Please note: State agencies that contact job applicants do not usually request personal or financial information via text message or over the phone in connection with your response to a job posting. If you are contacted for such information by these methods, or any other method, please verify the identity of the individual before transmitting such information to that person.
Note: For questions about the job posting, please contact the agency that posted this position by using the contact information provided on the "Contact" tab for the position.

Review Vacancy

Date Posted 09/20/17

Applications Due 09/30/17

Vacancy ID 43957

NY HELP No

Agency Information Technology Services, Office of

Title Project Assistant/Risk Assessment, NS, Ref. #18430R, Equated to SG23

Occupational Category I.T. Engineering, Sciences

Salary Grade NS

Bargaining Unit PS&T - Professional, Scientific, and Technical (PEF)

Salary Range From $0 to $90876 Annually

Employment Type Full-Time

Appointment Type Temporary

Jurisdictional Class Competitive Class

Travel Percentage 0%

Workweek Mon-Fri

Hours Per Week 37.5

Workday

From 9 AM

To 5 PM

Flextime allowed? No

Mandatory overtime? No

Compressed workweek allowed? No

Telecommuting allowed? No

County Albany

Street Address Averell Harriman State Office Campus

Building #5, 1st Floor

City Albany

State NY

Zip Code 12226

Minimum Qualifications Seven years of experience in Information Security, including at least three years of specialized experience performing Risk Assessments and Security Management.
The following degrees, preferably in Information or Cyber Security, Business, Computer Science, or related field, may substitute for the general experience as indicated:
• Associate’s degree and five years of experience
• Bachelor’s degree and three years of experience
• Master’s degree and two years of experience
• Doctorate and one year of specialized experience
Preferred Qualifications:
In addition to the technical background, the ideal candidate will possess at least six months of experience in the following:
• Application Risk Assessments at an Enterprise Level
• Business intelligence, dashboard creation and maintenance, automated report generation, and data analytics

Duties Description Within Risk Management of the Enterprise Information Security Office located in Albany, the Project Assistant, NS, SGE23, item 18430 will function as part of a specialized risk management team, charged with analyzing security data on high-profile application systems and data and the supporting infrastructure for ITS Core services. The incumbent will engage in data mining, baselining, and predictive and prescriptive analysis to detect and defend against information and system cyber attacks.

Specific duties include, but are not limited to, the following:
• Assist with the development, maintenance, and support of a standardized NIST-based Risk Assessment process, performing Risk Assessments on the 370 highest-profile application systems supported by ITS;
• Write Risk Assessments and perform Risk Assessment Reviews with Cluster, Chief Technology Office (CTO), and Chief Operations Office (COO) staff members;
• Develop, test, and roll out a comprehensive "Level 3" Risk Assessment aligned with National Institute of Standards and Technology (NIST) 800-53 controls. Guide cluster Subject Matter Expert staff through this approximately two-month deep-dive process for the 50 Application systems determined to be the most vulnerable;
• Work with team to implement an Enterprise-wide GRC tool, including developing the process of utilizing the GRC tool to perform Risk Assessments, ingesting data from the existing Risk Assessment System, and administering a Risk Management program through this tool. Determine how the data collected can be ingested and utilized to/from this GRC tool to perform Data Analytics;
• Work with team to create processes to assess the IT Security Risk of Enterprise Core Services and perform risk assessment on 50 core services in an effort to tie together ITSM Incident, Problem, and Change tickets along with Asset Inventory information, log files, and scanning results as they relate to these core services;
• Ensure secure development by leveraging Secure Systems Development Lifecycle (SSDLC) and implemented internal controls;
• Review privileged account use, providing recommendations and oversight to ensure data is accessible on a least privilege and need to know basis;
• Develop and manage a tracking system for Risk Remediation efforts integrated into dashboards and automated Risk Scoring;
• Assist members of CTO in the design and creation of a security risk data cube to ensure information needed for security analytics is available in a standardized manner;
• Perform data analytics and produce dashboards to display the prevalence of risk across all applications;
• Work with a team to create a BI online solution to suit customer requirements and needs;
• Analyze collected data including assessing prioritization of risk, risk control implementation of ROI, assessing probability and impact of risk, and visualization of data in clear and understandable fashion;
• Contribute to the determination of how EISO can utilize BI and data analytics to effectively measure the maturity of organizations in implementing SSDLC practices;
• Participate in the integration of multiple data sets from disparate tools into a single repository GRC tool.

Additional Comments This position is pending DOB approval. Some positions may require additional credentials, fingerprinting, or a background check to verify your identity.

Name Amy Sacco

Telephone 518-473-0398

Fax 518-402-4924

Email Address HR.Recruitment@its.ny.gov

Address

Street Empire State Plaza

PO Box 2062

City Albany

State NY

Zip Code 12220

Notes on Applying Please submit a clear, concise cover letter and resume indicating that you are applying for Project Assistant/Risk Assessment, Ref. #18430R and describing how you qualify no later than September 30, 2017.
