State of Maryland
DoIT IT Program Auditor II (#004735)
- Hourly / - BiWeekly /
- Monthly / $102,426.00-$165,372.00 Yearly
Notify Me when a Job Opens for the above position(s)GRADE
CLASS ATTRIBUTES
NATURE OF WORK
Employees in this classification receive general supervision from an IT Program Auditor Manager or other higher level IT Director.
Position placement in this classification is determined by the Classification Job Evaluation Methodology. The use of this method involves comparing the assigned duties and responsibilities of a position to the job criteria found in the Nature of Work and Examples of Work sections of a classification specification.
The DoIT IT Program Auditor I and DoIT IT Program Auditor II are differentiated on the basis of the degree of supervisory control exercised by the supervisor over these employees. The DoIT IT Program Auditor I performs duties under close supervision at times and under general supervision at other times depending on the complexity of the specific duty being performed, and the DoIT IT Program Auditor II performs the full range of duties under general supervision.
EXAMPLES OF WORK
Provides ongoing optimization and problem-solving support;
Provides recommendations for possible improvements and upgrades;
Reviews or conducts audits of information technology (IT) programs and projects;
Evaluates the effectiveness of procurement function in addressing information security requirements and supply chain risks through procurement activities and recommend improvements;
Reviews service performance reports identifying any significant issues and variances, initiating, where necessary, corrective actions and ensuring that all outstanding issues are followed up;
Conducts import/export reviews for acquiring systems and software;
Ensures that supply chain, system, network, performance, and cybersecurity requirements are included in contract language and delivered;
Performs other related duties.
KNOWLEDGE, SKILLS AND ABILITIES
Knowledge of computer
networking concepts and protocols, and network security methodologies;
Knowledge of risk
management processes (e.g., methods for assessing and mitigating risk);
Knowledge of laws, regulations,
policies, and ethics as they relate to cybersecurity and privacy;
Knowledge of cybersecurity
and privacy principles;
Knowledge of cyber threats
and vulnerabilities;
Knowledge of specific
operational impacts of cybersecurity lapses;
Knowledge of
industry-standard and organizationally accepted analysis principles and
methods;
Knowledge of information
technology (IT) architectural concepts and frameworks;
Knowledge of Risk
Management Framework (RMF) requirements;
Knowledge of resource
management principles and techniques;
Knowledge of system life
cycle management principles, including software security and usability;
Knowledge of how
information needs and collection requirements are translated, tracked, and
prioritized across the extended enterprise; Knowledge of Supply Chain Risk
Management Practices (NIST SP 800-161);
Knowledge of import/export
control regulations and responsible agencies for the purposes of reducing
supply chain risk; Knowledge of supply chain risk management standards, processes,
and practices.
Knowledge of risk threat
assessment; Knowledge of information technology (IT) supply chain security and
supply chain risk management policies, requirements, and procedures; knowledge
of organizational process improvement concepts and process maturity models
(e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for
Services, and CMMI for Acquisitions); Knowledge of service management concepts
for networks and related standards (e.g., Information Technology Infrastructure
Library, current version [ITIL]);
Knowledge of how to
leverage research and development centers, think tanks, academic research, and
industry systems; Knowledge of information technology (IT)
acquisition/procurement requirements; Knowledge of the acquisition/procurement
life cycle process.
Skill in identifying
measures or indicators of system performance and the actions needed to improve
or correct performance, relative to the goals of the system; Skill in
conducting audits or reviews of technical systems;
Skill in translating
tracking, and prioritizing information needs and intelligence collection
requirements across the extended enterprise.
Ability to ensure security
practices are followed throughout the acquisition process.
MINIMUM QUALIFICATIONS
Experience: Nine years of experience in information assurance or in a role performing IT Audits or evaluating the effectiveness of security control design and operation.
Notes:
1. Candidates may substitute a bachelor’s degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field for up to four years of the required experience.
2. Candidates may substitute the “Education” requirement listed above, for a High School Diploma or possession of a High School Equivalency certificate and two additional years of experience as described above.
3. Candidates may substitute up to two years of the “Experience” requirement listed above for a graduate level degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university.
LICENSES, REGISTRATIONS AND CERTIFICATIONS
Must have a Cyber
Security Service Provider (CSSP) Auditor certification as described on the
Maryland
Department of
Information Technology website.
SPECIAL REQUIREMENTS
1. Employees in this classification may be subject to call-in 24
hours a day and, therefore, may be required to provide the employing agency
with a telephone number where the employee can be reached. Employees may be
furnished with a pager or cell phone.
2. Applicants for this classification may handle
sensitive data. This will require a full
scope background investigation prior to appointment. A criminal conviction may be grounds for
rejection of the applicant.
3. Employees
may occasionally be required to travel to field locations and must have access
to an automobile in the event a state vehicle cannot be provided. Standard
mileage allowance will be paid for use of a privately owned vehicle.
ACKNOWLEDGEMENTS
This is a Skilled Service classification in the State Personnel Management System. All positions in this classification are Skilled Service positions. Some positions in Skilled Service classifications may be designated Special Appointment in accordance with the State Personnel and Pensions Article, Section 6-405, Annotated Code of Maryland.
This classification is assigned to Bargaining Unit G, Engineering, Scientific and Administrative Professionals classes. As provided by the State Personnel and Pensions Article, Section 3-102, special appointment, temporary, contractual, supervisory, managerial and confidential employees are excluded from collective bargaining. Additionally, certain executive branch agencies are exempt from collective bargaining and all positions in those agencies are excluded from collective bargaining.
This classification is one level in a Non-Competitive Promotion (NCP) series. NCP promotions are promotions by which employees may advance in grade and class level from trainee to full performance level in a classification series. In order to be non-competitively promoted to the next level in a NCP series, an employee must: 1) perform the main purpose of the class, as defined by the Nature of Work section of the class specification; 2) receive the type of supervision defined in the class specification and 3) meet the minimum qualifications of the classification.
Date Established
July 1, 2021
Date Revised
Approved By
Director, Division of
Classification and Salary
CLASS: 004735; EST: 7/1/2021; REV: 6/3/2024;
