A full-time IT Security Officer (ITSO) to perform the below tasks and lead the development and maturity of the agency’s enterprise-wide cybersecurity posture.
a. Developing and maintaining agency-specific security plans, policies, and procedures.
b. Interacting with ITS as the primary contact for security related issues.
c. Ensuring that the agency is adhering to the State of Mississippi Enterprise Security Policy.
d. Participating in the state information security listserv.
e. Researching IT industry for security related issues and how it affects the agency specifically.
f. Monitoring security issues within the agency’s IT resources.
g. Facilitating the State Auditor’s Information Systems Audit and the Third-Party Risk Assessment.
The ITSO will also be responsible for leading and coordinating the security effort across all of the agency's vendors and systems. The ITSO will require a combination of technical skillsets, including an in-depth understanding of architecture, security, and privacy, as well as proficiency in written and verbal communication.
The ITSO must also maintain a strong understanding of risk management and governance practices and the use of risk management methodologies.
The ITSO is responsible for strengthening and maintaining the agency’s information security program, including hands-on execution and day-to-day management of the enterprise network, as well as responsibility for all aspects of IT security audits.
1.1. Security Framework, Security Planning, and Regulatory Expertise
1.1.1. Implement a security framework for AGENCY that will enable the agency to maintain compliance with federal and state security regulatory requirements and security controls.
1.1.2. Map processes, policies, procedures, and appropriate documentation to the appropriate security controls within the security framework.
1.1.3. Maintain an in-depth knowledge about the AGENCY technical environment and ensure ongoing security controls are maintained following regulatory requirements and industry best practices.
1.1.4. Keep abreast of the ever-changing security technology in computer systems, network environments, and telecommunication products, including federal and state security frameworks and policies such as NIST publications and the Information Technology Services (ITS) Enterprise Security Policy.
1.1.5. Provide subject matter network and technical expertise in the acquisition/procurement, implementation, configuration, and management of various security products including but not limited to GRC systems, Managed Security Services, IDS/IPS, firewalls, and email/web filtering devices, as well as other security appliances, hardware, and software.
1.1.6. Provide subject matter security expertise across all AGENCY projects to ensure security and privacy compliance with state and federal requirements.
1.1.7 Evaluate technical architecture in multiple environments and make recommendations based on regulatory compliance, best practices, and experience.
1.1.8 Ensure that the Agency's information systems enterprise security planning efforts encompass disaster recovery and business continuity.
1.1.9 Establish security priorities, in collaboration with appropriate AGENCY and vendor personnel and the AGENCY
1.1.10 Represent Information Security at senior leadership meetings and as a member of the Information Security Management Council (ISMC).
1.2 Security Policies and Documentation
1.2.1 Conduct annual review of security policies and update them as needed.
1.2.2 Analyze and refine existing security policies as needed to maintain compliance.
1.2.3 Create additional policies as necessary to address all the control families within the security framework.
1.2.4 Create and maintain standard contractual language concerning security requirements for use in competitive instruments and contracts.
1.2.5 Direct and participate in the preparation and maintenance of reports, policies, processes, procedures, and audit logs, and in the gathering of evidence as necessary to carry out the information security functions of AGENCY.
1.2.6 Prepare regular reports for management, as necessary or requested, to track strategic goals related to the information security posture of AGENCY.
1.2.7 Review security documentation and deliverables submitted by agency partners and provide guidance and feedback as necessary to protect the Agency's confidential information and maintain compliance with state and federal regulations.
1.2.8 Coordinate with AGENCY vendors and staff to write security-related documentation and reports for other state and federal entities, including Advanced Planning Documents, Plans of Action and Milestones (POA&M) reports to governmental agencies, Safeguard Security Reports, and System Design Plans.
1.2.9 Update and maintain the System Security Plans (SSP) and coordinate other Vendors’ updates to SSPs for each system.
1.3 Data Classification / Access Control
1.3.1 Establish/maintain system inventories and data classification protection profiles and assign control element settings for each category of data for which AGENCY is responsible.
1.3.2 Ensure access to confidential information within the AGENCY enterprise systems follows regulatory compliance, and that access is immediately terminated upon the departure of staff members.
1.3.3 Perform periodic review and analysis of active users in AGENCY systems against the terminated and new-hire employee lists provided by Human Resources, to ensure that users have the minimal access necessary to perform their job duties and that terminated employees are removed from systems in a timely manner.
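The periodic access review in 1.3.2 and 1.3.3 is, in practice, a reconciliation of three inputs: the HR roster, the system's user export, and a least-privilege baseline of which entitlements each job role may hold. The following script is an added example, not part of this position description or any agency tool; the HR feed and system export formats, the role baseline, the one-day grace period for disabling terminated users, and the 90-day dormancy threshold are all assumptions, and every record in it is constructed sample data.

```python
"""Added example: reconcile active system accounts against the HR roster.

Not part of the original position description. All data below is
constructed sample input; the field layouts are assumptions about what
an HR feed and a system user export might look like.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed HR feed: employee id -> (status, termination date, job role)
HR_ROSTER = {
    "e1001": ("active", None, "claims_clerk"),
    "e1002": ("terminated", date(2024, 5, 31), "claims_clerk"),
    "e1003": ("active", None, "dba"),
    "e1004": ("terminated", date(2024, 6, 14), "analyst"),
    "e1005": ("active", None, "analyst"),   # new hire, no account yet
    "e1006": ("active", None, "analyst"),
}

# Constructed system export: username -> (employee id, entitlements, last login)
SYSTEM_ACCOUNTS = {
    "jdoe":    ("e1001", {"claims_read", "claims_write"}, date(2024, 6, 20)),
    "asmith":  ("e1002", {"claims_read"}, date(2024, 6, 18)),  # terminated, still enabled
    "bwong":   ("e1003", {"db_admin", "claims_read", "claims_write"}, date(2024, 6, 21)),
    "tlee":    ("e1006", {"claims_read"}, date(2023, 12, 1)),  # dormant account
    "svc_old": (None, {"db_admin"}, date(2023, 1, 2)),         # no HR owner on record
}

# Least-privilege baseline (assumed): entitlements each job role may hold.
ROLE_BASELINE = {
    "claims_clerk": {"claims_read", "claims_write"},
    "dba": {"db_admin"},
    "analyst": {"claims_read"},
}

AS_OF = date(2024, 6, 30)   # review date (assumed)


@dataclass
class Findings:
    terminated_still_active: list = field(default_factory=list)
    orphaned_accounts: list = field(default_factory=list)
    excess_entitlements: dict = field(default_factory=dict)
    dormant_accounts: list = field(default_factory=list)
    missing_accounts: list = field(default_factory=list)


def reconcile(hr, accounts, baseline, as_of, grace_days=1, dormant_days=90):
    """Compare the system export with HR and return the review findings."""
    f = Findings()
    seen = set()
    for user, (emp, ents, last_login) in accounts.items():
        if emp is None or emp not in hr:
            f.orphaned_accounts.append(user)        # nobody in HR owns this login
            continue
        seen.add(emp)
        status, term_date, role = hr[emp]
        if status == "terminated" and (as_of - term_date).days > grace_days:
            f.terminated_still_active.append(user)  # should already be disabled
            continue
        extra = ents - baseline.get(role, set())    # rights beyond the role baseline
        if extra:
            f.excess_entitlements[user] = sorted(extra)
        if (as_of - last_login).days > dormant_days:
            f.dormant_accounts.append(user)
    for emp, (status, _, _) in hr.items():
        if status == "active" and emp not in seen:
            f.missing_accounts.append(emp)          # active employee never provisioned
    return f


def run_review():
    return reconcile(HR_ROSTER, SYSTEM_ACCOUNTS, ROLE_BASELINE, AS_OF)


if __name__ == "__main__":
    for name, value in vars(run_review()).items():
        print(f"{name}: {value}")
```

Each finding category maps to a different remediation owner: terminated-but-active and orphaned accounts go to the system administrator for immediate disablement, excess entitlements go to the data owner for a least-privilege decision, and missing accounts go back to HR and provisioning. Running the review on a fixed schedule and keeping the output is also the evidence an auditor will ask for under the access-control family.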
1.4 Workforce Security Training and Collaboration with AGENCY Offices and Agency’s Business Partners
1.4.1 Establish and maintain a security awareness program for the Agency's workforce, including roles with access to Personally Identifiable Information (PII) and Federal Tax Information (FTI).
1.4.2 Manage Agency’s security training efforts.
1.4.3 Foster a culture of security among Agency’s workforce.
1.4.4 Promote the ongoing goal of increasing the overall security and privacy posture of the Agency's enterprise, covering on-premises systems as well as vendor-hosted and vendor-managed systems.
1.4.5 Coordinate security activities between other business units within the agency, vendors, partners, and state and federal agencies.
1.4.6 Establish and manage a security/compliance committee comprised of a representative cross-section of AGENCY stakeholders.
1.4.7 Collaborate with Legal, Privacy, Human Resources, OHIT management and staff, and other personnel as appropriate in matters relevant to information security.
1.4.8 Coordinate and collaborate extensively with the AGENCY
2 Refine, strengthen, and maintain a security governance, risk management, and compliance program encompassing operational, procedural, technical, architectural, and physical access components.
2.1 Risk Management
2.1.1 Ensure agency, partners, and vendors meet or exceed all AGENCY security and privacy requirements and contractual obligations related to information security and that any risks or deficiencies are documented, and a corrective action plan is agreed upon and followed.
2.1.2 Evaluate technical systems and generate written reports documenting vulnerabilities, configuration deficiencies, design defects, or other risks to the security of AGENCY information systems environments, together with engagement findings.
2.1.3 Biannually conduct risk analyses of all systems involved in compliance with federal regulations to identify and implement necessary safeguards.
2.1.4 Perform and coordinate risk analysis tasks related to the security and privacy of Agency’s enterprise IT environment, including risk mitigation plans, risk prioritization, and the elimination or minimization of risks.
2.1.5 Manage Agency’s Security Risk Strategy.
2.2.1 Monitor and advise OHIT and the Office of Data Governance in the creation of the contractual requirements of partner and vendor security and privacy requirements for federal, state, and OHIT policy, regulatory, and legal compliance.
2.2.2 Perform network-based infrastructure scans, database scans, web application scans, and penetrations tests when necessary to determine that Agency’s technical environment meets security control requirements.
2.2.3 Identify security vulnerabilities and ensure Agency’s compliance with the major security guidelines such as NIST, and other applicable security safeguards.
2.2.4 Regularly assess threat levels and recommend needed adjustments to existing security policies. Work with appropriate AGENCY vendor personnel and AGENCY staff to prioritize and schedule the remediation tasks necessary to address audit findings in a timely manner.
2.2.5 Test firewall, router, system, and database configurations and access control rules to ensure compliance with required standards and with documented policies.
2.2.6 Implement, manage, and administer a solution once it has been procured.
2.2.7 Evaluate security-related tasks to be outsourced and provide subject matter expertise for procuring Managed Security Services (MSS).
2.2.8 Provide oversight and administration of Agency’s managed security service provider(s) once procured.
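The configuration and rule testing in 2.2.5 is most repeatable when the documented standard is turned into checks that run against an exported rule set. The script below is an added example, not code from this position description or from any agency firewall product; the rule export format (an ordered list, first match wins), the list of management ports, and the four policy checks (explicit deny-all last, no permit any/any/any, no management port open to any source, a change ticket on every permit rule) are assumptions standing in for whatever the agency's written standard actually requires, and the rules themselves are constructed.

```python
"""Added example: check an exported firewall rule set against documented policy.

Not code from the original position description. The rule format is a
constructed, simplified export (ordered, first match wins); the policy
checks are assumptions about what the documented standard requires.
"""
from ipaddress import ip_network

# Constructed rule export. "any" port means all ports.
RULES = [
    {"id": 10, "action": "permit", "src": "10.20.0.0/16", "dst": "10.30.5.10/32", "port": 443,   "ticket": "CHG-1042"},
    {"id": 20, "action": "permit", "src": "0.0.0.0/0",    "dst": "10.30.5.20/32", "port": 22,    "ticket": "CHG-0993"},
    {"id": 30, "action": "permit", "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",     "port": "any", "ticket": ""},
    {"id": 40, "action": "permit", "src": "10.20.0.0/16", "dst": "10.30.5.30/32", "port": 1433,  "ticket": "CHG-1101"},
    {"id": 50, "action": "deny",   "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",     "port": "any", "ticket": "baseline"},
]

# Assumed policy: these ports may never be reachable from an unrestricted source.
MGMT_PORTS = {22, 3389, 5985, 5986}


def is_any(cidr):
    """True for a /0 network, i.e. 'any' source or destination."""
    return ip_network(cidr).prefixlen == 0


def check_rules(rules):
    """Return (rule id, problem) pairs; an empty list means the set is compliant."""
    findings = []
    last = rules[-1] if rules else None
    if last is None or last["action"] != "deny" or not (
        is_any(last["src"]) and is_any(last["dst"]) and last["port"] == "any"
    ):
        findings.append((None, "rule set does not end with an explicit deny-all"))

    shadowed_by = None   # id of a permit any/any/any that makes later rules unreachable
    for r in rules:
        if shadowed_by is not None:
            findings.append((r["id"], f"unreachable: shadowed by rule {shadowed_by}"))
            continue
        if r["action"] != "permit":
            continue
        wide_open = is_any(r["src"]) and is_any(r["dst"]) and r["port"] == "any"
        if wide_open:
            findings.append((r["id"], "permit any/any/any"))
        if is_any(r["src"]) and r["port"] in MGMT_PORTS:
            findings.append((r["id"], f"management port {r['port']} exposed to any source"))
        if not r["ticket"]:
            findings.append((r["id"], "no change ticket or business justification"))
        if wide_open:
            shadowed_by = r["id"]   # everything after this rule never matches
    return findings


if __name__ == "__main__":
    for rule_id, problem in check_rules(RULES):
        print(f"rule {rule_id}: {problem}")
```

Two of the checks are worth calling out. A rule set can pass a simple "is there a deny-all at the end" check and still be wide open if an earlier permit any/any/any shadows it, which is why the script tracks reachability rather than looking only at the last rule. And the missing-ticket check ties the technical test back to 1.2.4 and 2.1.1: a rule with no documented business justification is a finding even when it is technically narrow.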
2.3.1 Lead ongoing audit or assessment activities by managing and responding to all IT audits (regular and ad hoc) involving technology and security matters: facilitating, gathering, and supplying documentation when required, reviewing findings, and developing and managing to completion remediation plans for those findings. These audits by state and federal entities include but are not limited to the Mississippi Office of the State Auditor, Internal Auditors, the IRS, and the Office of the Inspector General (OIG).
2.3.2 Participate in each audit entry and exit meeting and work with the auditors to establish their requirements.
2.3.3 Consolidate the Agency's responses into a cohesive and understandable response to the auditor's requests for information.
2.3.4 Respond to audit findings/questions and manage all remediation efforts.
2.3.5 Develop and manage an enterprise-wide approach and process for managing security remediation tasks from all audit findings which includes the analysis and inspection of Agency’s enterprise technical environment.
3 Manage and be accountable for responses to breaches/security incidents with the AGENCY Incident Response Team/Information Security Management Council:
3.1 Alongside the Incident Response Team, immediately review any security event, including any potential incident or breach.
3.2 Provide reports when necessary on security events.
3.3 Escalate security events to AGENCY leadership, Office of General Counsel, and follow-up on suspected or actual violations/intrusions that affect the confidentiality, integrity, and availability of Agency’s enterprise information systems.
3.4 Assess potential breaches and respond accordingly.
3.5 Upon report of an incident, work with the AGENCY and other parties as necessary to gather and validate the facts.
3.6 Evaluate the facts surrounding an incident and weigh them to determine whether a breach has occurred.
3.7 Follow security protocols for reporting the incident/breach to the appropriate authorities, as necessary.
4 Typical Projects
4.1 Assessing incidents for potential breaches.
4.2 Performing risk assessments.
4.3 Reviewing and modifying security policies.
4.4 Performing regular security vulnerability scans on the AGENCY enterprise.
4.5 Managing and updating the status of risk mitigations and remediations.
4.6 Reviewing and providing security subject matter expertise to Agency’s third party contracts and other deliverable documents to ensure that adequate security controls are in place to protect Agency’s data.
4.7 Managing all audits involving technology and security matters, including facilitating, gathering and supplying documentation.
4.8 Management and administration of the System Security Plans (SSPs).
5 Complexity of Work
5.1 Work requires competency with security issues and an understanding of how attackers compromise multiple operating systems and different types of computer hardware and software across multiple architectures (on-premises, hybrid, and cloud-based).
5.2 Ability to use tools and diagnostics to evaluate the security threats to Agency’s network.
5.3 Typical Team Size:
5.3.1 The IT Security Officer will work collaboratively with the Chief of HDOR,