Agency Information Security Professional 2

· The final candidate selected for this position will be required to undergo a criminal background check as well as other investigative reviews. Criminal convictions do not necessarily preclude an applicant from consideration for a position, unless restricted under state or federal law or federal restrictions. An individual assessment of an applicant's prior criminal convictions will be made before excluding an applicant from consideration.

· The Ohio Department of Education and Workforce is an Equal Opportunity/Affirmative Action Employer that values diversity and seeks talented individuals from diverse backgrounds. Candidates are considered for employment without regard to race, color, sex, sexual orientation, gender identity, religion, creed, national or ethnic origin, citizenship status, age, disability, veteran status or any other legally protected class. Questions or concerns about this should be directed to the Office of Human Resources ().

Ohio is a Disability Inclusion State and strives to be a model employer of individuals with disabilities. The State of Ohio is committed to providing access and inclusion and reasonable accommodation in its services, activities, programs and employment opportunities in accordance with the Americans with Disabilities Act (ADA) and other applicable laws.

The State of Ohio is a drug-free workplace which prohibits the use of marijuana (recreational marijuana/non-medical cannabis). Please note, this position may be subject to additional restrictions pursuant to the State of Ohio Drug-Free Workplace Policy (HR-39), and as outlined in the posting.

48 mos. exp. in computer data security either through monitoring system/network traffic for anomalous activity, systems development or controlling accessibility of data.

-Or completion of associate core program in computer science; 30 mos. trg. or 30 mos. exp. in computer data security either through monitoring system/network traffic for anomalous activity, systems development or controlling accessibility of data.

-Or completion of undergraduate core program in computer science; 24 mos. trg. or 24 mos. exp. in computer data security either through monitoring system/network traffic for anomalous activity, systems development or controlling accessibility of data.

-Or completion of graduate core program in computer science; 12 mos. trg. or 12 mos. exp. in computer data security either through monitoring system/network traffic for anomalous activity, systems development or controlling accessibility of data.

-Or 12 mos. exp. as Agency Information Security Professional 1, 69991.

-Or equivalent of Minimum Class Qualifications For Employment noted above. Job Skill\: Cybersecurity

About Us:

The Ohio Department of Education and Workforce is a diverse team of passionate, education-focused professionals responsible for overseeing and enhancing the quality of education for each of Ohio’s 1.7 million students. The Department provides the resources and supports essential to raising student achievement and accelerating learning opportunities, advancing the connectivity between K-12 and postsecondary learning, creating programs to support and expand workforce experiences, and ensuring students have the necessary supports to be ready each day to learn.

As the governing body responsible for overseeing and enhancing the quality of education within the State of Ohio, the Department of Education and Workforce is dedicated to promoting educational excellence and ensuring equal access to learning opportunities for all students. The Department is committed to collaborating with schools, districts, educators, students, families, businesses, nonprofits and all stakeholders to achieve our educational goals.

The Ohio Department of Education and Workforce is seeking an experienced information security professional to help us expand, improve, and secure the applications and services we provide to our workforce and to schools and families.

Information Technology Office

The Information Technology Office (ITO) provides technology services to Ohio’s schools and districts, students and families, and the agency workforce. By joining our team, you will become a contributor to some of the most important services in the Ohio K-12 education system. We create and maintain the systems that fund schools and districts, provide school choice opportunities and scholarships to parents, help students obtain college credit while still in high school, and much more. Your work can directly impact the education of Ohio’s children!

What You’ll Do

The primary role of the Agency Information Security Professional is to ensure that the agency’s applications and services, both internal and public facing, are secure from exploitation, fraud, and intrusion. The successful candidate will have a growth mindset to help the agency balance the risks of new and fast-changing technology with the exciting opportunities it creates. Excellent communication skills are a must to enable team collaboration and information sharing with the CIO, other IT leaders, and the state enterprise information security team.

Key responsibilities include:

· Serve as the agency’s information security and privacy subject matter expert

· Manage incident response activities, including maintaining and proactively testing the plan and playbooks

· Configure, monitor, and support enterprise security tools

· Maintain and enforce security policies and procedures

· Review vendor contracts, terms, etc. to ensure alignment to agency and state requirements

Key tools in use today that the successful candidate will use include Qualys, CrowdStrike, BlueCoat, and Azure Advisor. Tools related to security used by other IT teams include Github Advanced Security and SonarQube for app developers, and SCCM and InTune by IT Operations.

