POSITION DESCRIPTION


State of Michigan Civil Service Commission
Capitol Commons Center, P.O. Box, Lansing, MI

Position Code: STDDADM1

POSITION DESCRIPTION

This position description serves as the official classification document of record for this position. Please complete the information as accurately as you can, as the position description is used to determine the proper classification of the position.

1. Position Code: STDDADM1
2. Employee's Name (Last, First, M.I.):
3. Employee Identification Number:
4. Civil Service Position Code Description: State Administrative Manager-1
5. Working Title (What the agency calls the position): Information Security and Risk Assessment Manager
6. Name and Position Code Description of Direct Supervisor: HDE, GENA A; STATE DIVISION ADMINISTRATOR
7. Name and Position Code Description of Second Level Supervisor: JAROIS, ROSE M; SENIOR DEPUTY DIRECTOR
8. Department/Agency: DEPARTMENT OF STATE
9. Bureau (Institution, Board, or Commission): Department Services Administration
10. Division: Information Security and Control Division
11. Section:
12. Unit:
13. Work Location (City and Address)/Hours of Work: 20 Richard H. Austin Building, 430 W. Allegan, Lansing / Monday through Friday, 8:00 A.M. to 5:00 P.M.

14. General Summary of Function/Purpose of Position

This position will serve as the manager of the Information Security and Risk Assessment Team and provide oversight for the day-to-day operations. This position is also responsible for providing department-wide direction on information security training and education programs, information security guidance to information system owners, and consultation regarding security awareness, ongoing access management, risk assessment, and data classification issues. The incumbent also serves as the organizational liaison for various audits and compliance reviews, develops processes for monitoring the resolution of audit recommendations, and monitors information security compliance regulations to ensure compliance with industry best practices.

The position will also provide technical direction and support to the department regarding information security risk assessments and develop processes for monitoring and reporting on the resolution of the identified risks. This position will participate in statewide workgroups and collaborate on security-related concerns.

15. Please describe the assigned duties, percent of time spent performing each duty, and what is done to complete each duty. List the duties from most important to least important. The total percentage of all duties performed must equal 100 percent.

Duty 1 General Summary (Percentage: 20)

Serve as the manager of the Information Security and Risk Assessment Team and provide oversight for the day-to-day operations.

Plan, organize, direct, and control the work activities of Information Security team members. Coordinate work by scheduling assignments and directing the work of Information Security team members. Conduct staff meetings to assure appropriate communications are taking place. Establish performance standards, evaluate staff performance, counsel employees, and take appropriate action as required. Advise staff in the resolution of sensitive, complex, or precedent-setting situations. Provide guidance and consultation to the staff to accomplish division goals and initiatives. Select and assign staff, ensuring equal opportunity in hiring, promotion, and other employment practices. Coach employees and assist with their professional development by providing training and workplace opportunities. Promote an environment conducive to high performance, resolution, communication, and teamwork within the department as well as with internal and external entities. Formulate current and long-range programs, plans, and policies for Information Security team members. Other duties as assigned.

Duty 2 General Summary (Percentage: 30)

Provide department-wide direction on information security training and education programs, information security guidance to information system owners, and consultation regarding security awareness, ongoing access management, risk assessment, and data classification issues.

Manage the Department's Information Security website based on current events and industry best practices. Update security policies, procedures, and standards as appropriate. Develop and update the Department's security awareness training programs based on current events impacting information technology and data security. Maintain and update the security portion of the New Employee Orientation and the Annual Notification to employees. Maintain the Department's Security Incident Reporting process and implement a tracking mechanism for monitoring security incidents. Provide continuous monitoring and reporting for outstanding incidents. Provide direction to the department application owners in developing a security monitoring checklist for their respective applications. Perform periodic reviews to ensure application security is managed in an accurate and timely manner. Provide direction to the department application owners in reviewing and classifying the data in their various software applications using guidance provided by the Federal government and the Department of Technology, Management, and Budget. Provide direction to the department application owners in reviewing and documenting the security associated with the various software applications and related risk assessments using guidance provided by the Federal government, the State Budget Office, and the Department of Technology, Management, and Budget.

Duty 3 General Summary (Percentage: 25)

Serve as an organizational liaison for various audits and compliance reviews; develop processes for monitoring the resolution of audit recommendations; and monitor information security compliance regulations to ensure compliance with industry best practices.

