Information Technology Specialist 4 Information Security

Description
Duties Description
Under the direction of senior team members within the Chief Information Security Office/Governance, Risk, & Compliance/Governance, Compliance, Awareness, & Training (GCAT)/Governance & Compliance Section, the incumbent will be responsible for assisting with the development and implementation of the Chief Information Security Office's GCAT Program. The Program consists of policies, standards, and guidelines to protect New York State information assets, assessing policy exception requests, assessing requests for Internal and External Audit information, and working with ITS and with other State entities to assess and assure compliance with all State and Federal compliance standards. The candidate will also work to promote cybersecurity awareness and information security "best practices".

The position requires communicating orally and in writing with various individuals including management, users, vendors, and other IT staff. The position requires availability during off-shift hours to ensure appropriate response to security incidents or other critical activities that may impact sensitive information, critical systems, NYS agencies, or ITS. Additional information on work schedule will be discussed at time of interview.

Specific Duties Include, But Are Not Limited To

• Develop and maintain statewide information security policies, mechanisms, processes, standards, and procedures that meet current and future state business needs.
• Consult with State Entities regarding interpretation and implementation issues for statewide information security policies, procedures, and best practices.
• Manage the security exception process in GCAT when NYS Policy and Standard compliance cannot be met, review and coordinate efforts to renew security exceptions when necessary.
• Facilitate participation of State Entities in the completion of the annual Nationwide Cybersecurity Review (NCSR) cybersecurity assessment.
• Establish and maintain channels of communication to target audiences (State and local government, education sectors, and citizens).
• Collaborate and advance partnership programs with State and national work groups.
• Manage CISO staff involved in internal and external information security audits across the enterprise. This requires working in conjunction with multiple teams across ITS and State Entities.
• Manage efforts to support, expand, and build efficiencies into the security audit process.
• Receive and Log Policy Exception Requests Act as the primary point of contact for receiving all incoming IT policy exception requests from various departments and stakeholders. Accurately log each request into a dedicated tracking system (e.g., Archer), capturing all essential details such as the requesting party, policy being excepted, reason for exception, duration, and proposed compensating controls.
• Initial Review and Validation: Perform an initial review of submitted requests to ensure completeness and clarity. Follow up with requesters to gather any missing information or clarify details. Verify that the request aligns with the established exception request process and submission guidelines.
• Facilitate Risk Assessment and Approval Workflow: Route exception requests to the appropriate stakeholders for review and approval. Coordinate meetings or communications to facilitate discussions around the exceptions. Ensure all required approvals are obtained and documented within the tracking system.
• Document and Record Exceptions: Maintain a comprehensive and up-to-date central repository of all approved and rejected policy exceptions. Document the justification for the exception, the associated risks, the approved compensating controls, the duration of the exception, and the names of all approvers. Ensure all documentation adheres to internal standards and audit requirements.
• Monitor and Track Exception Lifecycles: Proactively monitor the expiration dates of approved exceptions. Initiate the renewal or closure process for exceptions nearing their expiration, coordinating with the original requester and approvers as needed.
• Reporting and Analysis: Generate regular reports on policy exception trends, including the number of exceptions, common policies excepted, departments requesting exceptions, and reasons for exceptions. Analyze exception data to identify potential systemic issues, policy gaps, or areas requiring increased awareness and training. Present findings to management to support continuous improvement of policies and security controls.
• Process Improvement: Continuously identify opportunities to streamline and improve the policy exception management process, tools, and documentation. Develop and update procedural documentation related to exception handling.
• Audit Support: Assist during internal and external audits by providing accurate and comprehensive documentation related to policy exceptions. Answer auditor inquiries and demonstrate adherence to the exception management process.
• Perform the full range of supervisory responsibilities.

Qualifications
Minimum Qualifications
Non-competitive: seven years of information technology, cybersecurity, or information assurance experience**, including one year at the supervisory level.

• Substitutions:

A bachelor's or higher-level degree in any field including or supplemented by 15 semester credit hours in computer science or related field substitutes for three years of required experience; any bachelor's substitutes for two years of required experience.

An associate degree with 15 semester credit hours in computer science or related field may substitute for one year of required experience. Candidates in a bachelor's degree program with at least 15 semester credit hours in computer science or related field may substitute such credits for one year of required experience.

A master's degree or higher in computer science or related field substitutes for one year of required experience.

Additional Comments
ITS will not offer permanent employment to any candidate unless the candidate provides documentation that they are authorized to accept work in the United States on a permanent basis. It is the policy of ITS not to hire F1 or H1 visa holders for permanent employment or to sponsor non-immigrant aliens for temporary work authorization visas or for permanent residence.

Some positions may require fingerprinting.

Some positions may require up to 25% travel and/or lifting up to 50 lbs. Some positions are pending Civil Service approval. Details of position(s) will be described further if you are selected for an interview.

If eligible, positions located in New York City will receive an additional $3,400 downstate adjustment location pay with regular annual salary. Positions located in the Mid-Hudson will receive an additional $1,650 adjustment location pay.

to permanent non-competitive and the official probationary period will begin.

Benefits of Working for NYS Generous benefits package, worth 65% of salary, including:

Holiday & Paid Time Off

• Thirteen (13) paid holidays annually
• Up to Thirteen (13) days of paid vacation leave annually
• Up to Five (5) days of paid personal leave annually
• Up to Thirteen (13) days of paid sick leave annually for PEF.
• Up to three (3) days of professional leave annually to participate in professional development

Health Care Benefits

• Eligible employees and dependents can pick from a variety of affordable health insurance programs
• Family dental and vision benefits at no additional cost

Additional Benefits

• New York State Employees' Retirement System (ERS) Membership
• NYS Deferred Compensation
• Access to NY 529 and NY ABLE College Savings Programs, as well as U.S. Savings Bonds
• Public Service Loan Forgiveness (PSLF)
• And many more.

The Office of Information Technology Services is an equal opportunity employer, and we recognize that diversity in our workforce is critical to fulfilling our mission. We encourage all individuals with disabilities to apply.