For more details, see the complete position description below.

Complete Position Description

Primary Technology: Security Monitoring

Secondary Technology: Security Software and Hardware

Monitor and ensure cybersecurity posture for the agency. (50%)

· Acts as the agency’s primary administrator for state enterprise security tools (e.g. Qualys, Crowdstrike, BlueCoat, Azure Advisor), including establishing access levels for and monitoring use by other agency personnel.

· Review user authorization reports, vulnerability management reports, and/or other security reports and logs from state enterprise and/or agency tools. Identify significant gaps. Develop and coordinate remediation efforts with other IT teams.

· Conduct and administer security tests (e.g. tabletop exercises, penetration tests, backup/restore, resiliency and failover, scheduled scans).

· Participate in and/or coordinate risk assessments. Coordinate remediation efforts for IT risks.

· Maintain the agency Incident Response Plan. Design new and update existing incident response playbooks with other IT teams.

· Assist other IT teams (developers, IT operations, DBAs, data professionals) in analyzing, identifying, and implementing the security requirements for new systems.

· Develop and review authorization and assurance documents, including privacy impact assessments, to confirm acceptable risk for software applications and systems.

· Provide guidance to agency development staff on best practices on coding and using state enterprise tools to create secure code.

· Evaluate requests for security exceptions. Submit and coordinate exception requests with the state enterprise security office.

Act as the security and privacy subject matter expert. (30%)

· Develops, maintains, and enforces information security and privacy policies and procedures for the agency. Monitor changes in state enterprise policy that impacts agency security or privacy policy.

· Review vendor contracts, terms of service, security documents, and other resources during product/service procurement and/or proposal review to determine alignment to state and agency security requirements.

· Participate in state enterprise security and privacy workgroups, conferences, or other collaboratives.

· Liaisons with the state enterprise security office.

Manage incident response activities. (10%)

· Performs triage of potential security incidents to determining scope, urgency, potential impact, summarizing findings, and recommending whether an incident should be declared.

· Coordinate incident response activities according to the agency’s Incident Response Plan and playbooks.

· Facilitate communications with agency leadership, state enterprise security, and others according to the Plan.

· Collects and analyzes evidence and artifacts (e.g., equipment, logs, files, source code, malware, trojans) as needed for state enterprise security, Legal, or others. Documents original condition of digital &/or associated evidence. Ensures chain of custody is followed.

Professional Development (5%)

With the supervisor, creates and follows a professional development plan.

Maintains and updates job related skills using available resources, including (but not limited to) online training provided by the agency and partner agencies or companies; relevant books, articles, webinars, forums, and conferences; or other resources deemed appropriate by the supervisor.

Shares acquired knowledge with peers and co-workers, in both informal (one-on-one, team meetings) and structured settings (trainings, mentorships, etc.) as appropriate. Plans and conducts knowledge transfer activities for peers and/or co-workers via verbal instruction, technical documentation, presentations, or other means.

Other duties as assigned. (5%)

The work location of this position is 25 South Front Street, Columbus, Ohio 43215. You will be required to report to this work location full-time, if selected.

At the State of Ohio, we take care of the team that cares for Ohioans. We provide a variety of quality, competitive benefits to eligible full-time and part-time employees*. For a list of all the State of Ohio Benefits, visit our Total Rewards website! Our benefits package includes:

Medical Coverage

Free Dental, Vision and Basic Life Insurance premiums after completion of eligibility period

Paid time off, including vacation, personal, sick leave and 11 paid holidays per year

Childbirth, Adoption, and Foster Care leave

Education and Development Opportunities (Employee Development Funds, Public Service Loan Forgiveness, and more)

Public Retirement Systems (such as OPERS, STRS, SERS, and HPRS) & Optional Deferred Compensation (Ohio Deferred Compensation)

*Benefits eligibility is dependent on a number of factors. The Agency Contact listed above will be able to provide specific benefits information for this position.