INFORMATION TECHNOLOGY SPECIALIST I at State Controllers Office
Sacramento County, California, USA
Full Time


Start Date

Immediate

Expiry Date

16 Nov, 25

Salary

6513.0

Posted On

16 Aug, 25

Experience

2 year(s) or above

Remote Job

Yes

Telecommute

Yes

Sponsor Visa

No

Skills

Information Technology, ISO, Integration, Endpoint Protection, Policy Development, Risk Analysis, NIST, Security Tools, Addition, Computer Science, Technical Proficiency, Soft Skills

Industry

Information Technology/IT

Description

Under the general direction of the Deputy Chief Information Security Officer (CISO), an Information Technology Supervisor II in the Information Security Office (ISO), the incumbent performs State Controller’s Office (SCO) Information Security Program activities providing direct support to the California State Payroll System (CSPS) Project and the agency in areas such as security risk management to ensure SCO business and technical environments have and maintain an appropriate security posture. Additionally, as an Information Security Support Specialist, the incumbent will provide Vulnerability Analysis, IT Compliance Analysis, IT Governance Analysis, Security Control Assessment & Analysis, and System Requirements Planning. The incumbent will be responsible for analyzing the organization’s cyber defense policies and configurations to evaluate CSPS compliance with regulations and directives, conducting investigations to identify noncompliance factors, and ensuring the accuracy, completeness, and security of agency data through the implementation of data security policies and the establishment of data standards. The incumbent will also be responsible for identifying gaps in security architecture, performing risk analyses, and developing risk mitigation strategies, as well as conducting risk analysis, feasibility and trade-off analysis, and consulting with customers to evaluate non-functional requirements. Finally, the incumbent will assist with division technical duties in various program areas to support organizational needs using a variety of skills and software.

Duties Performed:

(Candidates must perform the following functions with or without reasonable accommodations.)

  • Responsible for analyzing the organization’s cyber defense policies and configurations to evaluate compliance with regulations and directives. Maintain a deployable cyber defense audit toolkit and stay up-to-date with applicable cyber defense policies, regulations, and compliance documents. Prepare audit reports, identifying findings and providing recommended remediation strategies. Perform risk and vulnerability assessments of relevant technology focus areas and conduct authorized penetration testing. Conduct required reviews and make recommendations regarding the selection of cost-effective security controls to mitigate risk.
  • Responsible for conducting investigations to identify noncompliance factors, coordinating with other departments within the organization to ensure policies are being followed, and communicating with clients or stakeholders regarding changes in regulations or compliance issues that may impact their business. Responsible for preparing reports on findings, conclusions, and recommendations to improve compliance, monitoring the activities of regulated entities, reviewing and interpreting data to identify potential problems or issues, identifying risks that may expose an organization to legal liability, and educating customers about applicable laws and regulations.
  • Responsible for ensuring the accuracy, completeness, and security of agency data through the implementation of data security policies and the establishment of data standards. Review data sources to identify gaps in coverage, monitor compliance with privacy laws and regulations, and collaborate with business managers to maintain data quality over time. Responsible for creating reports on data trends, developing policies on acceptable methods for reporting results, and presenting findings to stakeholders. Responsible for maintaining the ‘single source of truth’ for governance documentation and monitoring review periods of policies and processes.
  • Responsible for identifying gaps in security architecture, performing risk analyses, and developing risk mitigation strategies. Review security authorization documentation and provide input to the Risk Management Framework process. Assess the effectiveness of security controls and ensure compliance with agency goals, information security requirements, and IT policies and procedures.
  • Responsible for conducting risk analysis, feasibility and trade-off analysis, and consulting with customers to evaluate functional requirements. Define project scope and objectives, develop technical solutions, and coordinate with systems architects and developers. Develop and document user experience requirements, supply chain risks, and quality standards. Integrate and align cybersecurity policies and oversee configuration management, perform needs analysis, prepare use cases, develop cost estimates, and manage the IT planning process to ensure that solutions meet customer requirements. Ensure that all system components are integrated and aligned with applicable guidelines and develop baseline security requirements and preliminary system security concepts of operations. Act as the Information Security liaison across cross-functional teams through the software development life cycle (SDLC). Evaluate and support tools used in development, testing, deployment, and monitoring. Ensure security and compliance are integrated into each SDLC phase.
  • Review and interpret IT-related contracts for security and compliance risks. Assess third-party tools, applications, and services for vulnerabilities. Provide ISO recommendations to mitigate identified risks.

You will find additional information about the job in the Duty Statement.

Working Conditions

This position is located at The Emerald Tower on Capitol Mall, steps from Tower Bridge and is walking distance to the State Capitol. The building offers affordable monthly parking, employee gym access, an amenities center, and a beautiful mid-tower garden terrace. It is conveniently situated only blocks from Old Sacramento, numerous restaurants, a seasonal farmer’s market, and the Crocker Art Museum. Overlooking the Golden 1 Arena and Downtown Commons, the office is accessible from Sacramento Regional Transit’s light rail and bus systems, with convenient access to I-5, I-80, US 50 & US 99.

This position is eligible for hybrid telework under California Government Code Section 14200 for eligible applicants residing in California. All telework schedules are subject to change and may be reevaluated at any time. Specific telework arrangements may be discussed in more detail with the respective hiring manager. Telework does not change the terms and conditions of employment, the essential functions of job duties, or required compliance with the State Controller’s Office policies.

Minimum Requirements

You will find the Minimum Requirements in the Class Specification.
