“The incumbent is responsible for timely execution of high-quality information system security audits of state agency technology infrastructure and information security programs, business application systems, and significant projects to validate requisite information security controls are in place and are working as intended,” says the job posting, which was published Thursday.
The extensive list of desirable qualifications includes:
- Professional certifications including CISA, CIA, CISM, CRISC and CISSP
- Experience performing IT audits
- Extensive knowledge of federal and state information security policies, standards, principles, practices and frameworks
- Ability to effectively present information clearly to staff and auditees at all levels and at a wide variety of state entities to prepare entities for audit activities
- Ability to prepare detailed audit reports, presentations and other types of audit-related documentation on short notice
The auditor is responsible for the planning, design and execution of information security audits of state agencies’ and departments’ complex information systems and programs, the duty statement notes. “This program has significant statewide impact and is part of the overall state information security program,” the statement says. “The consequences of error (lack of adherence to audit standards and accuracy) results in increased security risk exposure and liability for the state.”
In addition, the statement says, “This position will interact with all levels of staff including state agency and departmental agency directors, agency information officers, chief information officers, information security officers, privacy and disaster recovery coordinators, and stakeholders from other branches and levels of government, education, critical infrastructure sectors, national associations, and private industry.”
The role has a monthly salary range of $8,591 to $11,512, and the application deadline is Oct. 8.
CDT was faulted in an April report by the California State Auditor for its IT security oversight efforts. State Auditor Grant Parks, in the report to the governor and Legislature, wrote in part: “… CDT has not ensured that the State’s IT systems are adequately protected from cyberattacks that can compromise individuals’ identities, shut down critical government functions, and cost the State millions of dollars to remedy.”
Parks continued: “For example, CDT has stated that to improve the State’s information security programs, it must be able to effectively determine the status of information security across the State as a whole and within each state agency individually. However, it has yet to determine the effectiveness of the State’s information security programs. Further, in those instances when it has assessed state agencies’ information security, those agencies’ security statuses have tended to decline subsequently rather than improve. Moreover, CDT has not taken adequate steps to educate state agencies on the cybersecurity threat monitoring service that it provides at no cost.”
In a report last month by the auditor, CDT remained on a list of “high-risk agencies and issues.” That report noted that CDT had been deficient in information security oversight since 2013.
