Duty Statement - CalCareers



|duty statement |

|Class Title |Position Number |

|Information Technology Specialist I (ITS I) |805-450-1402-022 |

|COI Classification | |

|Yes |No |

|Unit |

|Section |

|Branch |

|Information Technology Management Branch (ITMB) |

|Division |

|California Medicaid Management Information System (CA-MMIS) |

| |

|This position requires the incumbent maintain consistent and regular attendance; dress in a professional manner; communicate effectively (orally and in writing if both |

|appropriate) in dealing with the public, executives, and/or other employees; develop and maintain knowledge and skills related to security efforts, methodologies, |

|materials, tools, and equipment; complete assignments in a timely and efficient manner; and, adhere to departmental policies and procedures regarding attendance, leave, |

|and conduct. |

| |

|Job Summary: Under the general direction of the Information Technology Manager I (ITM I), the Information Technology Specialist I (ITS I) performs functions in the |

|domains of System Engineering and Information Security Engineering. The ITS I serves within the Department of Health Care Services (DHCS), Information Technology |

|Management Branch (ITMB) as an Information Security Compliance Specialist. The ITS I’s primary focus is on vendor security, compliance, and risk management. The ITS I |

|works in multiple operational areas of California Medicaid Management Information System (CA-MMIS). Job duties include ensuring vendors are compliant with applicable |

|security compliance requirements, reviewing security and technology recovery related documentation, assessing risks, developing corrective action plans, and providing |

|general security oversight of vendors. Duties include assisting in developing, maintaining, and delivering the models, frameworks, principles, and processes that are |

|used to plan, design, implement, and operate information security solutions, which enable consistency and reuse to satisfy business requirements for security services in|

|a standardized, repeatable, high quality manner. |

| |

|Supervision Received: The ITS I works under the general direction of the ITM I and receives general administrative and policy direction from the ITM I and the CA-MMIS |

|Security Lead (ITS II). The ITS I works independently with responsibility and discretion over broadly defined missions or functions. |

| |

|Supervision Exercised: The ITS I has no direct supervision responsibilities. |

| |

|Domain: System Engineering and Information Security Engineering |

| |

|Working Title: Information Security Compliance Specialist |

| |

| |

|Description of Duties: The ITS I is responsible for ensuring DHCS and its vendors are compliant with all applicable security requirements at federal, state, agency, and|

|departmental levels. Duties include reviewing system security plans, technology recovery plans, risk and vulnerability assessments, Plan of Action and Milestone |

|reports, and providing compliance expertise consultation. The DHCS ITS I is a key member in the reuse of security services to mitigate CA-MMIS security risks while |

|maintaining compliance with Federal, State and Department requirements. |

| |

|In collaboration with the DHCS Information Security Office (ISO), and the CA-MMIS Security Lead, this position has responsibility for the development and maintenance of|

|DHCS information security principles, security reference architectures, and maintaining strategies, frameworks, standards, and roadmaps in cooperation with the ISO. |

|Other duties include assisting management with CA-MMIS security governance processes for evaluating the security and viability of proposed technologies, architectures |

|and systems. The ITS I will assist in development, maintenance, and review of a wide range of security related asset and portfolio documentation for vendor managed |

|CA-MMIS applications. Duties include performing information security risk assessments of documents and deliverables throughout the system life cycle. The ITS I must |

|maintain a high level of understanding of DHCS business functions, data flows, major applications, IT security technologies, and general information technology |

|concepts. Knowledge must be maintained of compliance regulations such as the State Administrative Manual (SAM), Health Insurance Portability and Accountability Act |

|(HIPAA), National Institute of Standards and Technology (NIST), and the Medicaid Information Technology Architecture (MITA). |

| |

|The ITS I will act as a technical subject matter expert and security authority for security controls, security plans, security policies, risk assessments, and incident |

|response for state staff and contractors performing contracted IT services for Fiscal Intermediary/System Integration vendors. Activities will include ensuring |

|appropriate technical, administrative and physical controls are put into place by the vendors operating under contract by conducting oversight, planning, consultation, |

|risk assessments and policy development. The ITS I must become familiar with the business function and data flows for all applications that are operated by contracted |

|vendors. Duties include documented security risk analysis within the change and release management process to ensure appropriate technical, administrative and physical|

|controls are put into place by vendors. Risk analysis topics may include secure software development, authentication and authorization infrastructure, secure web |

|services and messaging, encryption, vulnerability management, and assurance of appropriate policies and procedures. Duties additionally include serving as the subject |

|matter expert for external audits, assessments, security incidents and data breaches. |

| |

|The ITS I will be responsible for acting as a liaison between non-technical program staff during system development projects including requirement development, |

|technical data review and acceptance testing. The ITS I will work with staff from all levels of state government, as well as software/hardware vendors, |

|contractors/subcontractors, and consultants. The ITS I, in coordination with the CA-MMIS Security Lead, will aid in providing consultative assistance and oversight |

|during system and project planning and design phases to help ensure appropriate technical, administrative and physical controls are put into place by the vendors |

|operating under contract. |

|PERCENT OF TIME |ESSENTIAL FUNCTIONS |

| | |

|25% | |

| |Information Security and Architecture Compliance |

| | |

| |A1. In collaboration with ITMB Leadership, CA-MMIS Security Lead, and ISO, the ITS I is responsible for: |

| | |

| |Ensuring vendors are compliant with applicable information security requirements and architecture. |

