Review Vacancy
Date Posted: 10/14/25
Applications Due: 10/28/25
Vacancy ID: 200242
Position Information
NY HELP No
Agency NYS Gaming Commission
Title Chief Information Security Officer
Occupational Category No Preference
Salary Grade 662
Bargaining Unit M/C - Managerial/Confidential (Unrepresented)
Salary Range From $103870 to $131298 Annually
Employment Type Full-Time
Appointment Type Permanent
Jurisdictional Class Non-competitive Class
Travel Percentage 0%
Schedule
Workweek Mon-Fri
Hours Per Week 37.5
Workday
From 9 AM
To 5 PM
Flextime allowed? No
Mandatory overtime? No
Compressed workweek allowed? No
Telecommuting allowed? No
Location
County Schenectady
Street Address 354 Broadway
City Schenectady
State NY
Zip Code 12305
Job Specifics
Duties Description Under the direction of the NYS Gaming Commission’s Director of Risk Management, the Chief Information Security Officer (CISO) will work closely with all stakeholders, including agency leadership, the NYS Office of Information Technology Services (ITS), Gaming Divisions, Bureaus, contractors and vendors, and MUSL, to identify, mitigate, manage and monitor information governance, compliance risks and Agency legal obligations involving the privacy, confidentiality, compliance, and electronic discovery needs applicable to data the Agency collects, uses, receives, exchanges or otherwise stores or handles [in respect to our enterprise initiatives].
More specifically:
• Liaise with the NYS Office of Information Technology Services (ITS) on data-handling issues/concerns/requirements that require implementation of policies, standards and procedures in the Agency.
• Develop, deploy and maintain policies, standards, and procedures in accordance with State and Agency information governance, risk and compliance obligations, liaising with ITS on implementation, as needed, to support Agency obligations.
• Ensure that ITS is kept apprised of the requirements of laws, rules, regulations and other Agency obligations.
• Participate in the development and maintenance of ITS statewide policies, procedures and standards, as appropriate, to meet Agency obligations.
• Assume responsibility for Agency data-handling policies that incorporate the statewide policies, in whole or in part, and define the parts of policy and standards that derive from the specific Agency obligations, the user experience and the interaction with the systems in use. Examples include, but are not limited to the impact of:
-Compliance requirements specified in MOUs with other NYS Agencies and other States' Agencies detailing the handling of data (we have numerous MOUs with other agencies regarding data interfaces, e.g., the Tax Department, OTDA, etc.).
-Agency standards instituted to meet provisions of State law regarding privacy and confidentiality of data in the possession of the Agency.
-Development and implementation of Agency standards to ensure the capacity to audit, purge, retain, preserve and produce data, as may be required to meet Agency obligations.
• Monitor data-handling, compliance, and information governance to ensure they meet Agency Obligations, recommending improvements to control access and ensure requisite data-handling safeguards and compliance are maintained, as necessary. This obligation may include, but not be limited to:
-Review of audit logs related directly to Agency functions for monitoring purposes and to ensure appropriate access to data and compliance.
-Verification with ITS that they are monitoring logs and access to ensure compliance where direct access to system logs, network logs, or joint application logs exists.
-Verifying that ITS maintains a level of compliance with Agency Obligations through development of SLAs and review by independent auditors, as necessary.
• Work with other Agency units during compliance audits.
• In coordination with other Agency units (e.g., Communications, Human Resources, Legal, Audit, Lottery, GIG, Licensing) and ITS, support requests for data from the Agency and/or other investigatory entities (e.g., law enforcement, and State and federal agencies) and work to ensure the Agency complies with all requirements for notification.
• Function as a liaison for litigation support processes and respond to inquiries for information to support Agency processes related to litigation support, including, but not limited to electronic records management and electronic discovery preparedness (e.g., records integrity and preservation).
• Disaster Recovery policies/procedures: Participate in the development of effective continuity of operations plans (COOP)/business continuity (i.e., disaster recovery) policies and standards, and of implementation plans and procedures, to ensure that business-critical electronic data and IT services are recovered in the event of a disaster, and provide direction and in-house consulting in these areas, as necessary. This work would include, but not be limited to:
-Work to develop and keep current Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) based upon Agency requirements.
-Work with ITS and/or contractors/vendors to ensure disaster recovery processes that will meet those requirements through development of SLAs and supporting processes, as necessary, including the validation of those capabilities through the review of reports of regular testing of the same, and/or as it relates to our vendors.
-Participate in the discussion of how the Agency programs are weighted against those required by other agencies where both may be impacted by a disaster affecting the ITS environment.
• IT Information Asset Training: Supervise, administer, or verify training for Agency employees, contractors, and third parties, as appropriate, on their responsibilities to protect Agency IT and information assets and comply with Agency Obligations. This work would include, but not be limited to:
-Responsibility for conveying basic data privacy/confidentiality/compliance/information governance obligations to Agency, as appropriate, including any such obligations involving restricted access for Agency and ITS employees.
-Participation in communicating to outside agencies or vendors any unique requirements for training that relate to the Agency data.
-Participation in the development of policy for the validation of compliance with these requirements.
• Monitor, manage, and resolve, as appropriate, threats or risks to Agency information systems or data that may result in inappropriate or unauthorized exposure or non-compliance with Agency Obligations.
• Work with Agency business units and ITS to determine acceptable levels of risk to Agency data and systems. This work would include, but not be limited to:
-Development of risk management processes based upon Agency acceptable levels of risk.
