Salary: $109,247.00 - $176,552.00 Yearly
Skilled Service
Bargaining Unit: G
A Department of Information Technology (DoIT) Security Control Assessor Lead/Advanced is the lead or advanced level of work in the Office of Security Management (OSM) tasked with evaluating the effective design and operation of security controls in the environment. At the Lead level, employees in this classification assign, review, and approve the work of, and train, lower-level DoIT Security Control Assessors. At the Advanced level, employees in this classification either assign, review, and approve the work of, and train, lower-level DoIT Security Control Assessors, or serve as a project lead or address the most complex tasks and escalated issues prior to engaging a higher-level IT manager or director. Positions in this classification do not supervise other positions.
Employees in this classification receive general supervision from an Executive Cyber Leadership Director or other higher-level IT manager or director.
Position placement in this classification is determined by the Classification Job Evaluation Methodology. The use of this method involves comparing the assigned duties and responsibilities of a position to the job criteria found in the Nature of Work and Examples of Work sections of a classification specification.
The DoIT Security Control Assessor I and DoIT Security Control Assessor II are differentiated on the basis of the degree of supervisory control exercised by the supervisor over these employees. The DoIT Security Control Assessor I performs duties under close supervision at times and under general supervision at other times, depending on the complexity of the specific duty being performed, and the DoIT Security Control Assessor II performs the full range of duties under general supervision. The DoIT Security Control Assessor Lead/Adv differs from the DoIT Security Control Assessor II in that the DoIT Security Control Assessor Lead/Adv addresses the most complex tasks and escalated issues prior to engaging a higher-level IT manager or director, or leads lower-level DoIT Security Control Assessors.
When functioning at the Lead Level:
Assigns, reviews, and approves the work of DoIT Security Control Assessors;
Trains DoIT Security Control Assessors.
When functioning at the Advanced Level:
Serves as project lead or technical expert in performing security reviews and risk analysis, identifying security gaps in architecture, developing risk management plans, and developing security compliance processes and/or audits for external services.
When functioning at All Levels:
Performs security reviews, identifies gaps in security architecture, and develops a security risk management plan;
Performs security reviews and identifies security gaps in security architecture, resulting in recommendations for inclusion in the risk mitigation strategy;
Performs risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change;
Plans and conducts security authorization reviews and assurance case development for initial installation of systems and networks;
Provides input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials);
Reviews authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network;
Verifies and updates security documentation reflecting the application/system security design features;
Verifies that application software/network/system security postures are implemented as stated, documents deviations, and recommends required actions to correct those deviations;
Develops security compliance processes and/or audits for external services (e.g., cloud service providers, data centers);
Participates in the Risk Governance process to provide security risks, mitigations, and input on other technical risk;
Ensures that plans of action and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.;
Assures successful implementation and functionality of security requirements and appropriate information technology (IT) policies and procedures that are consistent with the organization's mission and goals;
Defines and documents how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment;
Ensures that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary;
Supports necessary compliance activities (e.g., ensures that system security configuration guidelines are followed and that compliance monitoring occurs);
Ensures that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals;
Assesses the effectiveness of security controls;
Assesses all the configuration management (change configuration/release management) processes;
Establishes acceptable limits for the software application, network, or system;
Manages Accreditation Packages (e.g., ISO/IEC 15026-2);
Performs other related duties.
Knowledge of computer networking concepts and protocols, and network security methodologies;
Knowledge of risk management processes (e.g., methods for assessing and mitigating risk);
Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy;
Knowledge of cybersecurity and privacy principles;
Knowledge of cyber threats and vulnerabilities;
Knowledge of specific operational impacts of cybersecurity lapses;
Knowledge of authentication, authorization, and access control methods;
Knowledge of applicable business processes and operations of customer organizations;
Knowledge of application vulnerabilities;
Knowledge of communication methods, principles, and concepts that support the network infrastructure;
Knowledge of capabilities and applications of network equipment including routers, switches, bridges, servers, transmission media, and related hardware;
Knowledge of cyber defense and vulnerability assessment tools and their capabilities;
Knowledge of encryption algorithms;
Knowledge of cryptography and cryptographic key management concepts;
Knowledge of data backup and recovery;
Knowledge of database systems;
Knowledge of business continuity and disaster recovery continuity of operations plans;
Knowledge of the organization's enterprise information security architecture;
Knowledge of the organization's evaluation and validation requirements;
Knowledge of the organization's Local and Wide Area Network connections;
Knowledge of the Security Assessment and Authorization process;
Knowledge of cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data;
Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins);
Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation);
Knowledge of Risk Management Framework (RMF) requirements;
Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption);
Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities;
Knowledge of network access, identity, and access management (e.g., public key infrastructure, OAuth, OpenID, SAML, SPML);
Knowledge of new and emerging information technology (IT) and cybersecurity technologies;
Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code);
Knowledge of structured analysis principles and methods;
Knowledge of systems diagnostic tools and fault identification techniques;
Knowledge of the cyber defense Service Provider reporting structure and processes within one's own organization;
Knowledge of the enterprise information technology (IT) architecture;
Knowledge of the organization's enterprise information technology (IT) goals and objectives;
Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161);
Knowledge of the organization's core business/mission processes;
Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures;
Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures;
Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations;
Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth);
Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]);
Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model);
Knowledge of Personally Identifiable Information (PII) data security standards;
Knowledge of Payment Card Industry (PCI) data security standards;
Knowledge of Personal Health Information (PHI) data security standards;
Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures;
Knowledge of an organization's information classification program and procedures for information compromise;
Knowledge of embedded systems;
Knowledge of penetration testing principles, tools, and techniques;
Knowledge of controls related to the use, processing, storage, and transmission of data;
Knowledge of Application Security Risks (e.g., Open Web Application Security Project Top 10 list).
Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems;
Skill in applying confidentiality, integrity, and availability principles;
Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes;
Skill in discerning the protection needs (i.e., security controls) of information systems and networks;
Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system;
Skill in using virtual machines (e.g., Microsoft Hyper-V, VMware vSphere, Citrix XenDesktop/Server, Amazon Elastic Compute Cloud, etc.);
Skill in recognizing and categorizing types of vulnerabilities and associated attacks;
Skill in applying security controls;
Skill in utilizing or developing learning activities (e.g., scenarios, instructional games, interactive exercises);
Skill in identifying Test & Evaluation infrastructure (people, ranges, tools, instrumentation) requirements;
Skill in interfacing with customers;
Skill in managing test assets, test resources, and test personnel to ensure effective completion of test events;
Skill in preparing Test & Evaluation reports;
Skill in reviewing logs to identify evidence of past intrusions;
Skill in troubleshooting and diagnosing cyber defense infrastructure anomalies and working through resolution;
Skill in using manpower and personnel IT systems;
Skill in conducting reviews of systems;
Skill in secure test plan design (e.g., unit, integration, system, acceptance);
Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools;
Skill in conducting application vulnerability assessments;
Skill in integrating Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic);
Skill in assessing security systems designs;
Skill in integrating and applying policies that meet system security objectives;
Skill in assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.);
Skill in performing impact/risk assessments;
Skill in applying secure coding techniques;
Skill in using security event correlation tools;
Skill in using code analysis tools;
Skill in performing root cause analysis;
Skill in administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures;
Skill in analyzing a target's communication networks;
Skill in analyzing traffic to identify network devices;
Skill in identifying intelligence gaps and limitations;
Skill in identifying language issues that may have an impact on organization objectives;
Skill in identifying leads for target development;
Skill in identifying non-target regional languages and dialects;
Skill in identifying the devices that work at each level of protocol models;
Skill in identifying, locating, and tracking targets via geospatial analysis techniques;
Skill in information prioritization as it relates to operations;
Skill in interpreting compiled and interpretive programming languages;
Skill in interpreting metadata and content as applied by collection systems;
Skill in interpreting traceroute results, as they apply to network analysis and reconstruction;
Skill in interpreting vulnerability scanner results to identify vulnerabilities;
Skill in knowledge management, including technical documentation techniques (e.g., Wiki page);
Skill in managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results;
Skill in performing target system analysis;
Skill in preparing and presenting briefings;
Skill in preparing plans and related correspondence;
Skill in prioritizing target language material;
Skill in processing collected data for follow-on analysis;
Skill in providing analysis to aid writing phased after action reports;
Skill in reviewing and editing assessment products;
Skill in reviewing and editing plans;
Skill in tailoring analysis to the necessary levels (e.g., classification and organizational);
Skill in target development in direct support of collection operations;
Skill in target network anomaly identification (e.g., intrusions, dataflow or processing, target implementation of new technologies);
Skill in technical writing;
Skill in utilizing feedback to improve processes, products, and services;
Skill in accessing information on current assets available and their usage;
Skill in accessing the databases where plans/directives/guidance are maintained;
Skill in analyzing strategic guidance for issues requiring clarification and/or additional guidance;
Skill in analyzing target or threat sources of strength and morale;
Skill in developing a collection plan that clearly shows the discipline that can be used to collect the information needed;
Skill in evaluating requests for information to determine if response information exists;
Skill in extracting information from available tools and applications associated with collection requirements and collection operations management;
Skill in applying cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation);
Skill in using the cyber defense Service Provider reporting structure and processes within one's own organization;
Skill in identifying cybersecurity and privacy issues that stem from connections with internal and external customers and partner organizations.
