Job Code Pay Scale Group Pay Scale Type Bargaining Unit Civil Service or Non-Civil Service Last Executive Board Change Executive Board Change History
01519 10 ST A3 C 737-09 04/27/2018

JOB TITLE: INFORMATION SECURITY SPECIALIST 3

JOB CODE: 01519

SERIES NATURE OF WORK: The Information Security Specialist job series describes information technology work in the protection of commonwealth systems and data.

DEFINITION: This is responsible administrative work in the administration of security programs, policies, and procedures within a centralized information security unit.

An employee in this job is responsible for serving as a high level security architect and consultant for an information security program with the most complex information security needs or for supervising positions performing highly advanced technical work. Work involves developing, implementing, administering, and maintaining system security standards, policies, procedures, and access to systems to ensure the confidentiality, integrity, and availability of systems, networks, servers, and data; developing or modifying security plans and security assessment and auditing policies and procedures; managing project implementations; advising security team members, agency program staff, and information technology (IT) managers on security related matters; identifying security threats and developing counter measures through the use of appropriate technologies; and developing business intelligence security reports to keep senior level managers informed of system-wide security issues and programs. Work involves providing consultative expertise to the highest level of management on the most complex information security related matters. Work is performed under the supervision of an administrative supervisor and is reviewed for compliance with agency and commonwealth security standards.

DISTINGUISHING CHARACTERISTICS:

Work at this level is distinguished from the lower level job by the responsibility for one of the following:

Supervising highly advanced technical IT work.

Nonsupervisory duties that involve administrative and consultative responsibilities as an expert technical architect requiring a mastery of security systems, design, requirements, and policies that impact multiple areas of the organization’s IT functions; and providing expertise and technical guidance to the highest level of management to address or resolve sensitive and highly complex security problems or conditions of unusual complexity.

EXAMPLES OF WORK: (NOTE: The examples of work are representative of the work, but every position classified to this job may not perform all examples of work listed. Conversely, this is not an all-inclusive list of work examples.):

Provides information security advice and guidance to leadership and employees in the organization.

Manages the review of adherence to legislative and regulatory requirements and technical standards and works on corrective action plans to meet the organization’s business requirements.

Prioritizes risks according to relevant criteria for acceptable risks, ensures that risk assessments are implemented in accordance with policy, and collaborates with leadership to develop risk mitigation strategies and ensure sustainability of risk mitigation processes.

Develops and manages an organization’s privacy program to ensure full compliance with privacy laws, regulations, and policies.

Manages the design, development, implementation, and operations of enterprise identity and access management systems or infrastructure.

Develops or manages the development of data management and governance procedures applicable to the acquisition, maintenance, validation, utilization, and encryption of data.

Provides expertise to support negotiations of contracts and preparation of agreements, ensuring that constraints and risks associated with information security and privacy are addressed appropriately.

Champions the incorporation of emerging technologies into new solutions to meet the organization’s evolving security needs.

Recognizes implications of the changing business environment and new environmental threats to define appropriate countermeasures that balance considerations of cost, effectiveness, and value of information being protected.

Advises leadership on capabilities the organization needs to detect, prepare for, and respond to a crisis.

Develops and implements information security policies, procedures, and programs to ensure the confidentiality, integrity, and availability of systems, networks, and data.

Defines the scope and level of detail for security plans and policies applicable to the security program.

Manages and develops information technology self-assessment tools for internal security auditing and compliance and makes recommendations for enterprise security best practices.

Manages or oversees the inspection of commonwealth systems and their contents for evidence or supportive evidence of cybercrimes or other computer use that is being inspected and contains compromised services and maintains evidence.

Communicates and coordinates with executive leadership in response to security incidents including the status of the response, resolution, and final root cause analysis and prepares technical summaries of findings in accordance with established reporting procedures.

Directs the successful development, implementation, maintenance, and operations of information security systems within designated timeframes and budgetary requirements.

Oversees or manages the design, development, and implementation of enterprise systems or infrastructure.

Directs internal and external resources in the resolution of information security incidents.

Promotes awareness of security issues among management, employees, and other entities and ensures sound security principles are reflected in the organization’s vision and goals.

Manages outsourced contracts and vendors to implement information security programs and policies.

Performs the full range of supervisory duties.

Employees in this job may participate in subordinates’ work consistent with operational or organizational requirements.

Performs related work as required.

ENTRY LEVEL KNOWLEDGES, SKILLS, AND ABILITIES:

Knowledge of server and workstation platforms.

Knowledge of industry standards and best practices of information security.

Knowledge of the functions and capabilities of standard security application systems.

Knowledge of the functions and capabilities of security testing tools.

Knowledge of best practices of firewall configurations.

Knowledge of best practices of network administration.

Knowledge of best practices of web content filtering and monitoring.

Knowledge of business process analysis methods.

Knowledge of Federal privacy guidelines such as HIPAA and Sarbanes-Oxley.

Knowledge of information security counter measure resolution techniques.

Knowledge of the principles and practices of project management.

Ability to read and interpret requirements of laws and regulations.

Ability to read and interpret security logs, system design specifications, and technical manuals to identify potential problems.

Ability to communicate effectively orally.

Ability to communicate effectively in writing.

Ability to establish and maintain effective working relationships.

FULL PERFORMANCE KNOWLEDGES, SKILLS, AND ABILITIES: (NOTE: These are expected of an employee performing the work of this job at the full performance level. These may not be evaluated by the State Civil Service Commission or used for Civil Service examination purposes and are not position-specific performance standards.):

• Knowledge of the principles and practices of effective employee supervision.

MINIMUM EXPERIENCE AND TRAINING: (NOTE: Based on the Entry Level Knowledges, Skills, and Abilities):

One year as an Information Security Specialist 2;

or

Four years of experience performing technical work in information technology security, and an associate’s degree in any information technology field;

or

Two years of experience performing technical work in information technology security, and a bachelor’s degree in any information technology field;

or

An equivalent combination of experience and training.