- Hourly / - BiWeekly /
- Monthly / $102,426.00-$165,372.00 Yearly
SKILLED
SERVICE BARGAINING UNIT:
G NCP
A
Department of Information Technology (DoIT) Security Control Assessor II is the
full performance level of work in the Office of Security Management (OSM)
tasked evaluating the effective design and operation of security controls in
the environment. This position may require work outside of regular business
hours, and work in an on-call capacity. Positions
in this classification do not supervise other positions.
Employees
in this classification receive general supervision from an Executive Cyber
Leadership Director or other higher level IT manager or director.
Position
placement in this classification is determined by the Classification Job
Evaluation Methodology. The use of this method involves comparing the assigned
duties and responsibilities of a position to the job criteria found in the
Nature of Work and Examples of Work sections of a classification specification.
The
DoIT Security Control Assessor I and DoIT Security Control Assessor II are
differentiated on the basis of degree of supervisory control exercised by the
supervisor over these employees. The DoIT Security Control Assessor I performs
duties under close supervision at times and under general supervision at other
times depending on the complexity of the specific duty being performed, and the
DoIT Security Control Assessor II performs the full range of duties under
general supervision. The DoIT Security Control Assessor II differs from the
DoIT Security Control Assessor Ld/Adv in that the DoIT Security Control
Assessor Ld/Adv handles cases of a more complex nature or leads lower-level
DoIT Security Control Assessors.
Performs
security reviews, identifies gaps in security architecture, and develops a
security risk management plan;
Performs
security reviews and identifies security gaps in security architecture
resulting in recommendations for inclusion in the risk mitigation strategy;
Performs
risk analysis (e.g., threat, vulnerability, and probability of occurrence)
whenever an application or system undergoes a major change;
Plans
and conducts security authorization reviews and assurance case development for
initial installation of systems and networks;
Provides
input to the Risk Management Framework process activities and related
documentation (e.g., system life-cycle support plans, concept of operations,
operational procedures, and maintenance training materials);
Reviews
authorization and assurance documents to confirm that the level of risk is
within acceptable limits for each software application, system, and network;
Verifies
and updates security documentation reflecting the application/system security
design features;
Verifies
that application software/network/system security postures are implemented as
stated, document deviations, and recommend required actions to correct those
deviations;
Develops
security compliance processes and/or audits for external services (e.g., cloud
service providers, data centers);
Participates
in Risk Governance process to provide security risks, mitigations, and input on
other technical risk;
Ensures
that plans of actions and milestones or remediation plans are in place for
vulnerabilities identified during risk assessments, audits, inspections, etc;
Assures
successful implementation and functionality of security requirements and appropriate
information technology (IT) policies and procedures that are consistent with
the organization's mission and goals;
Defines
and documents how the implementation of a new system or new interfaces between
systems impacts the security posture of the current environment;
Ensures
that security design and cybersecurity development activities are properly
documented (providing a functional description of security implementation) and
updated as necessary;
Supports
necessary compliance activities (e.g., ensure that system security
configuration guidelines are followed, compliance monitoring occurs);
Ensures
that all acquisitions, procurements, and outsourcing efforts address
information security requirements consistent with organization goals;
Assesses
the effectiveness of security controls;
Assesses
all the configuration management (change configuration/release management)
processes;
Establishes
acceptable limits for the software application, network, or system;
Manages
Accreditation Packages (e.g., ISO/IEC 15026-2);
Performs
other related duties.
