Enterprise Risk & Compliance Manager (Enterprise Information Security Manager) in Franklin County, OH – Columbus, OH
Company: Administrative Services

Job description:

This position is telework eligible (hybrid) under the current DAS telework agreement.

About Us:
The Ohio Department of Administrative Services (DAS), Office of Information Technology (OIT) is seeking an experienced and motivated professional to serve as the IT Risk Assessment Lead (Enterprise Information Security Manager) for the Office of Information Security and Privacy team within the Office of Information Technology at DAS.

Led by Director Kathleen C. Madden, the Ohio Department of Administrative Services is the engine of state government, providing innovative solutions and supporting the efficient operation of state agencies, boards and commissions. The Office of Information Technology at DAS delivers information technology (IT) and telecommunication services to State of Ohio agencies, boards and commissions.

What You'll Do:
In the Office of Information Security and Privacy, leads efforts to manage enterprise compliance with applicable regulatory standards (e.g., NIST, HIPAA, FTI, CJIS, etc.):
• Defines and develops the risk management environment, including assessments, risk inventory management, follow-up actions, mitigation evaluation, reporting and audit interface.
• Facilitates communication with legal and procurement groups in DAS and partner agencies for risk identification and compliance.
• Actively monitors agencies and vendors to ensure compliance with statewide security policies, codes and regulations.
• Conducts technical research & prepares formal recommendations to support multi-program IT risk identification and mitigation initiatives based on risk assessments.
• Advises senior administrators & makes recommendations to reduce technology risk in IT policies, procedures, and standards that provide for protection of State IT assets.
• Develops metrics & benchmarks to identify and verify risk mitigation progress; prepares reports (e.g., findings, results, recommendations, threats, risks, trends, incidents) on technical & non-technical material.
• Facilitates IT security work groups & committees; oversees monitoring of project performance, integrity & implementation; supervises technical personnel.
• Determines section staffing needs.
• Works with statewide constituents to interpret & approve security requirements relative to capabilities of new technologies.
• Develops, coordinates & implements a system to establish an Approval to Operate (ATO) for all IT systems to ensure compliance.
• Develops, coordinates, and implements processes to organize the management and coordination of IT audit activities with external/internal auditors.
• Maintains relationships to facilitate collaboration and alignment between IT audit and IT security to better manage information security risks.

Leads efforts to monitor and report on enterprise information security risk posture:
• Develops and directs IT risk monitoring activities to ensure IT compliance-related risks are managed to the appropriate level of acceptable residual risk.
• Promotes and ensures awareness of risk management requirements to meet state and federal compliance.
• Develops, coordinates & implements processes to conduct risk assessments for information assets and applications, including management of third-party risk assessments.
• Develops, coordinates & implements risk management procedures & processes relative to IT security (i.e., establishes ISP IT risk management strategies, establishes business & technology security strategies).
• Develops, coordinates & implements risk management risk repository to track.
• Leads the development of and maintains a system to measure information security risk at application, agency, and enterprise levels.
• Develops reports on risk posture of applications, agencies, and the enterprise.
• Advises senior administrators on information security risk posture & makes recommendations on risk mitigation and/or compensating controls.
• Works directly with the business units and other internal departments and agencies to facilitate IT risk analysis and risk management processes, and identify acceptable levels of residual risk.
• Acts as risk management liaison with all levels of the IT organization and with the lines of business.
• Conducts meetings and/or presentations to report on enterprise information security risk.

Performs other duties as assigned.
Adheres to the Office of Information Security and Privacy (OISP) values.

What's in it for you:
At the State of Ohio, we take care of the team that cares for Ohioans. We provide a variety of quality, competitive benefits to eligible full-time and part-time employees. For a list of all the State of Ohio Benefits, visit our ! Our benefits package includes:

Medical Coverage
• Quality, affordable, and competitive medical benefits are offered through the available Ohio Med plans.

