IT Security & Compliance Manager I

State Of North Carolina Raleigh, NC 27611

Posted 2 days ago

The Office of the State Controller

Please Note: OSC does not use 3rd parties to conduct job interviews.

OSC is interested in every qualified candidate who is eligible to work in the United States.  However, we are not able to sponsor visas at this time.

Successful candidate will be subject to a criminal background check.   

The mission of the Office of the State Controller (OSC) is to protect the financial integrity of the State and promote accountability in an objective and efficient manner.  

The foundational principles of the office are Integrity/Ethics, Objectivity and Accountability.  OSC's overall goals are to optimize operational execution, manage risk effectively and efficiently and foster a high-performance culture.  OSC will provide excellent customer service while achieving those goals. The State Controller is the State's Chief Fiscal Officer.  The Controller serves as an independent resource to protect the financial integrity of the State and to promote accountability in an objective and efficient manner through accounting, disbursing, payroll, internal control, eCommerce, and financial reporting systems.  The basis for the Controller's authority is statutory.

Description of Work:

This position is a senior-level IT position responsible for the agency's overarching IT Security Program, ensuring data security policies and procedures are established, reviewed, maintained, applied, and routinely assessed for compliance to secure OSC's enterprise applications as well as OSC's infrastructure and data assets. OSC's enterprise applications include legacy on-premise and cloud-based technologies. OSC's operational technology infrastructure includes an independently managed M365 environment, Azure Data Lake, legacy server infrastructure, and website. Across all systems and infrastructure, responsibilities include:

  • Implement and manage information security policies and standards to ensure compliance with State and Federal requirements.  
  • Lead information security risk management initiatives to identify vulnerabilities and threats.
  • Continually review and assess the agency's Business Continuity Plan, providing updates when the agency's technology needs, vendors, or services change.
  • Work closely with IT managers, application owners, and agency leadership to develop and maintain a robust Incident Response Plan and ensure agency staff are adequately prepared and empowered to identify and respond to security incidents.
  • Provide leadership and guidance during incident response activities.
  • Develop and implement an IT security training program, inclusive of all employees and tailored for various levels of system and data access.
  • Consult with employees, teams, divisions and agency leadership on security related topics and trends.
  • Consult with ITD staff when new technologies are evaluated and provide guidance on security related requirements.
  • Identify and implement appropriate security assessments for local and enterprise applications.  Analyze assessment results, develop corrective action plans, and track remediations.  
  • Serve as the agency's primary Security Liaison and Privacy Contact, interfacing with the North Carolina Department of Information Technology (NCDIT) as required for both roles.
  • Assess role creations in the Integrated HR-Payroll System (SAP ECC 6.0) to ensure proper standards are met, using the application tools Security Optimization Service and Security Health Check Report.
  • Assess role creations in NCFS (Oracle Financials) to ensure proper standards are met, using the application tool Advanced Access Controls.
  • Implement and monitor the Separation of Duties report produced in Oracle's Advanced Access Controls with state agency staff on a periodic basis.

This position reports to the IT Operations Director but works cross-functionally across the ITD and agency to manage the agency's IT Security Program.   The work schedule is a standard 8-hour day. However, IT Security related responsibilities may require extended shifts and weekend work for incident response or technology deployment.  

NOTE:  The Knowledge, Skills, and Abilities (KSAs) and the Minimum Education and Experience are REQUIRED in order to be considered qualified for this vacancy.  Therefore, you MUST provide supporting information within the body of your application that clearly demonstrates your possession of the KSAs and the minimum education and experience requirements.

  • Demonstrated experience developing and implementing information security policies and procedures
  • Demonstrated experience functioning as a technical lead or consultant on security compliance matters
  • Knowledge of cyber threats and vulnerability identification and practical mitigation experience
  • Demonstrated experience in incident response planning and incident response
  • Experience performing information security threat assessments and audits
  • Knowledge of NIST security standards
  • Demonstrated experience with on-premise, cloud-based, and hybrid technology
  • Knowledge of new and emerging IT and cybersecurity technologies
  • Demonstrated ability to manage and lead cross-functional projects utilizing project management standards
  • Ability to communicate effectively and strategically with technical and non-technical audiences across all communication channels

Management Preferences

  • Demonstrated knowledge of the North Carolina Statewide Information Security Manual (SISM) and State IT Policies as published by the North Carolina Department of Information Technology
  • An active, nationally recognized IT security certification (i.e. CISSP, CompTIA Security+, CISM)

Some state job postings state that you can qualify by an "equivalent combination of education and experience." If that language appears below, then you may qualify through EITHER years of education OR years of directly related experience, OR a combination of both. See oshr.nc.gov/experience-guide for details.

Bachelor's degree in computer science or a related IT field or closely related field from an appropriately accredited institution and two years of progressive experience in IT security or closely related area; or

Associate degree in computer science or a related IT field or closely related field from an appropriately accredited institution and three years of progressive experience in IT Security or closely related area; or an equivalent combination of education and experience.

NOTE:  Transcripts must be uploaded to NEOGOV and attached to your application to receive credit for any training and educational requirements, in order to qualify for the position.

All degrees must be received from appropriately accredited institutions.   

NEOGOV Technical Assistance 

If you are having technical issues logging into your account or applying for a position, please review the Get Help/FAQ's information on the website. If you are still experiencing technical issues with your application, please call the NEOGOV Help Line at 855-524-5627.  

All work history, training, and education must be listed on the official application, along with attached transcripts, to receive credit.  Applications must be completed in full.  "See Resume" or "See Attached" will not be accepted.  

The Office of the State Controller

 3514 Bush Street

 Raleigh, NC 27609

http://www.osc.nc.gov/

 Once the position has been filled, all on-line applicants will be notified via the e-mail provided at the time of application.