Assist the Division Director in serving as Audit Liaison for audits conducted by the Office of the Auditor General and the Office of Internal Audit Services. Attend onsite and offsite meetings regarding audit engagements being performed by agencies external to the Department of State. Track the status of ongoing audit engagements, assist program areas in the development of responses to audit findings, and prepare reports related to ongoing audits, audit findings, and corrective actions. Develop and implement a tracking mechanism for monitoring Office of the Auditor General and Office of Internal Audit Services audit recommendations. Provide continuous monitoring and reporting for outstanding recommendations. Manage, coordinate, and document the Third Party Service Organization Reviews, the SSA Security Compliance Reviews, and other security-related compliance reviews. Research and monitor updates to information security compliance regulations impacting the Department of State information systems, including PCI-DSS (Payment Card Industry Data Security Standard), NIST (National Institute of Standards and Technology) 800 series, COBIT (Control Objectives for Information and Related Technology), FISMA (Federal Information Security Management Act), FedRAMP (Federal Risk and Authorization Management Program), Office of the Auditor General (OAG) audits, Internal Control Evaluation (ICE), Risk, Control Activity and Monitoring (RCAM) resolution, and industry best practices.

Duty 4 General Summary (Percentage: 25)

Provide technical direction and support to the department regarding information security risk assessments and develop processes for monitoring and reporting on the resolution of the identified risks. Participate in statewide workgroups and collaborate on security-related concerns.

Develop and implement a tracking mechanism for monitoring Information System Security Plan and Risk Assessment Plans of Action and Milestones. Provide continuous monitoring and reporting for outstanding risks. Provide technical assistance to help ensure that the internal control evaluation and biennial reporting processes are conducted in accordance with the general framework provided by the State Budget Office. Develop and implement a tracking mechanism for monitoring the completion of the internal control evaluation and biennial reporting processes, and provide continuous monitoring and reporting for outstanding risks. Participate in the Department's information technology initiatives to ensure that new processes or systems meet high standards and do not jeopardize Department records or assets. Collaborate with Michigan Cyber Security on security-related concerns. Prepare executive summaries, publications, and reports. Participate in statewide security workgroups. Create, review, and approve documentation for security and audit compliance, including:
- Policy, Standards, and Procedures for DTMB
- Policy, Standards, and Procedures for MDOS

16. Describe the types of decisions made independently in this position and tell who or what is affected by those decisions.

Decisions made within existing Department policies and procedures.

17. Describe the types of decisions that require the supervisor's review.

Decisions that impact Department, Administration, or Division policies and procedures. Discovery of improper or illegal use of Department records or access to Department information systems.

18. What kind of physical effort is used to perform this job? What environmental conditions is this position physically exposed to on the job? Indicate the amount of time and intensity of each activity and condition. Refer to instructions.

Normal office environment. Periodic travel to the Operations Center and the Secretary of State Secondary Complex.

19. List the names and position code descriptions of each classified employee whom this position immediately supervises or oversees on a full-time, ongoing basis.

NAME / CLASS TITLE
- DEPARTMENTAL SUPERVISOR-2-FZN 11
- DEPARTMENTAL ANALYST-E 10
- DEPARTMENTAL ANALYST-E 10

Additional Subordinates:

20. This position's responsibilities for the above-listed employees include the following (check as many as apply):
- Complete and sign service ratings.
- Assign work.
- Provide formal written counseling.
- Approve work.
- Approve leave requests.
- Review work.
- Approve time and attendance.
- Provide guidance on work methods.
- Orally reprimand.
- Train employees in the work.

22. Do you agree with the responses for items 1 through 20? If not, which items do you disagree with and why?

Yes

23. What are the essential functions of this position?

The essential duties of this position are to serve as the manager of the Information Security and Risk Assessment Team and to provide oversight for the day-to-day operations. This position provides department-wide direction on information security training and education programs, information security guidance to information system owners, and consultation regarding security awareness, ongoing access management, risk assessment, and data classification issues. The position also serves as the organizational liaison for various audits and compliance reviews, develops processes for monitoring the resolution of audit recommendations, and monitors information security compliance regulations to ensure compliance with industry best practices.

