Description of Work:
This position is the Division’s IS Security Officer for the North Carolina Department of Commerce and is responsible for the overall information security posture of the agency. The primary responsibilities are as follows:
- Establishes the current security baseline.
- Creates an information security improvement plan and implements it in close collaboration with other IT teams.
- Ensures consistent information security practices aligned with the agency’s risk appetite.
- Creates and maintains the information security scorecard.
- Establishes Information Security and Risk Management programs, including developing, implementing and maintaining DES information security enterprise standards, processes, procedures, regulations, and guidelines based on federal and state laws and mandates (e.g., NIST SP 800-53, IRS Publication 1075, FedRAMP).
- Participates in formal risk assessments for new systems and significant system revisions.
- Performs information security self-assessments and facilitates third party independent security verification and validation for ensuring compliance as required by other state/federal agencies.
- Assists with the selection of cost-effective security solutions and controls to mitigate risk (e.g., protection of information, systems and processes).
- Works with other IT teams to ensure physical safeguards for information system assets.
- Correlates incident data to identify specific vulnerabilities and makes recommendations that enable expeditious remediation.
- Performs agency network defense incident triage, to include determining scope, urgency, and potential impact; identifying the specific vulnerability; and making recommendations that enable expeditious remediation.
- Conducts system configuration and operations audits of discrete applications, network, and computing resources to identify potential vulnerabilities (e.g., port scans, intrusion detection and prevention, network scans and perimeter security).
- Provides leadership and guidance in information security and enterprise risks to business owners and agency staff.
- Provides technical documents, incident reports, and findings from computer examinations, summaries, and other situational awareness information to leadership.
- Conducts information security awareness sessions (e.g. Lunch-and-learn, team presentations, postings on Intranet site, etc.) to both technical and non-technical agency staff.
- Coordinates and facilitates IS audits conducted by Internal, State and Federal auditors.
- Tracks and facilitates requests from auditors to ensure that they are assigned to the correct individual(s) and completed in a timely manner.
- Assists with the responses to and remediation of audit findings.
- Creates awareness and educates IT staff on audits and their purpose, frequency, process and procedures.
- Publishes the audit calendar and keeps it current.
- Maintains a repository of audit responses for future reference.
- Conducts analysis of state and federal security standards and assesses DES compliance.
- Conducts third-party vendor risk management procedures and ensures vendors’ initial and annual compliance with State and Federal mandates.
- Prepare audit reports that identify technical and procedural findings, and provide recommended remediation strategies/solutions to senior management.
- Develops the Division’s Disaster Recovery/Business Continuity Plan (DR/BCP) and ensures timely submission to the State CIO.
- Coordinates the review of the various documents that go into the Disaster Recovery Plan.
- Updates information in the Living Disaster Recovery Plan System (LDRPS) hosted by DIT to keep the plans current and accurate.
- Prepares the annual BCP/DR plan for management approval and submission to the State CIO.
- Answers questions and responds to reviews by the State CIO.
- Participates in the semi-annual Disaster Recovery test performed by DIT.
- Coordinates the development and update of the Division’s Business Impact Analysis (BIA).
- Collaborates with Infrastructure teams to ensure an accurate asset inventory.
- Performs tabletop exercises across senior leadership teams and IT teams.
This position is physically located in Raleigh, North Carolina, Wake County. The work schedule for this position is 8 a.m. – 5 p.m. and may require working beyond the regular schedule to meet business needs.
Knowledge, Skills and Abilities / Competencies
Qualified applicants must submit an application that clearly reflects work experience that demonstrates the following:
- Demonstrated work experience developing and implementing Information Security and Enterprise Risk management programs.
- Demonstrated work experience developing, implementing, and maintaining information security standards, processes, procedures, regulations, and guidelines based upon industry standard frameworks and best practices.
- Demonstrated work experience developing and implementing security improvement plans with effective results that are tracked and reported.
- Demonstrated work experience configuring, implementing and managing various information security solutions: firewalls, intrusion detection/prevention systems, end-point protection, identity management, content filtering, event/log management, datacenter physical/infrastructure security, network security, operating systems hardening, database security, application/middleware security.
- Knowledge of the latest cybersecurity frameworks, principles, application threats/vulnerabilities, and secure coding practices.
- Knowledge of cloud security best practices in the areas of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and/or Software as a Service (SaaS).
- Demonstrated work experience working with third party auditors to remediate audit findings.
- Demonstrated work experience in planning, developing and maintaining enterprise level Disaster Recovery and Business Continuity Plans.
- Demonstrated work experience in effectively communicating and preparing professional presentations for both technical and non-technical audiences at different levels of the organizational hierarchy.
- Ability to engage/manage third party contractors effectively on specialized technical work.
Applicant must meet both the minimum education and experience requirements and all posted Knowledge, Skills and Abilities / Competencies requirements to be considered Qualified for the position.
Minimum Education and Experience Requirements
Bachelor’s degree in Computer Science, Computer Information Systems, Computer Engineering, Math, Engineering or other related technical degree from an appropriately accredited institution and four years progressive experience in the field of information technology; or Bachelor’s degree from an appropriately accredited institution and five years progressive experience in the field of information technology; or an equivalent combination of education and experience.
Current security certification in one of the following:
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Auditor (CISA, ISACA)
Certified Information Security Manager (CISM)
Certified Ethical Hacker (CEH), GIAC/SANS certified tracks, etc.
Supplemental and Contact Information
For consideration for this vacancy, all applicants must complete an on-line application using this link https://www.governmentjobs.com/Applications/Index/northcarolina. If multiple applications are submitted to an individual posting only the most recent application received prior to the posting close date will be evaluated for consideration. Applications for positions requiring specific coursework must be accompanied by a copy of the applicant’s transcript.
** INCLUDE ALL RELEVANT EDUCATION, WORK EXPERIENCE IN THE DESIGNATED EDUCATION AND WORK HISTORY SECTION ON THE FORMAL APPLICATION.**
Applications with “see attached” or resumes in lieu of completed education and work experience on the formal application will be deemed incomplete and will not be eligible for consideration for the vacancy. All attachments, unless specifically requested in the vacancy announcement (e.g., transcripts, proof of licensure or certification), are considered optional and will not be reviewed during initial screening to determine applicant eligibility for the vacancy.
Applicants requesting and receiving an accommodation under the Americans with Disabilities Act (ADA) are eligible to submit paper applications via mail or by fax.
Applicants seeking Veteran’s Preference must submit a DD Form 214, Certificate of Release or Discharge from Active Duty. This information may be attached to the on-line application or may be faxed.
Applicants may check the status of their application for a vacancy at any time by logging in to the government jobs system using the above link. Once the applicant has logged in, the status of each submitted application is documented next to each vacancy for which he/she has applied.
All applicants recommended for hire will be subject to a criminal background check.
For technical issues with your application, please call the NeoGov Help Line at 1-855-524-5627.
Due to the volume of applications received, we are unable to provide information regarding the status of your application over the phone. To check the status of your application, please log in to your account. Processing applications will take an average of 6 – 8 weeks due to the high volume of applications received. It is not necessary to contact the Human Resources Office to check the status of an application.