Agency Risk Management Supervisor - Hybrid (66661)

Job Location

Helena, MT - USA

Monthly Salary

Not Disclosed

Vacancy

1 Vacancy

Job Description

The State of Montana has a decentralized human resources (HR) system. Each agency is responsible for its own recruitment and selection. Anyone who needs a reasonable accommodation in the application or hiring process should contact the agency's HR staff identified on the job listing or by dialing the Montana Relay at 711. Montana Job Service Offices also offer services including assistance with submitting an online application.

State government does not discriminate based on race, color, national origin, religion, sex, sexual orientation, gender identity or expression, pregnancy, childbirth or medical conditions related to pregnancy or childbirth, age, physical or mental disability, genetic information, marital status, creed, political beliefs or affiliation, veteran status, military service, retaliation, or any other factor not related to merit and qualifications of an employee or applicant.

Why live in Helena, Montana?

Helena is surrounded by rolling hills and lofty mountains and is tucked below the Continental Divide. Located halfway between Glacier National Park and Yellowstone National Park, Helena is where small-town living collides with outdoor adventure. Learn more about moving to and/or living in Helena, Montana here.

In this position you will be afforded the opportunity to telework; however, there will be required weekly in-office day(s) in Helena. Specific conditions will be outlined as part of the job offer and must adhere to state policy.

Why should you keep reading and consider working here?

The State Information Technology Services Division - Office of the CISO (Security Services) provides security services and support to all state government agencies; our mission is to protect citizens' data. We utilize best practice standards and frameworks to deliver high quality security services to state agencies. We value collaboration, teamwork and respect; and we promote a culture of diversity, equity and inclusion to provide a safe environment for our employees to grow their skills. We invest in our employees by providing professional development opportunities that lead to career advancement and fulfillment. We use exciting technologies and solve complex issues. Our team has visibility into the State's network and systems, and our actions have a direct impact on the State's cybersecurity posture. Security Services is a fun place to do serious work. (You can learn more about SITSD here.)

What is this career opportunity?

Do you have a background in security or risk management and a desire to make a difference in protecting Montana citizens' data? We are hiring an Agency Risk Management Supervisor. Success in this role will require you to work with a team to proactively develop and implement effective security solutions in a dynamic Enterprise information technology environment facing sophisticated and persistent threats from global cyber threat actors. This position will lead a team conducting security assessment and planning activities and partner with business and technology employees in state agencies to categorize information systems and to select, implement, assess, authorize and monitor complex security controls. Additionally, this position serves as the subject-matter expert to mentor staff and advise external stakeholders on policy as well as State and Federal rules and regulations.

The Agency Risk Management Supervisory position is primarily responsible for ensuring the NIST Risk Management Framework is utilized and effective throughout the enterprise; other responsibilities include but are not limited to:

  • Communicate effectively with business and technical stakeholders;
  • Perform personnel functions such as recruit, provide guidance, conduct performance evaluations, discipline, etc.;
  • Develop and track training programs for the team;
  • Review and approve priorities for team members;
  • Maintain alignment with division and bureau priorities in developing work plans;
  • Develop and track objectives, goals and measures for team;
  • Establish security plans, policies, procedures and guidelines;
  • Utilize security tools to identify vulnerabilities, analyze results and make recommendations to stakeholders to mitigate risks;
  • Perform continuous monitoring activities in accordance with agency and NIST Continuous Monitoring requirements;
  • Compile, report and track security metrics including key performance indicators and key risk indicators;
  • Perform Risk Management Framework steps;
  • Cultivate close working relationships with agency employees and management;
  • Lead security self-assessments such as the Nationwide Cyber Security Review (NCSR).

What are we looking for?

We are looking for subject matter experts with a demonstrated passion for cybersecurity, a commitment to continuous learning and a desire to protect citizens' data.

Education, Experience and Expertise:

  • Bachelor's degree or higher in a Risk Management related field; AND
  • 6 years of full-time experience in a Risk Management-related role; AND
  • 2 years of full-time supervisory experience; AND
  • One or more professional certifications: CAP/CGRC, SSCP, GIAC GCLD, CISSP, CISM or other security certifications.
  • Alternate combinations of education, experience and certifications will be considered on a case-by-case basis.

Additional training requirements will vary based on your specific skillsets and the team's specific needs at the time of hiring. Training courses may include the ISC2 Governance, Risk and Compliance course, RSA Archer courses, SANS cybersecurity courses or other training related to this role. Specific training requirements will be discussed at the time of hiring.

Competencies:

This position is classified by the NICE Framework as Risk Management: Oversees, evaluates and supports the documentation, validation, assessment and authorization processes necessary to assure that existing and new information technology systems meet the organization's cybersecurity and risk requirements. Ensures appropriate treatment of risk, compliance and assurance from internal and external perspectives.

The following knowledge, skills and abilities are required to be successful in this job:

Knowledge of:

  • Risk Management Framework (NIST 800-37, 39 and 800-53) requirements;
  • Information technology (IT) security principles and methods (e.g. firewalls, demilitarized zones, encryption);
  • Computer networking concepts and protocols, and network security methodologies; and
  • Authentication, authorization and access control methods.

Skill in:

  • Excellent organizational skills;
  • Strong interpersonal, written and verbal communication skills;
  • Strong decision-making and conflict-resolution skills;
  • Using RSA Archer Governance, Risk and Compliance suite;
  • Interfacing with information system owners;
  • Writing security assessment reports, accreditation packages and Plan of Actions and Milestones;
  • Developing computer or information security policies or procedures;
  • Maintaining knowledge about emerging industry or technology trends;
  • Reviewing system security plan documentation;
  • Implementing security measures for computer or information systems;
  • Developing systems security plans;
  • Testing computer system operations to ensure proper functioning; and
  • Collaborating with others to resolve information technology issues.

Ability to:

  • Identify systemic security issues based on the analysis of vulnerability and configuration data;
  • Communicate complex information, concepts or ideas in a confident and well-organized manner through verbal, written and/or visual means;
  • Apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation);
  • Interpret and apply laws, regulations, policies and guidance relevant to organization cyber objectives;
  • Guide Information System Owners (ISOs) in completing system categorization, selecting security controls and performing self-assessments;
  • Identify risks, prioritize those risks and maintain a Plan of Action and Milestones for escalating and presenting those risks to senior leadership;
  • Gather the information necessary to maintain security and establish functioning external barriers including firewalls and other security measures;
  • Review systems to identify potential security weaknesses, recommend improvements to amend vulnerabilities, implement changes and document upgrades;
  • Ensure security assessments and authorizations (A&A) of information systems are completed in accordance with the published Policies, Standards and Procedures, providing appropriate level of support for A&A activities; and
  • Review security assessment reports (SAR) and assist audit teams throughout the assessment and authorization process.

The successful incumbent must successfully complete a background check as a final consideration for employment.

Does this sound like you?

Please tell us how and why by submitting your resume and cover letter. (Please Note: You do not need to complete the work experience or the education & certifications portion of the application process in our recruiting system. You only need to upload the requested documentation.)

What can you expect from us in return for your hard work?

Look here to see the additional benefits! They include:

  • Work/life Balance
  • Health Coverage
  • Retirement plans
  • Paid Vacation and Sick Leave and Holidays
  • And more

Public Service Loan Forgiveness (PSLF): Employment with the State of Montana may qualify you to receive student loan forgiveness under the PSLF.

Other important information to be aware of.


Required Experience:

Manager

Employment Type

Full Time
