Overview
Remote
Hybrid
$40 - $50
Accepts corp to corp applications
Contract - Independent
Contract - W2
Contract - 12 Month(s)
10% Travel
Skills
Analyst
Job Details
Maintain contacts and productive relations with IT managers and staff as a means of
providing assistance with audit and compliance needs and areas of potential risk.
A3. Provide technical guidance, as requested, to department managers in appropriate IT
areas, such as development and implementation of internal control systems;
development of policies and procedures; establishing benchmarks to measure the
effectiveness of an IT application or function; and enhancing security features
governing access to applications, IT Infrastructure (e.g., servers, firewall,
LAN/WAN, databases, etc.) and physical IT operations.
A4. Identify audit topics that should be considered for audit or limited review, based on
indicators of any significant system changes, risks faced by the department and/or
possible benefits of conducting such assessments.
A5. Assist department and agency managers in developing responses to audits by
external (state and federal) auditors, and in tracking responses to ensure that
corrective actions are taken.
A6. Plan and conduct follow-up reviews to determine whether recommendations have
been implemented to adequately address the findings.
A7. Focus on IT systems issues, functions or activities when identifying risks facing the
department and potential audit issues, such as management controls, applications,
IT operations and data management.
A8. Perform research and analysis and provide feedback on physical security of the data
centers as requested.
B. Administration of the documentation, communication, and assessment of the
adequacy of security controls for information systems
B1. Participate in meetings with agency customers to review and understand their
requirements as they relate to enterprise security. Develop plans to raise security
awareness.
B2. Perform appropriate tests of general IT controls and specific application controls to
verify that controls being audited are functioning as intended.
B3. Recommend to management changes that are necessary to improve the design and
operating effectiveness of IT security controls.
B4. Draft correspondence, finding sheets and audit reports that clearly explain the
findings and conditions disclosed during the audit, the basis for the audit
conclusions and specific recommendations for corrective action. Participate in
discussions related to the IT audit findings and potential recommendations.
B5. Review assessments or Service Organization Controls (SOC) reports of business
associates and provide guidance to program areas on how they can use these to
monitor the operations that are outsourced.
B6. Develop an audit or limited review work plan detailing specific audit objectives,
audit tasks to be performed, the criteria to be used in assessing whether the IT
system, function or activity being reviewed is performing effectively, and the
timelines for completing planned tasks.
B7. Track, monitor, and review IT findings within the audit reports and provide guidance to
agency staff, technical infrastructure staff and program areas on risks and
remediation plan adequacy.
B8. Meet with agency customers to understand their security requirements and
recommend alternatives that relate to the enterprise shared IT Infrastructure systems
security strategies.
B9. Participate on enterprise incident response teams working on security related issues.
B10. Investigate security and compliance related issues for the enterprise and agencies as
requested.
C. Performance of information technology security initiatives
C1. Participate on cross-functional teams in needs assessment, design, or
implementation projects to address security audit and compliance needs.
C2. Review internal project study requests and project plans for compliance with IT
security strategic goals.
C3. Evaluate customer requirements to determine if security solutions meet federal and
state audit and compliance controls. Provide cost-benefit analyses as needed and
solicit funding to develop and implement new projects and services.
C4. Provide information technology security expertise to system developers, system
administrators, project managers and other IT professionals to ensure adequate
security controls in IT systems.
C5. Recommend methods and technologies to improve management of the security
infrastructure, its efficiency, and its effectiveness.
Knowledge, Skills and Abilities
1 Ability to deliver quality service and maintain positive working relationships with
customers.
2 Ability to function as a team member, including the open sharing of information,
and willingness to help wherever needed.
3 Ability to communicate clearly and effectively to both technical peers and less
technical customers in person and via written media such as email, reports, and
project charters.
4 Knowledge of and ability to apply IT service-delivery management best practices
and procedures.
5 Ability to learn quickly; synthesize complex information, identify key points and
communicate results accurately and effectively.
6 Considerable knowledge and skill in standard audit procedures, including preparing
an audit guide and identifying the steps taken in conducting the audit.
7 Considerable knowledge of information technology controls.
8 Considerable skill and experience in IT systems, software, and web-based
applications.
9 Considerable knowledge of regulatory compliance requirements and assessment
processes.
10 Considerable knowledge of security concepts, risk management and investigation
techniques.
11 Knowledge of practices of the Information Systems Audit and Control Association
or any other applicable background for the audit of information systems.
12 Considerable skill in writing technical, management and analysis reports and papers.
Requirements
Top Required Skills & Years of Experience: 3-4 years for each skill
NIST 800-53 Framework
Considerable knowledge and skill in standard audit procedures, including preparing an audit guide and identifying the steps taken in conducting the audit.
Considerable knowledge of information technology controls.
Nice to Have Skills:
Strong written and verbal skills for translating technical specifications to non-technical individuals
Project details (project overview, who the contractor will work with, soft skills needed, etc.):
A certain degree of creativity and latitude is required. In addition, this position requires strong communication skills, both verbal and written, excellent customer service and consulting for internal and external stakeholders, and the ability to work with cross-functional teams.