-The establishment of roles and responsibilities with regards to information classification and protection.
-The development of Agency information classification requirements.
-Participation in verifying, through independent auditors and other appropriate means, that ITS is maintaining Agency related IT data and systems in accordance with these requirements.
• Incident Response: Develop, implement, improve and maintain Agency incident response plans, and reporting requirements, working with ITS and/or vendors to ensure that there is an incident response process that incorporates communication to the Agency regarding incidents.
• Risk Evaluation and Mitigation: Work with Agency and ITS to ensure adoption of mitigation plans to prevent future incidents, as appropriate.
• Evaluate risks that might affect Agency data and/or information systems and recommend improvements to Agency and/or ITS executive management to mitigate risks. This work would include, but not be limited to:
-Work to monitor ITS countermeasures to newly emerging threats to determine what, if any, Agency alerts to users and/or response is necessary.
-Work to ensure appropriate countermeasures are incorporated into the development of any new Agency systems or processes.
-Verification of completion of regular internal intrusion testing, including the evaluation of results and effectuating changes to Agency processes and/or procedures and training programs to improve compliance with State and Agency Obligations.
-Review of independent audits to validate that ITS is performing this function adequately.
• Data Management: Serve as Agency data-handling resource and point of contact to confirm data, systems and contract alignment with Agency and State data-handling policies. This would not include the ITS ISO work, but, rather, Agency work on these matters. This work would include, but not be limited to:
-Providing advice and recommendations to Agency executives on data-handling matters.
-Ensure that business requirements specify, and that ITS builds into applications, business rules that will trigger notification of suspect user behavior.
• Data Handling: Work with ITS ISO to implement required data-handling and compliance features on all new or, where possible, legacy system changes, that ensure that the technology systems meet Agency Obligations. This work would include, but not be limited to:
-Review of proposed projects and/or modifications of IT systems/data handling to ensure that the fundamental business requirements involving Agency Obligation are met.
-Where necessary, work with Agency business units and/or ITS to implement mitigation strategies to meet Agency Obligations.
-Review independent audits to ensure that ITS is following a risk mitigation strategy that complies with Agency risk acceptance levels.
• IT-related Contract Review: Develop or review contracts, service level agreements, memorandum of understanding language and other documents to verify that they meet and align with Agency and State data-handling policies and Agency Obligations.
• Electronic Discovery: Monitor electronic discovery, privacy, confidentiality and compliance trends, tools and techniques to build best practices into Agency policies and procedures.
• Representation: Represent the Agency at internal and external meetings and conferences, industry and state-wide groups to maintain awareness and evaluate the applicability of the latest techniques, trends and tools as they relate to the Agency’s obligations, with a focus on risk management.
• In consultation with the Agency legal office, research and review relevant laws and regulations that may affect compliance, data-handling controls, and classification of information assets and approve adjustments to meet Agency obligations.
• Liaise and act as primary point of contact, both within the Agency and with ITS, for all information classification and information governance work affecting the Agency.
Minimum Qualifications Non-competitive: Seven years of information technology, cybersecurity, or information assurance experience*, including one year at the supervisory level.
*Substitutions: A bachelor's or higher-level degree in any field including or supplemented by 15 semester credit hours in computer science or related field substitutes for three years of required experience; any bachelor’s substitutes for two years of required experience. An associate degree with 15 semester credit hours in computer science or related field may substitute for one year of required experience. Candidates in a bachelor’s degree program with at least 15 semester credit hours in computer science or related field may substitute such credits for one year of required experience. A master’s degree or higher in computer science or related field substitutes for one year of required experience.
Additional Comments Prohibition against Playing and Wagering:
Commission employees and family members residing in their households are prohibited from purchasing Lottery tickets or claiming Lottery prizes. Commission employees are prohibited from wagering upon any horse racing, commercial gaming, video lottery gaming, Indian gaming, charitable gaming activities, interactive fantasy sports, and mobile sports wagering within the State. To avoid any appearance of impropriety or conflict of interest, Commission employees will be prohibited from all aspects of promoting, operating, and playing in any charitable gaming, which includes bingo and games of chance such as raffles, whether or not the organization conducting the game is required to be licensed by the Commission. The prohibition placed upon each Commission employee from assisting with any charitable gaming does not apply to the employee's family unless the employee thinks it presents a conflict of interest related to his or her job duties. Commission employees must also avoid any outside activities that could interfere, or be perceived to interfere, with their job duties.
The NYS Gaming Commission is an equal opportunity employer, and we recognize that diversity in our workforce is critical to fulfilling our mission. We encourage applicants from all communities to apply.
For employees who are new to New York State employment in competitive, non-competitive and other graded positions, the annual salary is the hiring rate (i.e., the starting rate) of the position. All salaries are subject to the approval of the Office of the State Comptroller.
Some positions may require additional credentials or a background check to verify your identity.
How to Apply
Name Human Resources
Telephone
Fax (518) 388-3368
Email Address HRrecruitment@gaming.ny.gov
Address
Street Attn: Human Resources
354 Broadway
City Schenectady
State NY
Zip Code 12305
Notes on Applying Email submissions are preferred. Please specify the Vacancy ID in the subject line of your email or fax submission. Submit a cover letter and resume in Word or PDF format. We are unable to open documents from Google Docs, Google Drive, OneDrive and/or "the Cloud".
Clearly indicate how you meet the minimum qualifications for this position. Your Social Security Number may be required in order to confirm your eligibility.
© 2025 NYS Department of Civil Service