Deputy Ciso, Agency Information Security Officers (Data Systems Administrator)

Deputy CISO, Agency Information Security Officers (Data Systems Administrator)

About Us:

The Ohio Department of Administrative Services (DAS), Office of Information Technology (OIT) is seeking an experienced and motivated professional to serve as our Lead Agency Information Security Officer (Enterprise Information Security Manager)for the Office of Information Security and Privacy within the Office of Information Technology at DAS.

What You'll Do:

The Office of Information Security and Privacy (OISP) provides cybersecurity and privacy services to all state agencies, boards, and commissions, and collaborates with the non-executive branch offices (i.e., Secretary of State).

The Lead Agency Information Security Officers has strategic and operational oversight of cybersecurity risk management services provided to agencies, including: risk assessments, cybersecurity and privacy framework, training and awareness, audit responses, vendor risk assessments, and state agency cybersecurity reporting. Additionally, the Lead AISO Team Management: Provide leadership, guidance, and supervision to team of Agency Information Security Officers (AISOs) responsible for guiding agency implementation and monitoring Information Security and privacy activities at state agencies.

• Cybersecurity Program Development: Drive the development and implementation of the agency's Information Security program, policies, and procedures, ensuring compliance with applicable laws, regulations, and industry standards. Coordinate OISP tools and services with AISOs and their assigned agencies.
• Risk Assessment and Mitigation: Conduct risk assessments to identify potential vulnerabilities and threats to state data and systems and develop appropriate strategies and implement necessary controls to mitigate identified risk. Collaborate with AISOs to implement risk mitigation measures.
• Reporting. Develop and maintain agency cybersecurity reporting to agency CIO, State CISO, and other stakeholders
• Security Awareness and Training: Support agency security awareness and training programs to educate employees and contractors/staff aug on security measures, policies, and best practices.
• Incident Response Management: Support agency incident response planning and ensure AISOs are trained on incident response procedures. Participate in agency incident response, including containment, investigation, restoration, and remediation
• Compliance and Audit: Support agency compliance with internal and external regulations, standards, and frameworks. Collaborate with AISOs to support agency cybersecurity and privacy audits, assessments, remediation plans, and security reviews.
• Security Architecture: Collaborate with agency IT teams and architects to ensure that security requirements are incorporated into system and network designs. Provide guidance on secure configurations, identity and access management, infrastructure, and technologies.
• Vendor and Third-Party Risk Management: Collaborate with agency to perform due diligence, contract review, and ongoing security assessment of vendors.
• Incident Reporting and Communication: Prepare and present reports on the organization's security posture, incidents, and remediation efforts to senior management and relevant stakeholders. Communicate effectively with internal and external audiences.
• Industry Knowledge and Research: Stay updated on emerging trends, technologies, threats, and best practices in the cybersecurity field. Conduct research and share relevant knowledge with the ISO team to enhance their capabilities.
• Technical Expertise: Maintain a deep understanding of technical concepts and industry standards in cyber security, including network security, encryption, access controls, threat intelligence, and incident management tools.

Adheres to OISP Values.

Performs other administrative functions as required:

• Performs management duties to include, staff evaluations, staff coverage during absences, payroll approvals, and scheduling;
• Provides support for team members to pursue certifications and training;
• Assists in hiring processes and makes hiring recommendations;
• Provides recommendations for organizational improvement in the cybersecurity program;
• Provides input in the OISP Cybersecurity Risk Assessment, Strategy, and related materials;
• Provides technical advice and guidance to the CISO, IT Managers, and IT staff; and
• Maintains cybersecurity professional and manager expertise.

What’s in it for you:

At the State of Ohio, we take care of the team that cares for Ohioans. We provide a variety of quality, competitive benefits to eligible full-time and part-time employees. For a list of all the State of Ohio Benefits, visit our Total Rewards website! Our benefits package includes:

Medical Coverage

• Quality, affordable, and competitive medical benefits are offered through the available Ohio Med plans.

Dental, Vision and Basic Life Insurance

• Dental, vision, and basic life insurance premiums are free after completed eligibility period. Length of eligibility period is dependent on union representation.

Time Away From Work and Work/Life Balance

• Paid time off, including vacation, personal, and sick leave
• 11 paid holidays per year
• Childbirth/Adoption leave

Employee Development Funds

• The State of Ohio offers a variety of educational and professional development funding that varies based on whether you are a union-exempt employee or a union-represented employee.