Ability to identify systemic security issues based on the analysis of vulnerability and configuration data;
Ability to answer questions in a clear and concise manner;
Ability to ask clarifying questions;
Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means;
Ability to communicate effectively when writing;
Ability to conduct vulnerability scans and recognize vulnerabilities in security systems;
Ability to facilitate small group discussions;
Ability to prepare and present briefings;
Ability to produce technical documentation;
Ability to design valid and reliable assessments;
Ability to analyze test data;
Ability to collect, verify, and validate test data;
Ability to dissect a problem and examine the interrelationships between data that may appear unrelated;
Ability to identify basic common coding flaws at a high level;
Ability to translate data and test results into evaluative conclusions;
Ability to ensure security practices are followed throughout the acquisition process;
Ability to apply collaborative skills and strategies;
Ability to apply critical reading/thinking skills;
Ability to effectively collaborate via virtual teams;
Ability to evaluate information for reliability, validity, and relevance;
Ability to evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products;
Ability to exercise judgment when policies are not well-defined;
Ability to expand network access by conducting target analysis and collection to identify targets of interest;
Ability to focus research efforts to meet the customer's decision-making needs;
Ability to function effectively in a dynamic, fast-paced environment;
Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts, both internal and external to the organization, to leverage analytical and technical expertise;
Ability to identify external partners with common cyber operations interests;
Ability to identify intelligence gaps;
Ability to identify/describe target vulnerability;
Ability to identify/describe techniques/methods for conducting technical exploitation of the target;
Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives;
Ability to interpret and translate customer requirements into operational action;
Ability to interpret and understand complex and rapidly evolving concepts;
Ability to participate as a member of planning teams, coordination groups, and task forces as necessary;
Ability to recognize and mitigate cognitive biases which may affect analysis;
Ability to think critically;
Ability to understand objectives and effects;
Ability to utilize multiple intelligence sources across all intelligence disciplines;
Ability to work across departments and business units to implement the organization's privacy principles and programs, and align privacy objectives with security objectives;
Ability to monitor advancements in information privacy technologies to ensure organizational adaptation and compliance;
Ability to develop or procure curriculum that speaks to the topic at the appropriate level for the target audience;
Ability to prioritize and allocate cybersecurity resources correctly and efficiently;
Ability to relate strategy, business, and technology in the context of organizational dynamics;
Ability to understand technology, management, and leadership issues related to organization processes and problem solving;
Ability to understand the basic concepts and issues related to cyber and its organizational impact;
Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation);
Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.
Experience: Ten years of experience performing IT audits or evaluating the effectiveness of security control design and operation. Managing and documenting security controls on servers, networks, security apparatus, or IoT/OT devices.
Notes:
1. Candidates may substitute a bachelor’s degree in information technology, information security, information systems design, communications, or related field for up to four years of the required experience.
2. Candidates may substitute the “Education” requirement listed above, for a High School Diploma or possession of a High School Equivalency certificate and two additional years of experience as described above.
3. Candidates may substitute up to two years of the “Experience” requirement listed above for a graduate level degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university.
Must have a Cyber Security Service Provider (CSSP) Auditor certification as described on the Maryland Department of Information Technology website.
1. Employees in this classification may be subject to call-in 24 hours a day and, therefore, may be required to provide the employing agency with a telephone number where the employee can be reached. Employees may be furnished with a pager or cell phone.
2. Applicants for this classification may handle sensitive data. This will require a full scope background investigation prior to appointment. A criminal conviction may be grounds for rejection of the applicant.
3. Employees may occasionally be required to travel to field locations and must have access to an automobile in the event a state vehicle cannot be provided. Standard mileage allowance will be paid for use of a privately owned vehicle.
Class Descriptions are broad descriptions covering groups of positions used by various State departments and agencies. Position descriptions maintained by the using department or agency specifically address the essential job functions of each position.
This is a Skilled Service classification in the State Personnel Management System. All positions in this classification are Skilled Service positions. Some positions in Skilled Service classifications may be designated Special Appointment in accordance with the State Personnel and Pensions Article, Section 6-405, Annotated Code of Maryland.
This classification is assigned to Bargaining Unit G, Engineering, Scientific and Administrative Professionals classes. As provided by the State Personnel and Pensions Article, Section 3-102, special appointment, temporary, contractual, supervisory, managerial and confidential employees are excluded from collective bargaining. Additionally, certain executive branch agencies are exempt from collective bargaining and all positions in those agencies are excluded from collective bargaining.
July 1, 2021
Director, Division of Classification and Salary