Skip to Main Content

Director of Governance, Risk and Compliance

DoIT Cyber Policy and Strategy Planner Manager

Recruitment #23-004730-0002


The Office of Security Management (OSM) within the Department of Information Technology (DoIT) provides units of State and Local government with a common strategy for secure, effective, and technically-sound use of the information technology resources. The Office of Security Management is responsible for the establishment of security policies, guidance, awareness, and technology to protect the confidentiality, integrity, and availability of state data and systems. OSM is also the source of IT security information for State agencies and aids local government entities to improve their cybersecurity preparedness and resiliency. ​


STD 0025


Dept. of Information Technology
100 Community Place
Crownsville, MD  21032

Main Purpose of Job

The Director of Governance, Risk, and Compliance (GRC) will oversee the creation, management, and execution of risk and controls assessments, including but not limited to state agency maturity assessments, vendor risk assessments, and system authorization-to-operate (ATO) assessments. As part of the risk and controls assessments, the Director of GRC will implement a statewide GRC module and system that generates and manages risk registers, issue tracking, corrective action plans (CAPs), and key metric reporting for DoIT operations and security executives, agency leadership, and the Governor's Office.

The Director of GRC will ensure the continued development, maintenance, enhancement, and execution of assessments that fully integrate Maryland- and DoIT-required security standards, NIST control frameworks, and regulatory requirements related compliance with PII, PCI, PHI, CJIS, FTI, and other regulated data types.

**This is a Contractual position with limited benefits**


Education: A bachelor's degree from an accredited college or university.

Experience: Three years' experience in one of the following areas:

Managing governance, risk, and compliance (GRC) programs or assessments for large organizations.  

Building or using GRC platforms that align with known or established compliance frameworks such as NIST SP 800-53, NIST CSF, CIS CSC, and ISO 27001.

Developing and implementing IT and cybersecurity policy including writing and managing updates to policies, procedures, and standards documentation.

Management and execution of system assessments, risk assessments, or vulnerability assessments, including, resolution of discovered issues and development of POAM documentation.


Our Preferred Candidate Will Have the Following:

Certifications - One Or More of the Following

- Certified Information Systems Security Professional (CISSP)

- Certified Information Security Manager (CISM)

- Certified Information Systems Auditor (CISA) Governance of Enterprise Information Technology (GEIT)

- GRC Professional (GRCP) Certification

- Certified in Risk and Information Systems Control (CRISC)

- Certification in Risk Management Assurance (CRMA)

- Project Management Institute – Risk Management Professional (PMI-RMP)


Experience - In Each of These Three Areas

Experience with regulatory and security requirements regarding specific data types including Federal Tax Information (FTI), Personally Identifiable Information (PII), Protected Health Information (PHI), Payment Card Industry (PCI), and Criminal Justice Information Systems (CJIS).

Experience managing cybersecurity governance, risk, and compliance programs in Federal, State, or Local Government organizations.

Experience using or developing a GRC platform or program.


Please make sure that you provide sufficient information on your application to show that you meet the qualifications for this recruitment. All information concerning your qualifications must be submitted by the closing date. We will not consider information submitted after this date. Successful candidates will be ranked as Best Qualified, Better Qualified, or Qualified and placed on the eligible (employment) list for at least one year.


The assessment may consist of a rating of your education, training, and experience related to the requirements of the position. It is important that you provide complete and accurate information on your application. Please report all experience and education that is related to this position.


Contractual employees who work for an agency and have a current employment contract of 30 or more hours a week (or on average 130 hours per month) will be eligible for subsidized health benefits coverage for themselves and their dependents. As a contractual employee, you will be responsible for paying 25% of the premiums for your medical and prescription coverage, including any eligible dependents you have enrolled. The State of Maryland will subsidize the remaining 75% of the cost for these benefits. You can also elect to enroll in dental coverage, accidental death and dismemberment insurance, and life insurance, but will be responsible to pay the full premium for these benefits.

You can view the Health Benefit rates on the Dept. of Budget & Management website, State Employees, Health Benefits, Contractual/Variable Rates. 

Paid leave will accrue at a rate of one hour for every 30 hours worked.


Online applications are highly recommended. However, if you are unable to apply online, the paper application and supplemental questionnaire may be submitted to: Department of Budget and Management, Recruitment and Examination Division, 301 W. Preston St., Baltimore, MD 21201. Paper application materials must be received in our office by the closing date for the recruitment. No postmarks will be accepted.

For questions regarding this recruitment, please contact the DBM Recruitment and Examination Division at or 410-767-4850, MD TTY Relay Service 1-800-735-2258.

We thank our Veterans for their service to our country.

People with disabilities and bilingual candidates are encouraged to apply.

As an equal opportunity employer, Maryland is committed to recruitment, retaining and promoting employees who are reflective of the State's diversity.

For education obtained outside the U.S., a copy of the equivalent American education as determined by a foreign credential evaluation service must be provided prior to hire.

Powered by JobAps