State of Maryland
Governance, Risk and Compliance Analyst
State of Maryland, Maryland Line, Maryland, us, 21105
Introduction
The Department of Information Technology (DoIT) provides support to state agencies, the Executive Office of the Governor, the Governor's coordinating offices, and a variety of independent agencies within the Executive Branch.
Striving to provide the highest level of customer service to its internal and external customers, DoIT supports Maryland's agencies and commissions through its leadership and strategic direction for Information Technology and Telecommunications, establishing a long range, target technology architecture, encouraging cross agency collaboration and advocating best practices for operations and project management.
**This is an internal recruitment for Dept. of Information Technology employees only.**
GRADE
STD 0023
LOCATION OF POSITION
100 Community Place, Crownsville, Maryland 21032
POSITION DUTIES
The Governance, Risk and Compliance (GRC) Analyst will support the GRC Manager in the execution of risk and controls assessments, system authorization-to-operate (ATO) assessments, and associated processes to manage these programs across units of State government. As part of the risk and controls assessments, the GRC Analyst will support the implementation of a statewide GRC module and system that generates and manages risk registers, issue tracking, corrective action plans (CAPs), and key metric reporting for DoIT operations and security executives, agency leadership, and the Governor's Office. The GRC Analyst will assist with the continued development, maintenance, enhancement, and execution of assessments that fully integrate State of Maryland and DoIT required security standards, NIST control frameworks, and regulatory compliance standards and regulated data types (PII, PCI, PHI, CJIS, FTI).
Position duties include but are not limited to:
Analyze governance, risk, and compliance (GRC) programs, complex GRC projects, and assessments for large organizations, including supporting the building of the GRC program and developing the program's processes, procedures, and technologies.
Conduct system and risk assessments, including resolution of discovered issues and development of plan of action and milestones (POA&M) documentation.
Update enterprise-level IT and cybersecurity risks, including updating a risk register, quantifying the risk impact, developing risk mitigation strategies, reducing risk, and evaluating risk acceptance by management.
Assist in the design and use of the Agency's GRC software solution to support the organization's cybersecurity and risk assessments, authorization to operate (ATO), processes and procedures, privacy assessments, compliance issue mitigation, and POA&Ms which align with known or established compliance frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), NIST SP 800-53, Center for Internet Security (CIS) Critical Security Controls (CSC), and International Organization for Standardization (ISO) 27001.
Contribute to the Agency's third-party vendor risk management program, including assessments and attestations made by such organizations in the form of Service Organization Control (SOC) 2 Type II audits and related vulnerability assessments.
Support Agency Privacy Officer functions.
MINIMUM QUALIFICATIONS
Experience: Four years of experience in Information security as it relates to policy creation regarding compliance, legislation, governance programs and/or supporting internal audits.
Notes:
1. Candidates may substitute a bachelor's degree in IT security management, IT management, information security, political science, business management, communications, or public administration with cybersecurity experience or a related field for up to two years of the required experience.
DESIRED OR PREFERRED QUALIFICATIONS
Preference will be given to applicants who possess the following preferred qualification(s). Include clear and specific information on your application regarding your qualifications.
Experience performing security or risk assessments.
Experience working with industry information security standards, such as NIST, ISO, COBIT, CIS.
Experience with ATOs and developing POA&Ms or remediation plans.
LIMITATIONS ON SELECTION
This is an internal recruitment for Dept. of Information Technology employees only.
SPECIAL REQUIREMENTS
1. Employees in this classification may be subject to call-in 24 hours a day and, therefore, may be required to provide the employing agency with a telephone number where the employee can be reached. Employees may be furnished with a pager or cell phone.
2. Applicants for this classification may handle sensitive data. This will require a full-scope background investigation before the appointment. A criminal conviction may be grounds for rejection of the applicant.
3. Employees may occasionally be required to travel to field locations and must have access to an automobile in the event a state vehicle cannot be provided. A standard mileage allowance will be paid for the use of a privately owned vehicle.
SELECTION PROCESS
Please make sure that you provide sufficient information on your application to show that you meet the qualifications for this recruitment. All information concerning your qualifications must be submitted by the closing date. We will not consider information submitted after this date. Successful candidates will be ranked as Best Qualified, Better Qualified, or Qualified and placed on the eligible (employment) list for at least one year.
EXAMINATION PROCESS
The assessment may consist of a rating of your education, training, and experience related to the requirements of the position. It is important that you provide complete and accurate information on your application. Please report all experience and education that is related to this position.
BENEFITS
STATE OF MARYLAND BENEFITS
FURTHER INSTRUCTIONS
Online applications are highly recommended. However, if you are unable to apply online, the paper application and supplemental questionnaire may be submitted to: Department of Budget and Management, Recruitment and Examination Division, 301 W. Preston St., Baltimore, MD 21201. Paper application materials must be received in our office by the closing date for the recruitment. No postmarks will be accepted.
For questions regarding this recruitment, please contact the DBM Recruitment and Examination Division at Application.Help@maryland.gov or 410-767-4850, MD TTY Relay Service 1-800-735-2258.
We thank our Veterans for their service to our country.
People with disabilities and bilingual candidates are encouraged to apply.
As an equal opportunity employer, Maryland is committed to recruiting, retaining and promoting employees who are reflective of the State's diversity.