Salary: $89,913.00-$145,151.00 Yearly
SKILLED SERVICE BARGAINING UNIT: G NCP
A Department of Information Technology (DoIT) Vulnerability Assessment Analyst II is the full performance level of work providing daily oversight of the vulnerability assessment program, communicating the status of vulnerabilities, and ensuring that the vulnerability assessment service is operating as expected in the Office of Security Management (OSM). Additionally, this position is responsible for ensuring that the data from the vulnerability platform is updating other tools (e.g., Asset Inventory) and that the risk management platform is working as expected. Employees in this classification do not supervise.
Employees in this classification receive general supervision from an Executive Cyber Leadership Director or other designated IT administrator.
Positions in this classification are evaluated using the Classification Job Evaluation Methodology. The use of this method involves comparing the assigned duties and responsibilities of a position to the job criteria found in the Nature of Work and Examples of Work sections of a class specification.
This position may require work outside of regular business hours, and work in an on-call capacity.
The DoIT Vulnerability Assessment Analyst I and DoIT
Vulnerability Assessment Analyst II are differentiated on the basis of
supervisory control by the supervisor over these employees. The DoIT
Vulnerability Assessment Analyst I performs duties under close supervision at
times and under general supervision at other times depending on the complexity
of the specific duty being performed, and the DoIT Vulnerability Management
Specialist II performs the full range of duties under general supervision. The DoIT
Vulnerability Assessment Analyst II is differentiated from the DoIT
Vulnerability Assessment Analyst, Lead/Advanced in that the DoIT Vulnerability
Assessment Analyst, Lead/Advanced assigns, reviews and approves the work of and
trains lower-level DoIT Vulnerability Assessment Analysts or functions as a
project lead or addresses the most complex tasks and escalated issues prior to
engaging a higher level IT manager or director.
Analyzes an organization's cyber defense policies and configurations and evaluates compliance with regulations and organizational directives;
Conducts and/or supports authorized penetration
testing on enterprise network assets;
Maintains deployable cyber defense audit toolkit
(e.g., specialized cyber defense software and hardware) to support cyber
defense audit missions;
Maintains knowledge of applicable cyber defense policies,
regulations, and compliance documents specifically related to cyber defense
auditing;
Prepares audit reports that identify technical
and procedural findings, and provides recommended remediation
strategies/solutions;
Conducts required reviews as appropriate within the environment (e.g., Technical Surveillance Countermeasures [TSCM] reviews, Telecommunications Electronics Material Protected from Emanating Spurious Transmissions [TEMPEST] countermeasure reviews);
Performs technical (evaluation of technology)
and nontechnical (evaluation of people and operations) risk and vulnerability
assessments of relevant technology focus areas (e.g., local computing
environment, network and infrastructure, enclave boundary, supporting
infrastructure, and applications);
Makes recommendations regarding the selection of
cost-effective security controls to mitigate risk (e.g., protection of
information, systems and processes);
Performs other related duties.
Knowledge of computer networking concepts and
protocols, and network security methodologies; Knowledge of risk management
processes (e.g., methods for assessing and mitigating risk); Knowledge of laws,
regulations, policies, and ethics as they relate to cybersecurity and privacy;
Knowledge of cybersecurity and privacy principles; Knowledge of cyber threats
and vulnerabilities; Knowledge of specific operational impacts of cybersecurity
lapses; Knowledge of application vulnerabilities; Knowledge of cryptography and
cryptographic key management concepts; Knowledge of data backup and recovery;
Knowledge of host/network access control mechanisms (e.g., access control list,
capabilities lists); Knowledge of cybersecurity and privacy principles and
organizational requirements (relevant to confidentiality, integrity,
availability, authentication, non-repudiation); Knowledge of network access,
identity, and access management (e.g., public key infrastructure, open authentication [OAuth], OpenID, Security
Assertion Markup Language [SAML], Service Provisioning Markup Language [SPML]);
Knowledge of how traffic flows across the network (e.g.,
Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System
Interconnection Model [OSI], Information Technology Infrastructure Library,
current version [ITIL]); Knowledge of programming language structures and
logic; Knowledge of system and application security threats and vulnerabilities
(e.g., buffer overflow, mobile code, cross-site scripting, Procedural
Language/Structured Query Language [PL/SQL] injections, race conditions,
covert channel, replay, return-oriented attacks, malicious code); Knowledge of
systems diagnostic tools and fault identification techniques; Knowledge of what
constitutes a network attack and a network attack’s relationship to both
threats and vulnerabilities; Knowledge of interpreted and compiled computer
languages; Knowledge of different classes of attacks (e.g., passive, active,
insider, close-in, distribution attacks); Knowledge of cyber attackers (e.g.,
script kiddies, insider threat, non-nation state sponsored, and nation
sponsored); Knowledge of system administration, network, and operating system
hardening techniques; Knowledge of cyber-attack stages (e.g., reconnaissance,
scanning, enumeration, gaining access, escalation of privileges, maintaining
access, network exploitation, covering tracks); Knowledge of network security
architecture concepts including topology, protocols, components, and principles
(e.g., application of defense-in-depth); Knowledge of security models (e.g.,
Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model);
Knowledge of ethical hacking principles and techniques; Knowledge of data
backup and restoration concepts; Knowledge of system administration concepts
for operating systems such as but not limited to Unix/Linux, IOS, Android, and
Windows operating systems; Knowledge of infrastructure supporting information
technology (IT) for safety, performance, and reliability; Knowledge of an
organization's information classification program and procedures for
information compromise; Knowledge of packet-level analysis using appropriate
tools (e.g., Wireshark, tcpdump); Knowledge of cryptology; Knowledge of network
protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS),
and directory services; Knowledge of penetration testing principles, tools, and
techniques; Knowledge of an organization’s threat environment; Knowledge of
Application Security Risks (e.g. Open Web Application Security Project Top 10
list).
