Under the direction of senior team members within the Chief Information Security Office/Governance, Risk, & Compliance/Governance, Compliance, Awareness, & Training (GCAT)/Governance & Compliance Section, the incumbent will be responsible for assisting with the development and implementation of the Chief Information Security Office's GCAT Program. The Program consists of policies, standards, and guidelines to protect New York State information assets; assessing policy exception requests; assessing requests for Internal and External Audit information; and working with ITS and with other State entities to assess and assure compliance with all State and Federal compliance standards. The candidate will also work to promote cybersecurity awareness and information security best practices.

The position requires communicating orally and in writing with various individuals, including management, users, vendors, and other IT staff. The position requires availability during off-shift hours to ensure an appropriate response to security incidents or other critical activities that may impact sensitive information, critical systems, NYS agencies, or ITS. Additional information on the work schedule will be discussed at the time of interview.

Specific duties include, but are not limited to:

Develop and maintain statewide information security policies, mechanisms, processes, standards, and procedures that meet current and future state business needs. Consult with State Entities regarding interpretation and implementation issues for statewide information security policies, procedures, and best practices. Manage the security exception process in GCAT when compliance with NYS Policy and Standards cannot be met; review and coordinate efforts to renew security exceptions when necessary. Facilitate participation of State Entities in the completion of the annual Nationwide Cybersecurity Review (NCSR) cybersecurity assessment.

Establish and maintain channels of communication to target audiences (State and local government, education sectors, and citizens). Collaborate on and advance partnership programs with State and national work groups. Manage CISO staff involved in internal and external information security audits across the enterprise; this requires working in conjunction with multiple teams across ITS and State Entities. Manage efforts to support, expand, and build efficiencies into the security audit process.

Receive and Log Policy Exception Requests:
Act as the primary point of contact for receiving all incoming IT policy exception requests from various departments and stakeholders. Accurately log each request into a dedicated tracking system (e.g., Archer), capturing all essential details such as the requesting party, the policy being excepted, the reason for the exception, its duration, and the proposed compensating controls.

Initial Review and Validation:
Perform an initial review of submitted requests to ensure completeness and clarity. Follow up with requesters to gather any missing information or clarify details. Verify that the request aligns with the established exception request process and submission guidelines.

Facilitate Risk Assessment and Approval Workflow:
Route exception requests to the appropriate stakeholders for review and approval. Coordinate meetings or communications to facilitate discussions around the exceptions. Ensure all required approvals are obtained and documented within the tracking system.

Document and Record Exceptions:
Maintain a comprehensive and up-to-date central repository of all approved and rejected policy exceptions. Document the justification for the exception, the associated risks, the approved compensating controls, the duration of the exception, and the names of all approvers. Ensure all documentation adheres to internal standards and audit requirements.

Monitor and Track Exception Lifecycles:
Proactively monitor the expiration dates of approved exceptions. Initiate the renewal or closure process for exceptions nearing their expiration, coordinating with the original requester and approvers as needed.

Reporting and Analysis:
Generate regular reports on policy exception trends, including the number of exceptions, the policies most commonly excepted, the departments requesting exceptions, and the reasons given for exceptions. Analyze exception data to identify potential systemic issues, policy gaps, or areas requiring increased awareness and training. Present findings to management to support continuous improvement of policies and security controls.

Process Improvement:
Continuously identify opportunities to streamline and improve the policy exception management process, tools, and documentation. Develop and update procedural documentation related to exception handling.

Audit Support:
Assist during internal and external audits by providing accurate and comprehensive documentation related to policy exceptions. Answer auditor inquiries and demonstrate adherence to the exception management process.

Perform the full range of supervisory responsibilities.
Job Type: Full-time
Career Level: Mid Level
Industry: Executive, Legislative, and Other General Government Support
Number of Employees: 251-500 employees