Must have experience in the following:
- Compliance and Controls
- Review of policies created and implemented
- SDLC Phases and Experience
- GCC
- Certifications
Deliverables:
- Conduct the most complex Risk Assessments (RAs)
- Provide in depth security knowledge and consultation when analyzing security risks (e.g., analyzing security related reports; evaluating security risks impacting State Fund; and making recommendations to all State Fund programs including Enterprise Procurement)
- Develop and maintain security policies and standards based on security frameworks and industry standards including the identification of risk rating for each security control
- Train/mentor new/existing ESEC team members on RAs/BRDs/TDDs/security defects (e.g., identify applicable security risks and mitigating controls; review for adherence to the System Engineering Handbook/Security Policies & Standards)
- Develop/maintain procedures (e.g., RA/BRD/TDD/security defects)
- Perform analysis on the most complex Security Incident Response (SIR) tickets as needed
- Attend meetings and represent Information Security on all security matters
- Act as Lead/Co-Lead/Backup on assigned Information Security projects
- Other duties, to be assigned as needed.
Job Description:
- Five (5) years of information technology experience, including two (2) years of lead/management experience performing a variety of progressively responsible technical and analytical work
- Minimum of 5+ years of experience with security practices
- Technical security project management skills
- Working experience using best-practice standards and frameworks: ISO 27001/27002, PCI DSS v3, GLBA, HIPAA/HITECH, NIST 800-53, CIS Controls, NIST CSF, CIS RAM
- Hardware: network switches, routers, load balancers, servers, storage systems, end-user systems, mobile devices, or other devices that enable the organization to complete its mission
- Operating systems: UNIX, Linux, Windows
- Network: LAN, WAN, Internet
- Proxy/Filtering, Firewall, VPN, DMZ
- Network Protocols such as TCP/IP, SNMP, SMTP, NTP, DNS, LDAP, NFS, Samba, etc.
- Databases: Oracle, SQL, MySQL
- Cloud platforms: IaaS, PaaS, SaaS
- Security concepts such as encryption, hardening, etc.
- GRC
- Active Directory
- Programming languages are a plus
Professional Skills:
- Working experience in Security, Compliance, and Governance frameworks including the NIST 800 series, PCI, ISO 27001/27002, ITIL, and COBIT
- Expert knowledge in security project management practices
- CISA, CISM, or CISSP certification is required