Information Systems Security Officer- Hybrid (66652)

What are we looking for

We are looking for people that have a passion for cybersecurity a commitment to continuous learning and a desire to protect citizens data.

Education Experience and Expertise:

This position can be hired as a mid-level or senior-level ISSO depending on experience education and expertise.

Mid-level Required:

• Associate degree or higher in a Risk Management related field; AND
• 2 years of fulltime experience in a business technology or any other field .
• Alternate combinations of education experience and certifications will be considered on a case-by-case basis.

Senior-level Required:

• Bachelors degree or higher in a Risk Management or Information Technology related field; AND
• 4 years of fulltime experience in a risk management security or technology-related role; AND
• Either the CAP or the CGRC certifications.
• Alternate combinations of education experience and certifications will be considered on a case-by-case basis.

Preferred:

• Bachelor degree or higher in Information Technology; AND
• 6 years of fulltime experience in Information Technology; AND

• One or more professional certifications: CAP/CGRC SSCP GIAC GCLD CISSP CISM or other security certifications

  If hired as an ISSO you will be required to take the CGRC exam during the first year of your employment if you do not already have the CAP or CGRC certification. Additional training requirements will vary based on your specific skillsets and the teams specific needs at the time of hiring. Training courses may include the ISC2 Governance Risk and Compliance course RSA Archer courses SANS cybersecurity courses or other training related to this role. Specific training requirements will be discussed at the time of hiring

  Competencies: This position is classified by the NICE Framework as Risk Management: Oversees evaluates and supports the documentation validation assessment and authorization processes necessary to assure that existing and new information technology systems meet the organizations cybersecurity and risk requirements. Ensures appropriate treatment of risk compliance and assurance from internal and external perspectives.

  The following knowledge skills and abilities are required to be successful in this job:

  Knowledge of:

• Risk Management Framework (NIST 800-37 39 and 800-53) requirements;
• Information technology (IT) security principles and methods (e.g. firewalls demilitarized zones encryption);
• Computer networking concepts and protocols and network security methodologies; and
• Authentication authorization and access control methods

Skill in:

• Using a Governance Risk and Compliance platform;
• Interfacing with information system owners;
• Writing security assessment reports accreditation packages and Plan of Actions and Milestones;
• Developing computer or information security policies or procedures;
• Maintaining knowledge about emerging industry or technology trends;
• Reviewing and developing system security plans;
• Implementing security measures for computer or information systems; and
• Collaborating with others to resolve information technology issues.

Ability to:

• Identify systemic security issues based on the analysis of vulnerability and configuration data;
• Communicating complex information concepts or ideas in a confident and well-organized manner through verbal written and/or visual means;
• Apply cybersecurity principles to organizational requirements (relevant to confidentiality integrity availability authentication non-repudiation);
• Interpret and apply laws regulations policies and guidance relevant to organization cyber objectives;
• Work with Information System Owners (ISOs) to complete system categorization select security controls and perform self-assessments;
• Identify risks prioritize those risks and maintain a Plan of Action and Milestones for escalating and presenting those risks to senior leadership;
• Gather the information necessary to maintain security and establishes functioning external barriers including firewalls and other security measures;
• Review systems to identify potential security weaknesses recommend improvements to amend vulnerabilities implement changes and document upgrades;
• Ensure security assessments and authorizations (A&A) of information systems are completed in accordance with the published Policies Standards and Procedures providing appropriate level of support for A&A activities; and
• Review security assessment reports (SAR) and assist audit teams throughout the assessment and authorization process.

Does this sound like you

Please tell us how and why by submitting your resume and cover letter

What can you expect from us in return for your hard work

Ø Benefits include:

o Work/life Balance

o Health Coverage

o Retirement plans

o Paid Vacation and Sick Leave and Holidays

o And more

Ø Public Service Loan Forgiveness (PSLF) Employment with the State of Montana may qualify you to receive student loan forgiveness under the PSLF.

Other important information to be aware of.

• This position requires the successful completion of a criminal background check.

• Only online applications are accepted. By applying online you are able to receive updates and monitor the status of your application.

Why should you keep reading and consider working here

We know you have other work options but we ask you to consider working with us at the State of Montana Department of Administration in theState Information Technology Services Division (SITSD). Our mission to provide shared IT services to support the needs of the state and citizens of offer an innovative and collaborative work environment where employees are valued and addition our employees have the opportunityto be involved insome of the most exciting and innovative ITprojects and initiatives in developmentwithin Montana state government.

What is this career opportunity

We are hiring an Information System Security Officer (ISSO) with expertise in cybersecurity or risk management. We are looking for someone with a background in cybersecurity or risk management seeking to advance their career and protect citizens data from global cyber threat actors and threats. Success in this role will require the selected candidate to proactively develop and implement effective security solutions in a dynamic Enterprise environment by using robust protection strategies against advanced persistent threats. This position leads security assessment and planning activities and partners with business and technology employees in state agencies to categorize and select complex security controls for information systems in accordance with NIST and federal standards. Additionally this position serves as the subject-matter-expert to advise external stakeholders on complex security policy requirements for compliance with State and Federal regulations. ISSOs will also engage stakeholders and technology partners to develop security awareness and ensure effective collaboration to protect critical assets.

The ISSO position is primarily responsible for performing the steps in the NIST Risk Management Framework; other responsibilities include but are not limited to:

• Communicate effectively with business and technical stakeholders;

• Establish security plans policies procedures and guidelines;

• Utilize security scanning tools to identify vulnerabilities analyze results and make recommendations to stakeholders to mitigate risks;

• Perform continuous monitoring activities in accordance with agency and NIST Continuous Monitoring requirements;

• Perform the Risk Management Framework steps for managing risk;

• Cultivate close working relationships with agency employees and management;

• Monitor and manage security incident and event management alerts;

• Lead business continuity and disaster recover planning and testing; and

• Lead security self-assessments