State of Michigan Position Code

Civil Service Commission

SENMGECXB36N

Capitol Commons Center, P.O. Box 30002 Lansing, MI 48909

POSITION DESCRIPTION

This position description serves as the official classification document of record for this position. Please complete the information as accurately as you can as the position description is used to determine the proper classification of the position.

2. Employee's Name (Last, First, M.I.):

3. Employee Identification Number:

4. Civil Service Position Code Description: Executive 19

5. Working Title (What the agency calls the position): Deputy Chief Security Officer

6. Name and Position Code Description of Direct Supervisor: Chris DeRusha, Chief Security Officer

7. Name and Position Code Description of Second Level Supervisor: Trish Foster, Director, Department of Technology, Management and Budget

8. Department/Agency: Department of Technology, , & Budget

9. Bureau (Institution, Board, or Commission):

10. Division: Cybersecurity and Infrastructure Protection

11. Section:

12. Unit:

13. Work Location (City and Address)/Hours of Work: 7150 Harris Dr., Dimondale, MI 48821, M-F 8 am-5 pm

14. General Summary of Function/Purpose of Position

The Deputy Chief Security Officer – Senior Management Executive 19 is responsible for supporting the formulation, establishment and implementation of cybersecurity and infrastructure protection policies and programs within the department and across state government for the State of Michigan. This position participates in and supports cybersecurity and infrastructure protection committees and programs at the local, state and national level. The position will ensure that critical processes and structures for all cybersecurity and infrastructure protection are effectively delivered and operationalized throughout the enterprise. These processes ensure quality, standardization, integration and successful completion of all security-related projects developed and implemented. The position assists the Chief Security Officer (CSO)/Director of CIP in setting clear direction and goals and in securing the appropriate training and tools for its employees. In addition, this position supports the CSO/CIP Director with recommendations on cybersecurity policy and future department direction.

15. Please describe the assigned duties, percent of time spent performing each duty, and what is done to complete each duty.

List the duties from most important to least important. The total percentage of all duties performed must equal 100 percent.

Duty 1

General Summary: Percentage: 50

Serves as Deputy Chief Security Officer – Senior Management Executive 19. Oversees the day-to-day operations and activities of the Cyber Security and Risk Management Divisions. Ensures that the appropriate levels of budgetary and personnel resources are available and effectively managed to ensure the statewide delivery of services. Seeks input from each manager to ensure the strategies, decisions, policies, and procedures are effective for the needs of their areas, client agencies, and the overall State enterprise.

Individual tasks related to the duty:

• Directs the staff and processes for CIP to support daily operations.
• Advises staff in the resolution of sensitive, complex, or controversial matters.
• Implements strategic plans, initiatives, and objectives to meet the goals and directives of the agency.
• Apprises the CSO/CIP Director of sensitive or controversial issues and takes appropriate action as necessary.
• Develops budget recommendations, monitors expenditures, and recommends solutions to budget needs.
• Provides guidance on resource allocation, training resources, and other expenditures for CIP and client agencies.
• Develops and oversees service delivery models for all areas of responsibility.
• Selects and assigns staff, ensuring equal opportunity in hiring, promotion, and other employment practices; establishes performance standards and assesses staff performance.
• Partners effectively with Agency Service’s General Managers to ensure effective service delivery.
• Works collaboratively with vendors to evaluate new technology/platforms to be adopted by the State’s network and cyber security team.
• Develops technology vision, architecture and implementation plan for critical initiatives.

Duty 2

General Summary: Percentage: 25

Assists in the establishment and implementation of CIP policies and programs within the department and at the local, state and national level to promote Michigan’s role as a national leader in cybersecurity and infrastructure protection-related issues.

Individual tasks related to the duty:

• Carries out the enterprise-wide vision for CIP issues, policies, standards, priorities and projects.
• Advises the CSO/CIP Director on CIP policy issues, program accomplishments, vulnerabilities/threats and opportunities.
• Assesses effectiveness of policies, programs and operations and determines need for improvement.
• Reviews legislation, recommends department position, assures conformance by agency and others, and assists in the development of related communication and educational materials.
• Works with other senior leaders of DTMB and agencies to creatively address CIP issues within DTMB, across agencies, and across the state.
• As requested, attends meetings with public/private sector officials, various organizations, or vendor groups on behalf of the CSO/CIP Director.
• Assists and advises on private-public partnership opportunities; identifies cross-boundary collaboration potential.

Duty 3

General Summary: Percentage: 20

Develop and provide effective resource management of existing staff while transitioning the organization toward the future organizational structure.

