Information Systems Security Officer - Helena, United States - State of Montana

Description

Why live in Helena, Montana?

Helena is surrounded by rolling hills and lofty mountains and is tucked below the Continental Divide. Located halfway between Glacier National Park and Yellowstone National Park, Helena is a where small-town living collides with outdoor adventure. Learn more about moving to and/or living in Helena, Montana .

Why should you keep reading and consider working here?

Security Services is a fun place to do serious work.We utilize best practice standards and frameworks to deliver high quality security services to state agencies.We use sophisticated technologies to solve complex problems.We value collaboration, teamwork, and respect.We promote a culture where our employees can both learn and teach.We provide professional development opportunities that lead to career advancement and fulfillment. Our mission is to protect citizens' data.

What is this career opportunity?

We are hiring one or more mid-level and senior-level Information System Security Officer (ISSO) positions.We are looking for people that have a background in security or risk management seeking to advance their career and protect citizens' data.Success in this role will require you to proactively develop and implement effective security solutions in a dynamic Enterprise information technology environment facing sophisticated and persistent threats from global cyber threat actors.This position leads security assessment and planning activities and partners with business and technology employees in state agencies to categorize information systems and to select, implement, assess, authorize and monitor complex security controls. Additionally, this position serves as the subject-matter-expert to mentor other ISSOs and advise external stakeholders on policy as well as State and Federal rules and regulations.The extent of leadership scope and responsibility depends on education, experience and expertise.

The ISSO position is primarily responsible for performing the steps in the NIST Risk Management Framework; other responsibilities include, but are not limited to:

·Communicate effectively with business and technical stakeholders;

·Establish security plans, policies, procedures, and guidelines;

·Utilize security scanning tools to identify vulnerabilities, analyze results, and make recommendations to stakeholders to mitigate risks;

·Perform continuous monitoring activities in accordance with agency and NIST Continuous Monitoring requirements;

·Compile, report, and track security metrics, including key performance indicators and key risk indicators;

·Perform Risk Management Framework steps;

·Cultivate close working relationships with agency employees and management;

·Monitor and manage behavior-based anti-virus alerts;

·Monitor and manage security incident and event management alerts;

·Lead business continuity and disaster recover planning and testing; and

·Lead security self-assessments such as the Nationwide Cyber Security Review (NCSR).

What are we looking for?

We are looking for people that have a passion for cybersecurity, a commitment to continuous learning, and a desire to protect citizen's data.

Education, Experience, and Expertise:

This position can be hired as a mid-level or senior-level ISSO, depending on experience, education, and expertise.

Mid-level Required:

·Associate degree or higher in a Risk Management related field; AND

·2+ years of fulltime experience in a Risk Management-related role.

·Alternate combinations of education, experience and certifications will be considered on a case-by-case basis.

Senior-level Required:

·Associate degree or higher in a Risk Management related field; AND

·4+ years of fulltime experience in a Risk Management-related role; AND

·Either the CAP or the CGRC certifications.

·Alternate combinations of education, experience and certifications will be considered on a case-by-case basis.

Preferred:

·Bachelor degree or higher in a Risk Management related field; AND

·6+ years of fulltime experience in a Risk Management-related role; AND

·One or more professional certifications: CAP/CGRC, SSCP, GIAC GCLD, CISSP, CISM, or other security certifications.

If hired as a mid-level ISSO, you will be required to take the CGRC exam during the first year of your employment if you do not already have the CAP or CGRC certification.If hired as a senior-level ISSO, you will be required to already have the CAP or CGRC certification.Additional training requirements will vary based on your specific skillsets and the team's specific needs at the time of hiring.Training courses may include the ISC2 Governance, Risk and Compliance course, RSA Archer courses, SANS cybersecurity courses, or other training related to this role.Specific training requirements will be discussed at the time of hiring.

Competencies:

This position is classified by the NICE Framework as Risk Management: Oversees, evaluates, and supports the documentation, validation, assessment, and authorization processes necessary to assure that existing and new information technology systems meet the organization's cybersecurity and risk requirements. Ensures appropriate treatment of risk, compliance, and assurance from internal and external perspectives.

The following knowledge, skills, and abilities are required to be successful in this job:

Knowledge of:

·Risk Management Framework (NIST 800-37, 39, and requirements;

·Information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption);

·Computer networking concepts and protocols, and network security methodologies; and

·Authentication, authorization, and access control methods.

Skill in:

·Using RSA Archer Governance, Risk and Compliance suite;

·Interfacing with information system owners;

·Writing security assessment reports, accreditation packages, and Plan of Actions and Milestones;

·Developing computer or information security policies or procedures;

·Maintaining knowledge about emerging industry or technology trends;

·Reviewing system security plan documentation;

·Implementing security measures for computer or information systems;

·Developing systems security plans;

·Testing computer system operations to ensure proper functioning; and

·Collaborating with others to resolve information technology issues.

Ability to:

·Identify systemic security issues based on the analysis of vulnerability and configuration data;

·Communicating complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means;

·Apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation);

·Interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives;

·Work with Information System Owners (ISOs) to complete system categorization, select security controls, and perform self-assessments;

·Identify risks, prioritize those risks, and maintain a Plan of Action and Milestones for escalating and presenting those risks to senior leadership;

·Gather the information necessary to maintain security and establishes functioning external barriers, including firewalls, and other security measures;

·Review systems to identify potential security weaknesses, recommend improvements to amend vulnerabilities, implement changes, and document upgrades;

·Ensure security assessments and authorizations (A&A) of information systems are completed in accordance with the published Policies, Standards and Procedures, providing appropriate level of support for A&A activities; and

·Review security assessment reports (SAR) and assist audit teams throughout the assessment and authorization process.

This position resides in a Montana Federation of Public Employees bargaining unit.