptions are broad descriptions covering groups of positions used by various State departments and agencies. Position descriptions maintained by the using department or agency specifically address the essential job functions of each position.

This is a Management Service classification in the State Personnel Management System. All positions in this classification are Management Service positions.

This classification is not assigned to a bargaining unit, as indicated by the designation of S (Supervisor), M (Manager), T (Agency Head), U (Board or Commission Member), W (Student), X (Used by Agency or Excluded by Executive Order), or Z (Confidential). As provided by State Personnel and Pensions Article, Section 3-102, special appointment, temporary, contractual, supervisory, managerial, and confidential employees are excluded from collective bargaining. Additionally, certain executive branch agencies are exempt from collective bargaining, and all positions in those agencies are excluded from collective bargaining.