Skill in conducting vulnerability scans and
recognizing vulnerabilities in security systems; Skill in assessing the
robustness of security systems and designs; Skill in detecting host and network-based
intrusions via intrusion detection technologies (e.g., Snort); Skill in
mimicking threat behaviors; Skill in the use of penetration testing tools and
techniques; Skill in the use of social engineering techniques (e.g., phishing,
baiting, tailgating); Skill in using network analysis tools to identify
vulnerabilities (e.g., fuzzing, nmap); Skill in reviewing logs to
identify evidence of past intrusions; Skill in conducting application
vulnerability assessments; Skill in performing impact/risk assessments; Skill
to develop insights about the context of an organization’s threat environment;
Skill to apply cybersecurity and privacy principles to organizational
requirements (relevant to confidentiality, integrity, availability,
authentication, non-repudiation).
Ability to identify systemic security issues
based on the analysis of vulnerability and configuration data; Ability to apply
programming language structures (e.g., source code review) and logic; Ability
to share meaningful insights about the context of an organization’s threat
environment that improve its risk management posture; Ability to apply
cybersecurity and privacy principles to organizational requirements (relevant
to confidentiality, integrity, availability, authentication, non-repudiation).
Experience: Eight years of experience in information assurance, incident handling, information assurance vulnerability management and analysis, and assistance programs.
Notes:
1. Candidates may substitute a bachelor’s degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field for up to four years of the required experience.
2. Candidates may substitute the “Education” requirement listed above for a High School Diploma or possession of a High School Equivalency certificate and two additional years of experience as described above.
3. Candidates may substitute the “Experience” requirement listed above with a graduate level degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university.
Must have a Cybersecurity Service Provider (CSSP) Infrastructure Support certification as described on the Maryland Department of Information Technology website.
Employees in this classification may be subject to
call-in 24 hours a day and, therefore, may be required to provide the employing
agency with a telephone number where the employee can be reached. Employees may
be furnished with a pager or cell phone.
Applicants for this classification may handle sensitive
data. This will require a full scope background investigation prior to
appointment. A criminal conviction may be grounds for rejection of the
applicant.
Employees may occasionally be required to travel to field
locations and must have access to an automobile in the event a state vehicle
cannot be provided. Standard mileage allowance will be paid for use of a
privately owned vehicle.
Class Descriptions are broad descriptions covering groups of positions used by various State departments and agencies. Position descriptions maintained by the using department or agency specifically address the essential job functions of each position.
This is a Skilled Service
classification in the State Personnel Management System. All positions in this
classification are Skilled Service positions. Some positions in Skilled Service
classifications may be designated Special Appointment in accordance with the
State Personnel and Pensions Article, Section 6-405, Annotated Code of
Maryland.
This classification is assigned to Bargaining Unit G, Engineering, Scientific
and Administrative Professionals classes. As provided by the State Personnel
and Pensions Article, Section 3-102, special appointment, temporary,
contractual, supervisory, managerial and confidential employees are excluded
from collective bargaining. Additionally, certain executive branch agencies are
exempt from collective bargaining and all positions in those agencies are
excluded from collective bargaining.
This classification is one level in a Non-Competitive Promotion (NCP) series. NCP promotions are promotions by which employees may advance in grade and class level from trainee to full performance level in a classification series. In order to be non-competitively promoted to the next level in an NCP series, an employee must: 1) perform the main purpose of the class, as defined by the Nature of Work section of the class specification; 2) receive the type of supervision defined in the class specification; and 3) meet the minimum qualifications of the classification.
July 1, 2021
Director, Division of Classification and Salary