Job Code Pay Scale Group Pay Scale Type Bargaining Unit Civil Service or Non-Civil Service Last Executive Board Change Executive Board Change History
01518 09 ST A3 C 737-08 04/27/2018

JOB TITLE: INFORMATION SECURITY SPECIALIST 2

JOB CODE: 01518

SERIES NATURE OF WORK: The Information Security Specialist job series describes information technology work in the protection of commonwealth systems and data.

DEFINITION: This is highly advanced technical work in the administration of information security programs, policies, and procedures within a centralized information security unit.

An employee in this job performs a broad range of security duties in support of information security. Work involves developing, implementing, administering, and maintaining system security standards, policies, procedures, and access to systems to ensure the confidentiality, integrity, and availability of systems, networks, servers, and data; planning, developing, or modifying security plans and security assessment and auditing policies and procedures; managing the implementation of complex security programs; advising security team members, agency program staff, and information technology (IT) managers on security related matters; identifying security threats and developing counter measures through the use of appropriate technologies; and developing business intelligence security reports to keep senior level managers informed of system-wide security issues and programs. Work also involves providing consultative expertise and making recommendations to higher level information technology staff, agency program staff, and agency heads on information security related matters. Work is performed under the supervision of an Information Security Specialist 3 or other administrative or technical supervisor and is reviewed for compliance with commonwealth security standards.

   DISTINGUISHING CHARACTERISTICS:

      Work at this level is distinguished from the lower level job by the responsibility for one of the following:

      Performing security work involving highly sensitive information, broad security considerations, significant business impacts, and integration with other systems. This work usually involves leading security projects requiring security architecture decisions, responding to and identifying complex security incidents that impact essential business functions and developing appropriate solutions, designing security requirements for complex systems, and/or developing and implementing security solutions, systems, or programs with a significant impact on the security environment.

     Serving as an information security specialist in an organization with the most complex information security needs where the work involves the development of security standards and policies.

     Supervising lower level IT positions performing technical or advanced technical information security work or serving as a lead worker for IT positions performing advanced technical information security work.

EXAMPLES OF WORK: (NOTE: The examples of work are representative of the work, but every position classified to this job may not perform all examples of work listed. Conversely, this is not an all-inclusive list of work examples.):

Oversees compliance reviews by applying legislative and regulatory requirements and technical standards to detect areas of non-compliance and vulnerabilities.

Coordinates with internal and external parties to conduct policy compliance reviews and to monitor and report on the effectiveness and efficiency of information security controls with information security policies.

Collaborates with key stakeholders to determine, justify, document, and monitor exceptions to security policies and procedures.

Identifies critical information assets within the organization that may require additional risk mitigation and develops risk mitigation plans.

Leads follow-up actions after a security incident to assess its cause, enhance security measures, and prevent recurrence of similar incidents.

Identifies and remediates risks or vulnerabilities identified by the scanning of the organization’s infrastructure to meet commonwealth and industry best practices.

Identifies and defines common or discrete threat attributes and the scale used to indicate a threat’s profile level for use in determining potential attack paths and initial mitigation strategies.

Contributes to the development of the privacy program and executes organization privacy procedures to ensure full compliance with privacy laws, regulations, and policies and leads efforts to reevaluate internal privacy procedures to ensure they are comprehensive and current.

Develops procedures on how sensitive information such as Personally Identifiable Information (PII) is collected, used, disseminated, maintained, stored, and disposed.

Analyzes data based on type, who can access it, where it is located, value to the state, and varying levels of sensitivity and legality to sort according to the state data classification schema; proposes data classification procedure and process recommendations; and reevaluates the classification of organizational data to ensure classifications are appropriate based on legal and contractual changes and use of the data or its value.

Provides recommendations and insight on data management and governance procedures applicable to the acquisition, maintenance, validation, utilization, and encryption of data.

Partners with other IT staff to implement secure design principles, develop software that is not susceptible to security breaches, and test security requirements to ensure compliance with security plan, applicable security policies, and the organization’s accreditation processes.

Collaborates with agency procurement to review, document, and escalate information security and privacy risks to ensure internal and external compliance with procedural and contracting requirements.

Evaluates and reports on access control processes (e.g., identification, accountability, authentication, authorization) to determine effectiveness of organization facilities and assets.

Proposes recommended methods to identify and analyze failures within the environment and maps flaws to root causes to enable determination of a mitigation plan.

Evaluates risk assessments against threats and expected outcomes to recommend business continuity and recovery priorities, including additional resources to manage impact of disruptive events.

Monitors and prepares reports for leadership on business continuity including project planning, identified risks, and opportunities to ensure business continuity will be successful.

Designs and develops usable, maintainable, and scalable identity management solutions that adhere to applicable policies and information security requirements, including authentication, access control, and accountability.

Assesses training needs and learning styles and develops security/privacy related training programs based on those needs.

Develops policies, procedures, and guidelines regarding physical and data security safeguards for the protection of computer assets, confidentiality, and integrity of information.

Coordinates the implementation of security programs across platforms.

Participates and provides assistance in the coordination of external audits including the remediation of audit findings.

Directs security monitoring and compliance activities and the response to security incidents.

Oversees the implementation, configuration, and management of security products and solutions.

Participates in network, application, and other IT system designs to ensure implementation of appropriate systems security policies.

Serves as a project leader for information security projects that require making security architecture decisions.

Promotes awareness of security issues among management, employees, and other entities and ensures sound security principles are reflected in the organization’s vision and goals.

Manages outsourced contracts and vendors to implement information security programs and policies.

Functions as a lead worker for advanced technical work by assigning and reviewing work, training employees, and performing quality control functions for the work.

Performs the full range of supervisory duties.

Employees in this job may participate in subordinates’ work consistent with operational or organizational requirements.

Performs related work as required.

ENTRY LEVEL KNOWLEDGES, SKILLS, AND ABILITIES: Knowledge of server and workstation platforms.

Knowledge of industry standards and best practices of information security.

Knowledge of the functions and capabilities of standard security application systems.

Knowledge of the functions and capabilities of security testing tools.

Knowledge of best practices of firewall configurations.

Knowledge of best practices of network administration.

Knowledge of best practices of web content filtering and monitoring.

Knowledge of business process analysis methods.

Knowledge of Federal privacy guidelines such as HIPAA and Sarbanes-Oxley.

Knowledge of information security counter measure resolution techniques.

Ability to read and interpret security logs, system design specifications, and technical manuals to identify potential problems.

Ability to communicate effectively orally.

Ability to communicate effectively in writing.

Ability to establish and maintain effective working relationships.

MINIMUM EXPERIENCE AND TRAINING: (NOTE: Based on the Entry Level Knowledges, Skills, and Abilities):

One year as an Information Security Specialist 1;

                                                                                                                                                                       or

Three years of experience performing technical work in information technology security, and an associate’s degree in any information technology field;

                                                                                                                                                                       or

One year of experience performing technical work in information technology security, and a bachelor’s degree in any information technology field;

                                                                                                                                                                       or

An equivalent combination of experience and training.