| |Ensuring vendor deliverables are compliant with applicable security and technology recovery requirements. |

| |Assisting in the development and evolution of CA-MMIS Information Security and Architecture Framework, including principles, strategy, standards, |

| |designs and roadmaps. |

| |Supporting security documentation through a consistent set of security principles, technology standards and architectural constructs. |

| |Assisting in development of business, information and technical artifacts that constitute the CA-MMIS information security/architecture and solutions, |

| |including security patterns, reference architectures and templates. |

| |Researching, designing and recommending new technologies, architectures, and security products that will support security requirements for CA-MMIS and |

| |its customers and business partners. |

| | |

| |B1. The ITS I must research and maintain an expert knowledge of information security principles, industry best practices and applicable compliance |

| |regulations. The ITS I must maintain a strong understanding of the security controls defined in NIST SP 800-53 and current industry best practices for |

| |addressing each control, including the technical levels, administrative/policy, and physical security of each. That knowledge must also include |

| |understanding of the design and selection of technical solutions. The ITS I must develop and maintain the ability to independently research and |

| |understand highly complex technical issues which impact security of DHCS data, study existing and emerging Federal and State requirements, and to study|

| |and understand the complex business processes and applications within DHCS. The ITS I will assist and participate in security awareness and education |

| |campaigns to foster CA-MMIS and vendor understanding of efforts regarding higher levels of security maturity related to individual DHCS projects, |

| |programs and staff activities. |

| | |

| |Information Security Project Consultation |

| | |

| |B1. The ITS I will provide security expertise in all phases of the Software Development Lifecycle (SDLC) helping vendors and/or projects comply with |

| |security policies, industry regulations, and best practices. Leads efforts requiring analysis, design, development, and implementation of security |

| |controls for the most complex modifications to vendor managed IT systems and processes. |

|25% | |

| |Work closely with solution/project architects, other functional staff, and security specialists to ensure adequate security solutions are in place |

| |throughout all IT systems and platforms to mitigate identified risks sufficiently, and to meet business objectives and regulatory requirements. |

| | |

| |Provide oversight and guidance on new security projects, security efforts, and evaluation of new IT technology and processes. Requires working |

| |knowledge of large-scale database architectures, data communication protocols, and network configurations; extensive knowledge of the Department's |

| |business enterprise, and ability to work independently. |

| | |

| |Provide support for risk analysis efforts; work directly with the vendor to provide security analysis expertise in evaluating release and change |

| |management efforts; and enforce standards and policies for security in Release, Change, and Configuration Management (RCCM). |

| | |

| |B2. The ITS I must maintain a strong knowledge of the purpose and best practices for use of enterprise security controls, as well as leveraging federal|

| |security requirements such as NIST SP 800-53, FedRAMP, and HIPAA. The ITS I must have a working knowledge of IT concepts such as firewalls, secure |

| |network design, authentication and authorization methods, use of secure event collection and monitoring, intrusion prevention techniques, and ensuring |

| |minimum necessary access through role based access controls. |

| | |

| |Information Security Business Consultation |

| | |

| |A3. The ITS I will evaluate and develop secure solutions, based on approved security architectures and by evaluating business strategies and |

| |requirements; analyze business impact and exposure, based on emerging security threats, vulnerabilities and risks. |

| | |

|25% | |

| |Work with vendors, DHCS Solution Architects and application teams to design solutions in alignment with security architectures, policies and |

| |principles; this may involve partnering with various cross-functional teams to ensure compliance to policies, principles and standards. |

| | |

| |Partner with business to provide guidance on security considerations during early planning of new IT solutions and services. |

| | |

| |Perform education and outreach to vendor IT and business areas regarding Federal, State and Departmental security compliance requirements. |

| | |

| |Assist in development of Advance Planning Documents (APD) and Budget Concept Proposals (BCP) to ensure critical security needs are reflected. |

| | |

| |B3. The ITS I must maintain a strong knowledge of all major DHCS business functions, supporting IT areas and external entities interfacing with DHCS |

| |(e.g., Vendors, Counties, State or Federal departments, Providers, and/or Third Party Entities). |

| | |

| |Information Risk Analysis |

| | |

| |A4. The ITS I will provide support for risk analysis efforts and work directly with other CA-MMIS areas to provide security analysis expertise in |

| |evaluating release and change management efforts. The ITS I will also provide security oversight for all phases of testing, including enforcement of |

| |development standards, environment security analysis and all other related security oversight requirements. |

|20% | |

| |In collaboration with ITMB Leadership, CA-MMIS Security Lead, and ISO, the ITS I will: |

| | |

| |Contribute to the development and maintenance of the CA-MMIS Information Security Strategy and the alignment of security governance in conjunction with|

| |other IT branches. |

| | |

| |Assist in the departmental security governance processes to ensure vendor alignment and compliance with security policies, principles and standards |

| |regarding the use of security products, techniques and patterns. This includes change control, risk assessments, audits, development of |

| |standards and policy and direct consultation with the applicable DHCS staff and vendor representatives. |

| | |

| |Assist in developing, recommending, and reviewing Information Security policies. |

| | |

| |B4. The ITS I must maintain strong skills in security risk analysis, security governance, and security strategy. |

| | |

|PERCENT OF TIME |MARGINAL FUNCTIONS |

| | |

|5% | |

| |Other Duties |

| | |

| |A5. The ITS I performs other duties as required. |

| |

|Employee’s signature |Date |

|Supervisor’s signature |Date |
