Information Security Risk and Compliance Officer at Virginia Lottery
Richmond, Virginia, USA - Full Time


Start Date

Immediate

Expiry Date

22 Nov, 25

Salary

141297.0

Posted On

23 Aug, 25

Experience

0 year(s) or above

Remote Job

Yes

Telecommute

Yes

Sponsor Visa

No

Skills

Availability, Security Controls, Project Teams, Regulations, Information Systems, Technology, Confidentiality, Business Continuity Planning, Computer Science, Information Security

Industry

Information Technology/IT

Description

Title: Information Security Risk and Compliance Officer
Hiring Range: $110,388 - $141,297
Pay Band: UG
Agency: Virginia Lottery
Location: Richmond, VA
Agency Website: www.valottery.com
Recruitment Type: General Public - G

MINIMUM QUALIFICATIONS

The person selected for this position will have:

  • Bachelor’s Degree from an accredited 4-year college or university with major studies in Information Systems, Computer Science, or related field.
  • Five or more years of information security instruction and risk assessment training, and experience working on project teams and meeting project deadlines.
  • Considerable knowledge of information security principles, policies and procedures, and Risk Management Frameworks.
  • Working knowledge of business, applications, and technology as applied to information security.
  • Knowledge of information assurance principles and organizational requirements that are relevant to confidentiality, integrity, and availability.
  • Demonstrated ability to plan, develop, coordinate, and manage multiple security initiatives in a technologically diverse environment.
  • Experience in business continuity planning.
  • Excellent interpersonal and communications skills, both oral and written.
  • Demonstrated ability to interact successfully with senior management, regulatory and compliance managers, and external vendors.
  • Knowledge of new and emerging Information Technology and Security strategies.
  • Knowledge of federal, state, agency, and other regulatory agents’ policies, regulations, and standards.
  • Excellent understanding of IT security controls, specifically NIST 800-53 and Commonwealth of Virginia IT security policies and standards.
  • Ability to maintain strict confidentiality of sensitive material.
  • Strong organizational, planning and project management skills a plus.

Responsibilities

For more than three decades, the Virginia Lottery has worked to build a strong reputation, one synonymous with providing fun, entertaining experiences and doing so responsibly and with integrity. Proceeds from traditional Lottery games support K-12 public education in Virginia. Taxes generated by sports wagering and casino gaming, which are regulated by the Lottery, benefit other priorities of the Commonwealth.
The Virginia Lottery, an independent state agency, is currently seeking an Information Security Risk and Compliance Officer to join our Information Security Department. This position is located in Richmond, Virginia.
The Information Security Risk and Compliance Officer will be responsible for the agency information security risk management program, which is compliant with the Commonwealth of Virginia Risk Management Framework found in SEC520 and SEC530. This is accomplished through policy, standards, and implementation of processes and controls through a variety of means, including System and Data inventory & classification, Business Impact Analysis (BIA), Risk Assessments (RA) for sensitive systems, and System Security Plans (SSP). It also includes testing systems and applications, monitoring system activity, coordinating system access control (physically and logically), creating/updating policies, and analyzing system security architecture with other subject-matter experts in the Lottery Information Technology Security Committee (ITSC) and Security and Technical Architecture Review (STAR) teams that ensure we comply with the VITA Standards and §2.2-603 of the Code of Virginia. Actively collaborates with Lottery Leadership, VITA, and the Information Security community to stay current with all trends, technology, and COV requirements.
The Information Security Risk Officer's duties include:

IT Security Governance Framework Program:

  • Establish and maintain a robust governance framework, including clear roles and responsibilities for risk management.
  • Facilitate communication and collaboration between different departments regarding risk and compliance matters.
  • Develop key performance indicators (KPIs) to measure the effectiveness of GRC initiatives.
  • Defines, updates and enforces security policies to reduce risk.
  • Performs and approves security reviews and recommendations on proposed and new software and hardware solutions.
  • Develop and maintain the Lottery Information Security program, to include policies and procedures.

IT Security and Risk Management Program:

  • Responsible and accountable for the development and maintenance of the Lottery risk management program of the overall Lottery Information Security program, to include associated policies, procedures, and formalized application security testing processes.
  • Responsible for prioritizing risks based on severity and likelihood and developing mitigation strategies.
  • Responsible and accountable for ensuring Risk Assessments for sensitive systems are developed and reviewed in accordance with the Lottery Risk Assessment Plan.
  • Responsible and accountable for creating, with internal stakeholders, System Security Plans (SSPs) for each sensitive system.
  • Coordinate risk analysis, assessment, and reporting activities with vendors and internal stakeholders.
  • Perform security reviews on Lottery systems to ensure CIA best practices are being followed and maintained.

Compliance Management:

  • Monitor compliance with applicable laws, regulations, and COV controls.
  • Develop and maintain compliance policies and standards.
  • Maintain a centralized repository for policies and standards, and ensure regular reviews and updates are conducted in a timely manner.
  • Conduct compliance assessments and reviews to identify gaps and ensure adherence.
  • Conduct quality assurance reviews and assess compliance with policies and standards.
  • Coordinate the Security Team's response to audit requests.
  • Oversee audit readiness, including documentation, workflows, and remediation tracking. Proactively monitor potential audit points/findings and coordinate remediation activity before they become audit findings.
  • Perform security reviews on Lottery systems to ensure CIA best practices are being followed and maintained.

Develop and maintain Business Continuity Program:

  • Develop and maintain the Lottery Business Impact Analysis (BIA), Enterprise Business Continuity Plan, and documents supporting the overall continuity program. Coordinate and maintain the IT Disaster Recovery Plan (IT-DRP).
  • Coordinates disaster recovery planning activities: disaster recovery training and exercises, IT disaster recovery exercises, and updates.

General department tasks:

  • Supporting tasks as required.
  • Perform other duties as assigned.

Note - This position requires in-office work three days per week including Tuesday and Wednesday.