Knowledge
of computer networking concepts and protocols, and network security
methodologies; Knowledge of risk management processes (e.g., methods for
assessing and mitigating risk); Knowledge of laws, regulations, policies, and
ethics as they relate to cybersecurity and privacy; Knowledge of cybersecurity
and privacy principles; Knowledge of cyber threats and vulnerabilities; Knowledge
of specific operational impacts of cybersecurity lapses; Knowledge of
authentication, authorization, and access control methods; Knowledge of
applicable business processes and operations of customer organizations; Knowledge
of application vulnerabilities; Knowledge of communication methods, principles,
and concepts that support the network infrastructure; Knowledge of capabilities
and applications of network equipment including routers, switches, bridges,
servers, transmission media, and related hardware; Knowledge of cyber defense
and vulnerability assessment tools and their capabilities; Knowledge of
encryption algorithms; Knowledge of cryptography and cryptographic key
management concepts; Knowledge of data backup and recovery; Knowledge of
database systems; Knowledge of business continuity and disaster recovery
continuity of operations plans; Knowledge of organization's enterprise
information security architecture; Knowledge of organization's evaluation and
validation requirements; Knowledge of organization's Local and Wide Area
Network connections; Knowledge of Security Assessment and Authorization process;
Knowledge of cybersecurity and privacy principles used to manage risks related
to the use, processing, storage, and transmission of information or data; Knowledge
of vulnerability information dissemination sources (e.g., alerts, advisories,
errata, and bulletins); Knowledge of cybersecurity and privacy principles and
organizational requirements (relevant to confidentiality, integrity,
availability, authentication, non-repudiation); Knowledge of Risk Management
Framework (RMF) requirements; Knowledge of information technology (IT) security
principles and methods (e.g., firewalls, demilitarized zones, encryption); Knowledge
of current industry methods for evaluating, implementing, and disseminating
information technology (IT) security assessment, monitoring, detection, and
remediation tools and procedures utilizing standards-based concepts and
capabilities; Knowledge of network access, identity, and access management
(e.g., public key infrastructure, Oauth, OpenID, SAML, SPML); Knowledge of new
and emerging information technology (IT) and cybersecurity technologies; Knowledge
of system and application security threats and vulnerabilities (e.g., buffer
overflow, mobile code, cross-site scripting, Procedural Language/Structured
Query Language [PL/SQL] and injections, race conditions, covert channel,
replay, return-oriented attacks, malicious code); Knowledge of structured
analysis principles and methods; Knowledge of systems diagnostic tools and
fault identification techniques; Knowledge of the cyber defense Service
Provider reporting structure and processes within one’s own organization; Knowledge
of the enterprise information technology (IT) architecture; Knowledge of the
organization’s enterprise information technology (IT) goals and objectives; Knowledge
of Supply Chain Risk Management Practices (NIST SP 800-161); Knowledge of the
organization's core business/mission processes; Knowledge of applicable laws,
statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential
Directives, executive branch guidelines, and/or administrative/criminal legal
guidelines and procedures; Knowledge of information technology (IT) supply
chain security and supply chain risk management policies, requirements, and
procedures; Knowledge of critical infrastructure systems with information
communication technology that were designed without system security
considerations; Knowledge of network security architecture concepts including
topology, protocols, components, and principles (e.g., application of
defense-in-depth); Knowledge of security architecture concepts and enterprise
architecture reference models (e.g., Zachman, Federal Enterprise Architecture
[FEA]); Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity
model, Clark-Wilson integrity model); Knowledge of Personally Identifiable
Information (PII) data security standards; Knowledge of Payment Card Industry
(PCI) data security standards; Knowledge of Personal Health Information (PHI)
data security standards; Knowledge of laws, policies, procedures, or governance
relevant to cybersecurity for critical infrastructures; Knowledge of an
organization's information classification program and procedures for
information compromise; Knowledge of embedded systems; Knowledge of penetration
testing principles, tools, and techniques; Knowledge of controls related to the
use, processing, storage, and transmission of data; Knowledge of Application
Security Risks (e.g. Open Web Application Security Project Top 10 list).
Skill
in conducting vulnerability scans and recognizing vulnerabilities in security
systems; Skill in applying confidentiality, integrity, and availability
principles; Skill in determining how a security system should work (including
its resilience and dependability capabilities) and how changes in conditions,
operations, or the environment will affect these outcomes; Skill in discerning