The position also provides technical direction and support to the department regarding information security risk assessments and develops processes for monitoring and reporting on the resolution of the identified risks. This position also participates in statewide workgroups and collaborates on security-related concerns. This position must understand the information security compliance regulations impacting the Department of State information systems, including PCI-DSS (Payment Card Industry Data Security Standard), NIST (National Institute of Standards and Technology) 800 series, COBIT (Control Objectives for Information and Related Technology), FISMA (Federal Information Security Management Act), FedRAMP (Federal Risk and Authorization Management Program), Office of the Auditor General (OAG) audits, Internal Control Evaluation (ICE), Risk, Control Activity and Monitoring (RCAM) resolution, and industry best practices. This position will be responsible for ensuring that the Department of State IT applications adhere to security requirements.

24. Indicate specifically how the position's duties and responsibilities have changed since the position was last reviewed.

New Position

25. What is the function of the work area and how does this position fit into that function?

The Information Security and Control Division is responsible for the security and control of departmental information, programs, systems, and applications. This position will serve as the manager of the Information Security and Risk Assessment Team and provide oversight for the day-to-day operations. This position is also responsible for providing department-wide direction on information security training and education programs, information security guidance to information system owners, and consultation regarding security awareness, ongoing access management, risk assessment, and data classification issues. The position also serves as the organizational liaison for various audits and compliance reviews, develops processes for monitoring the resolution of audit recommendations, and monitors information security compliance regulations to ensure compliance with industry best practices. The position will also provide technical direction and support to the department regarding information security risk assessments and develop processes for monitoring and reporting on the resolution of the identified risks.

26. What are the minimum education and experience qualifications needed to perform the essential functions of this position?

EDUCATION:
Possession of a bachelor's degree in any major. The preferred candidate would possess a bachelor's degree in one of the following areas: forensic accounting, auditing, information security, or information systems.

EXPERIENCE:
State Administrative Manager 15: Four years of professional experience, including two years equivalent to the experienced (P11) level or one year equivalent to the advanced (12) level.

Alternate Education and Experience:
State Administrative Manager 15: Education level typically acquired through completion of high school and two years of safety and regulatory or law enforcement experience at the 14 level; or one year of safety and regulatory or law enforcement experience at the 15 level, may be substituted for the education and experience requirements.

Licensure/certification as a Certified Public Accountant, Certified Internal Auditor, and/or Certified Information Systems Auditor is desirable but not required.

KNOWLEDGE, SKILLS, AND ABILITIES:
- Extensive knowledge of the principles and practices of research and analysis.
- Extensive knowledge of professional guidance related to information security/privacy and internal controls.
- Extensive knowledge of COBIT, NIST 800, PCI, FISMA, FedRAMP, ICE, RCAM, and industry best practices.
- Extensive knowledge of Software Development Life Cycle (SDLC) methodology.
- Extensive knowledge of office software programs, particularly Microsoft Word, Access, Excel, and PowerPoint.
- Extensive knowledge of Federal and State laws associated with information security and privacy.
- Extensive knowledge of Federal, State, and Local relationships that impact the operations of a department.
- Extensive knowledge of internal controls.
- Extensive knowledge of employee, Department, and statewide policies and procedures.
- Ability to be organized, creative, adaptable to changing priorities, and dedicated to the security and data management responsibilities of the position.
- Strong skills to analyze multiple and highly complex security and internal control policy issues and opportunities.
- Strong skills to effectively communicate complex system details and issues to both technical and business audiences.
- Ability to interpret laws, rules, and regulations relative to the work.
- Ability to plan, resource, and lead highly complex projects with broad scope and high impact to Agency business.
- Ability to quickly learn and implement new procedures.
- Ability to work collaboratively and establish and maintain good rapport with agency staff at all levels.

CERTIFICATES, LICENSES, REGISTRATIONS:
The position requires that the incumbent possess and maintain a valid driver's license, in accordance with the agency's driving record standards.

NOTE: Civil Service approval does not constitute agreement with or acceptance of the desired qualifications of this position.

I certify that the information presented in this position description provides a complete and accurate depiction of the duties and responsibilities assigned to this position.

Supervisor / Date

TO BE FILLED OUT BY APPOINTING AUTHORITY

Indicate any exceptions or additions to the statements of employee or supervisors.

N/A

I certify that the entries on these pages are accurate and complete.

Appointing Authority / Date

I certify that the information presented in this position description provides a complete and accurate depiction of the duties and responsibilities assigned to this position.

Employee / Date