Ohio Public Employees Retirement System

• OPERS is the retirement system for State of Ohio employees. The employee contributes 10% of their salary towards their retirement. The employer contributes an amount equal to 14% of the employee’s salary. Visit the OPERS website for more information.

Deferred Compensation

• The Ohio Deferred Compensation program is a 457(b) voluntary retirement savings plan. Visit the Ohio Deferred Compensation website for more information.

Minimum Qualifications:

9 yrs. exp. commensurate with job duties to be performed & knowledges & skills required as outlined in approved position description on file for position to be filled as advertised in job posting; 2 yrs. (30 mos.) supervisory or project management exp.; 3 courses or 9 mos. exp. in budgeting.
Or completion of undergraduate core coursework in computer science, business or public administration, data processing, engineering, geology, mathematics or comparable academic major which included at least one course in each of following: advanced computer programming language (e.g., COBOL, Delphi, Java, Powerbuilder, Visual Basic), logic-based mathematics, data base processing concepts (e.g., Oracle, Microsoft Access, Paradox, Sybase, IMS DB, DB 2) & basic data processing concepts; additional 8 yrs. education or exp. commensurate with job duties to be performed & knowledges & skills required as outlined in approved position description on file for position to be filled as advertised in job posting; 2 yrs. (30 mos.) supervisory or project management exp.; 3 courses or 9 mos. exp. in budgeting. Note: Associate degree in one named or comparable academic majors may be substituted for required undergraduate core coursework.
Or equivalent of Minimum Class Qualifications For Employment noted above.

Knowledge, Skills, and Abilities:

Knowledge:

• Applicable business processes and operations of customer organizations
• Applicable laws (e.g.., Federal and State computer security and privacy laws)
• Procurement procedures
• Current and emerging threats/threat vectors
• Current industry methods for evaluating, implementing, and disseminating IT security assessment, monitoring, detection and remediation tools and procedures utilizing standards-based concepts and capabilities
• Enterprise incident response program, roles, and responsibilities
• Information Assurance principles used to manage risks related to the use, processing, storage, and transmission of information or data
• Industry-standard and organizationally accepted analysis principles and methods
• Known vulnerabilities from alerts, advisories, errata, and bulletins
• Measures or indicators of system performance and availability
• Network security architecture concepts including topology, protocols, components, and principles (e.g., application of Defense-in-Depth)
• Network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools
• New and emerging IT and Information Security technologies
• Personally Identifying Information (PII), Health Insurance Portability and Accountability Act (HIPAA), National Institute of Standards and Technology (NIST) 800-53, and personal Payment Card Industry (PCI) data security standards
• Risk management processes, including steps and methods for assessing risk
• Server and client operating system;
• Systems lifecycle management principles, including software security and usability
• The organization*.

• Creating policies that reflect system security objectives
• Determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes

Abilities:

• Create & read flowcharts
• Interpret extensive variety of technical material in books, manuals, & network/system diagrams
• Cooperate with coworkers on projects & group activities
• Define problems, collect data, establish facts and draw valid conclusions
• Read and understand a variety of technical and non-technical matters.
• Maintain confidentiality of sensitive information

• developed after employment.

Job Skills: Cybersecurity, Information Technology, Technical Writing, Public Speaking, Customer Focus

Ohio is a Disability Inclusion State and strives to be a model employer of individuals with disabilities. The State of Ohio is committed to providing access and inclusion and reasonable accommodation in its services, activities, programs and employment opportunities in accordance with the Americans with Disabilities Act (ADA) and other applicable laws.

The State of Ohio is a drug-free workplace which prohibits the use of marijuana (recreational marijuana/non-medical cannabis). Please note, this position may be subject to additional restrictions pursuant to the State of Ohio Drug-Free Workplace Policy (HR-39), and as outlined in the posting.

Applying for position:

• When completing your online Ohio Civil Service Application, be sure to clearly describe how you meet the minimum qualifications outlined on this job posting.
• All answers to the supplemental questions must be supported by the work experience/education provided on your civil service application.
• If you require a reasonable accommodation for the application process, please email the Human Resources contact on this posting so arrangements can be made.

Hybrid Telework Schedule: 2 days a week in-office and 3 days a week from remote primary home location. This schedule is subject to change at any time based on business need.

The final candidate selected for this position will be required to undergo a criminal background check. Criminal convictions do not necessarily preclude an applicant from consideration for a position. An individual assessment of an applicant's prior criminal convictions will be made before excluding an applicant from consideration.