Dental, Vision and Basic Life Insurance
• Dental, vision, and basic life insurance premiums are free after the eligibility period is completed. Length of eligibility period is dependent on union representation.
Time Away From Work and Work/Life Balance
• Paid time off, including vacation, personal, and sick leave
• 11 paid holidays per year
• Childbirth/Adoption leave

Employee Development Funds
• The State of Ohio offers a variety of educational and professional development funding that varies based on whether you are a union-exempt employee or a union-represented employee.

Ohio Public Employees Retirement System
• OPERS is the retirement system for State of Ohio employees. The employee contributes 10% of their salary towards their retirement. The employer contributes an amount equal to 14% of the employee's salary. Visit the for more information.

Deferred Compensation
• The Ohio Deferred Compensation program is a 457(b) voluntary retirement savings plan. Visit the for more information.

Ohio is a Disability Inclusion State and strives to be a Model Employer of Individuals with disabilities. The State of Ohio is committed to providing access and inclusion and reasonable accommodation in its services, activities, programs and employment opportunities in accordance with the Americans with Disabilities Act (ADA) and other applicable laws.

Qualifications
Minimum Qualifications:
Completion of undergraduate core coursework in computer science; 36 mos. trg. or 36 mos. exp. in computer systems analysis, design & operations or data security involving determination of appropriate access levels for resources & formulating appropriate access profiles for each application; 12 mos. trg. or 12 mos. exp. in computer project/program management or providing work direction & training to computer personnel engaged in data security or program analysis &/or design.
- Or 12 mos. exp. as Enterprise Information Security Supervisor, 69985.
- Or equivalent of Minimum Class Qualifications For Employment noted above.
Knowledge, Skills, and Abilities

Knowledge:
• Basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage)
• Basic system administration, network, and operating system hardening techniques
• Computer Network Defense policies, procedures, and regulations
• Current industry methods for evaluating, implementing, and disseminating IT security assessment, monitoring, detection and remediation tools and procedures utilizing standards-based concepts and capabilities
• Different classes of attacks (e.g., passive, active, insider, close-in, distribution, etc.)
• Operational threat environments (e.g., first generation [script kiddies], second generation [non-nation state sponsored], and third generation [nation state sponsored])
• Electronic devices (e.g., computer systems/components, access control devices, digital cameras, electronic organizers, hard drives, memory cards, modems, network components, printers, removable storage devices, scanners, telephones, copiers)
• General attack stages (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks, etc.)
• Security principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation)
• Incident categories, incident responses, and timelines for responses
• Incident response and handling methodologies
• Known vulnerabilities from alerts, advisories, errata, and bulletins
• Network security architecture concepts including topology, protocols, components, and principles (e.g., application of Defense-in-Depth)
• New and emerging IT and information security technologies
• Relevant laws, policies, procedures, or governance as they relate to work that may impact critical infrastructure
• Structured analysis principles and methods
• System and application security threats and vulnerabilities
• Systems administration concepts
• Capabilities and functionality of various collaborative technologies (e.g., groupware, SharePoint, etc.)
• Knowledge of the organization
• Organization's core business/mission processes
• What constitutes a network attack and the relationship to both threats and vulnerabilities

Skills:
• Conducting information searches
• Conducting knowledge mapping
• Basic operation of computers
• Apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation)
• Assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.)
• Administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures

Abilities:
• Identify systemic security issues based on the analysis of vulnerability and configuration data
• Identify critical infrastructure systems with information communication technology that were designed without system security considerations
• Assess and forecast manpower requirements to meet organizational objectives
• Read and understand a variety of technical and non-technical matters
• Maintain confidentiality of sensitive information
• Maintain power skills and effective team leadership skills
• Developed after employment

Applying for position:
• When completing your online Ohio Civil Service Application, be sure to clearly describe how you meet the minimum qualifications outlined on this job posting.
• All answers to the supplemental questions must be supported by the work experience/education provided on your civil service application.
• If you require a reasonable accommodation for the application process, please email the Human Resources contact on this posting so arrangements can be made.

Hybrid Telework Schedule: 2 days per week in-office and 3 days per week from remote primary home location. This schedule is subject to change at any time based on business need.

Expected salary:
Location: Franklin County, OH - Columbus, OH
Job date: Sat, 26 Aug 2023 23:57:30 GMT