the protection needs (i.e., security controls) of information systems and
networks; Skill in identifying measures or indicators of system performance and
the actions needed to improve or correct performance, relative to the goals of
the system; Skill in using virtual machines. (e.g., Microsoft Hyper-V, VMWare
vSphere, Citrix XenDesktop/Server, Amazon Elastic Compute Cloud, etc.); Skill
in recognizing and categorizing types of vulnerabilities and associated attacks;
Skill in applying security controls; Skill in utilizing or developing learning
activities (e.g., scenarios, instructional games, interactive exercises); Skill
in identifying Test & Evaluation infrastructure (people, ranges, tools,
instrumentation) requirements; Skill in interfacing with customers; Skill in
managing test assets, test resources, and test personnel to ensure effective
completion of test events; Skill in preparing Test & Evaluation reports; Skill
in reviewing logs to identify evidence of past intrusions; Skill in
troubleshooting and diagnosing cyber defense infrastructure anomalies and work
through resolution; Skill in using manpower and personnel IT systems; Skill in
conducting reviews of systems; Skill in secure test plan design (e. g. unit,
integration, system, acceptance); Skill in network systems management
principles, models, methods (e.g., end-to-end systems performance monitoring),
and tools; Skill in conducting application vulnerability assessments; Skill in
using Public-Key Infrastructure (PKI) encryption and digital signature
capabilities into applications (e.g., S/MIME email, SSL traffic); Skill in
assessing security systems designs; Skill in integrating and applying policies
that meet system security objectives; Skill in assessing security controls
based on cybersecurity principles and tenets. (e.g., CIS CSC, NIST SP 800-53,
Cybersecurity Framework, etc.); Skill in performing impact/risk assessments; Skill
in applying secure coding techniques; Skill in using security event correlation
tools; Skill in using code analysis tools; Skill in performing root cause
analysis; Skill in administrative planning activities, to include preparation
of functional and specific support plans, preparing and managing
correspondence, and staffing procedures; Skill in analyzing a target's
communication networks; Skill in analyzing traffic to identify network devices;
Skill in identifying intelligence gaps and limitations; Skill in identifying
language issues that may have an impact on organization objectives; Skill in
identifying leads for target development; Skill in identifying non-target
regional languages and dialects; Skill in identifying the devices that work at
each level of protocol models; Skill in identifying, locating, and tracking
targets via geospatial analysis techniques; Skill in information prioritization
as it relates to operations; Skill in interpreting compiled and interpretive programming
languages; Skill in interpreting metadata and content as applied by collection
systems; Skill in interpreting traceroute results, as they apply to network
analysis and reconstruction; Skill in interpreting vulnerability scanner
results to identify vulnerabilities; Skill in knowledge management, including
technical documentation techniques (e.g., Wiki page); Skill in managing client
relationships, including determining client needs/requirements, managing client
expectations, and demonstrating commitment to delivering quality results; Skill
in performing target system analysis; Skill in preparing and presenting
briefings; Skill in preparing plans and related correspondence; Skill in
prioritizing target language material; Skill in processing collected data for
follow-on analysis; Skill in providing analysis to aid writing phased after
action reports; Skill in reviewing and editing assessment products; Skill in
reviewing and editing plans; Skill in tailoring analysis to the necessary
levels (e.g., classification and organizational); Skill in target development
in direct support of collection operations; Skill in target network anomaly
identification (e.g., intrusions, dataflow or processing, target implementation
of new technologies); Skill in technical writing; Skill in utilizing feedback
to improve processes, products, and services; Skill in accessing information on
current assets available, usage; Skill in accessing the databases where
plans/directives/guidance are maintained; Skill in analyzing strategic guidance
for issues requiring clarification and/or additional guidance; Skill in analyzing
target or threat sources of strength and morale; Skill in developing a
collection plan that clearly shows the discipline that can be used to collect
the information needed; Skill in evaluating requests for information to
determine if response information exists; Skill in extracting information from
available tools and applications associated with collection requirements and
collection operations management; Skill in applying cybersecurity and privacy
principles to organizational requirements (relevant to confidentiality,
integrity, availability, authentication, non-repudiation); Skill in using cyber
defense Service Provider reporting structure and processes within one’s own
organization; Skill in identifying cybersecurity and privacy issues that stem
from connections with internal and external customers and partner
organizations.