Individual tasks related to the duty:

• Motivate and guide existing staff to ensure delivery of new and existing services within current budgets.
• Ensure transition of staff and functions to appropriate teams.
• Assess effectiveness of operations and recommend improvements implementing continuous improvement methodologies.
• Lead the security architecture team by providing guidance, and collaborate with the enterprise architecture group under ’s team.
• Conduct performance appraisals at the organizational, process and staff levels to identify areas of opportunity, provide development and training opportunities, and implement corrective actions where appropriate to drive higher levels of organizational performance and customer service.
• Ensure quality root-cause analysis is performed and appropriate after-action reviews are conducted after impactful cyber or information security events.
• Assure overall compliance with Civil Service and Agency policies and procedures.

Duty 4

General Summary: Percentage: 5

Completes special assignments as needed, provides additional services as assigned and delivers analysis for the development of the division and agency.

Individual tasks related to the duty:

• Develops the appropriate strategy and approach to accomplish special assignments, including strategic direction, work plans, and analysis.
• Works with other senior leaders of DTMB and client agencies to identify new requirements and develop programmatic services.

16. Describe the types of decisions made independently in this position and tell who or what is affected by those decisions.

Determine means and methods by which to implement the Department’s CIP mission, goals, objectives, strategic plans, etc.

17. Describe the types of decisions that require the supervisor's review.

Any deviation from CSO or CIO’s policies or directives. Sensitive or controversial matters should be brought to the CSO prior to taking action.

18. What kind of physical effort is used to perform this job? What environmental conditions is this position physically exposed to on the job? Indicate the amount of time and intensity of each activity and condition. Refer to instructions.

Standard office setting.

19. List the names and position code descriptions of each classified employee whom this position immediately supervises or oversees on a full-time, on-going basis.

NAME | CLASS TITLE
Rich Reasner | State Division Administrator 17
Chris Christensen | State Division Administrator 17
Smruti Shah | State Division Administrator 17
Vacant | SEMA 11

20. This position's responsibilities for the above-listed employees includes the following (check as many as apply):

Y Complete and sign service ratings. Y Assign work.

Y Provide formal written counseling. Y Approve work.

Approve leave requests. Y/N Review work. Y

Y Approve time and attendance. Y Provide guidance on work methods.

Y Orally reprimand. N Train employees in the work.

22. Do you agree with the responses for items 1 through 20? If not, which items do you disagree with and why?

• Yes

23. What are the essential functions of this position?

The Deputy Director of CIP is responsible for supporting the formulation, establishment and implementation of cybersecurity and infrastructure protection policies and programs within the department and across state government for the State of Michigan.

24. Indicate specifically how the position's duties and responsibilities have changed since the position was last reviewed.

N/A

25. What is the function of the work area and how does this position fit into that function?

CIP oversees efforts to protect state systems from viruses, worms and other cyber attacks, and to oversee physical security and homeland security activities. CIP works in partnership with state agencies to maintain the highest achievable levels of protection while reducing overall threats to critical infrastructure, computer, technology and communications services. CIP works with federal and local government organizations to ensure the state has the necessary safeguards in place to protect Michigan’s cyber system and infrastructure.

26. What are the minimum education and experience qualifications needed to perform the essential functions of this position?

EDUCATION:

Possession of a bachelor’s degree in any major.

EXPERIENCE:

Two years of professional, managerial experience.

KNOWLEDGE, SKILLS, AND ABILITIES:

• Preferred 10 years’ experience in Information Technology, with 5 years’ experience in Cybersecurity and/or Infrastructure Protection.
• Cybersecurity technologies, markets and vendors including firewall, intrusion detection, assessment tools, encryption, certificate authority, web and application development.
• Information systems industry and best practices in network, application and hardware platform security.
• Audit and assessment methodologies, procedures and best practices that relate to information networks, systems, and applications.
• Application security, database technologies used to store enterprise information, directory services, financial information, and information systems auditing.
• Identity and access management, security program policies, processes, standards, requirements and procedures and various supporting security technologies.
• Ability to develop knowledge of the State’s technical and business environment.
• National security standards and experience with business continuity, disaster recovery, auditing, risk management, vulnerability assessment, information privacy protection, and cybersecurity incident management methodologies.

CERTIFICATES, LICENSES, REGISTRATIONS:

• CISSP, Certified Information Systems Security Professional, issued by The International Information Systems Security Certification Consortium (ISC)²
• ITIL, COBIT, and Agile Methodology (Certified Scrum Master)

NOTE: Civil Service approval does not constitute agreement with or acceptance of the desired qualifications of this position.

I certify that the information presented in this position description provides a complete and accurate depiction of the duties and responsibilities assigned to this position.

Supervisor Date

TO BE FILLED OUT BY APPOINTING AUTHORITY

Indicate any exceptions or additions to the statements of employee or supervisors.

I certify that the entries on these pages are accurate and complete.

Appointing Authority Date

I certify that the information presented in this position description provides a complete and accurate depiction of the duties and responsibilities assigned to this position.

Employee Date