Ability
to identify systemic security issues based on the analysis of vulnerability and
configuration data; Ability to answer questions in a clear and concise manner; Ability
to ask clarifying questions; Ability to communicate complex information,
concepts, or ideas in a confident and well-organized manner through verbal, written,
and/or visual means; Ability to communicate effectively when writing; Ability
to conduct vulnerability scans and recognize vulnerabilities in security
systems; Ability to facilitate small group discussions; Ability to prepare and
present briefings; Ability to produce technical documentation; Ability to
design valid and reliable assessments; Ability to analyze test data; Ability to
collect, verify, and validate test data; Ability to dissect a problem and
examine the interrelationships between data that may appear unrelated; Ability
to identify basic common coding flaws at a high level; Ability to translate
data and test results into evaluative conclusions; Ability to ensure security
practices are followed throughout the acquisition process; Ability to apply
collaborative skills and strategies; Ability to apply critical reading/thinking
skills; Ability to effectively collaborate via virtual teams; Ability to
evaluate information for reliability, validity, and relevance; Ability to
evaluate, analyze, and synthesize large quantities of data (which may be
fragmented and contradictory) into high quality, fused targeting/intelligence
products; Ability to exercise judgment when policies are not well-defined; Ability
to expand network access by conducting target analysis and collection to
identify targets of interest; Ability to focus research efforts to meet the
customer’s decision-making needs; Ability to function effectively in a dynamic,
fast-paced environment; Ability to function in a collaborative environment,
seeking continuous consultation with other analysts and experts—both internal
and external to the organization—to leverage analytical and technical expertise;
Ability to identify external partners with common cyber operations interests; Ability
to identify intelligence gaps; Ability to identify/describe target
vulnerability; Ability to identify/describe techniques/methods for conducting
technical exploitation of the target; Ability to interpret and apply laws,
regulations, policies, and guidance relevant to organization cyber objectives; Ability
to interpret and translate customer requirements into operational action; Ability
to interpret and understand complex and rapidly evolving concepts; Ability to
participate as a member of planning teams, coordination groups, and task forces
as necessary; Ability to recognize and mitigate cognitive biases which may
affect analysis; Ability to think critically; Ability to understand objectives
and effects; Ability to utilize multiple intelligence sources across all intelligence
disciplines; Ability to work across departments and business units to implement
organization’s privacy principles and programs, and align privacy objectives
with security objectives; Ability to monitor advancements in information
privacy technologies to ensure organizational adaptation and compliance; Ability
to develop or procure curriculum that speaks to the topic at the appropriate
level for the target; Ability to work across departments and business units to
implement organization’s privacy principles and programs, and align privacy
objectives with security objectives; Ability to prioritize and allocate
cybersecurity resources correctly and efficiently; Ability to relate strategy,
business, and technology in the context of organizational dynamics; Ability to
understand technology, management, and leadership issues related to
organization processes and problem solving; Ability to understand the basic
concepts and issues related to cyber and its organizational impact; Ability to
apply cybersecurity and privacy principles to organizational requirements
(relevant to confidentiality, integrity, availability, authentication,
non-repudiation); Ability to identify critical infrastructure systems with
information communication technology that were designed without system security
considerations.
Experience: Nine years of experience performing IT audits or evaluating the effectiveness of security control design and operation. Managing and documenting security controls on servers, networks, security apparatus, or IoT/OT devices.
Notes:
1. Candidates may substitute a bachelor’s degree in information technology, information security, information systems design, communications, or related field for up to four years of the required experience.
2. Candidates may substitute the “Education” requirement listed above, for a High School Diploma or possession of a High School Equivalency certificate and two additional years of experience as described above.
3. Candidates may substitute up to two years of the “Experience” requirement listed above for a graduate level degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university.
Must have an Information Assurance Management (IAM) level
3 or higher certification as described on the Maryland Department of
Information Technology website.
1. Employees in this classification may be subject to call-in 24
hours a day and, therefore, may be required to provide the employing agency
with a telephone number where the employee can be reached. Employees may be
furnished with a pager or cell phone.
2. Applicants for this classification may handle
sensitive data. This will require a full
scope background investigation prior to appointment. A criminal conviction may be grounds for
rejection of the applicant.
3. Employees
may occasionally be required to travel to field locations and must have access
to an automobile in the event a state vehicle cannot be provided. Standard
mileage allowance will be paid for use of a privately owned vehicle.
Class
Descriptions are broad descriptions covering groups of positions used by
various State departments and agencies. Position descriptions maintained
by the using department or agency specifically address the essential job
functions of each position.
This is a Skilled Service
classification in the State Personnel Management System. All positions in this
classification are Skilled Service positions. Some positions in Skilled Service
classifications may be designated Special Appointment in accordance with the
State Personnel and Pensions Article, Section 6-405, Annotated Code of
Maryland.
This classification is assigned to Bargaining Unit G, Engineering, Scientific
and Administrative Professionals classes. As provided by the State Personnel
and Pensions Article, Section 3-102, special appointment, temporary,
contractual, supervisory, managerial and confidential employees are excluded
from collective bargaining. Additionally, certain executive branch agencies are
exempt from collective bargaining and all positions in those agencies are
excluded from collective bargaining.
This classification is one
level in a Non-Competitive Promotion (NCP) series. NCP promotions are
promotions by which employees may advance in grade and class level from trainee
to full performance level in a classification series. In order to be
non-competitively promoted to the next level in a NCP series, an employee must:
1) perform the main purpose of the class, as defined by the Nature of Work
section of the class specification; 2) receive the type of supervision defined
in the class specification and 3) meet the minimum qualifications of the
classification.
July 1, 2021
Director, Division of
Classification and Salary