Occ. Code 0836000

New York State Department of Civil Service

Classification Standard

Chief Information Security Officers (CISOs) represent their agency's interests with respect to the security of its information and information systems, and have a senior advisory role in decisions affecting information security and assurance. They implement, enhance, monitor and enforce agency and State information security policies and standards. They recommend and approve security policies, standards, processes, and education and awareness programs to verify that appropriate safeguards are implemented, and facilitate compliance with those policies, standards and processes. They oversee the investigation of alleged information security violations and follow agency and State procedures for referring the investigation to other investigatory entities, including law enforcement.

The positions, which are non-competitive, are classified in various agencies.


Distinguishing Characteristics


CISOs provide leadership and technical expertise to ensure the integrity, confidentiality, and availability of information assets under the general direction of the agency head, general counsel or executive designee. They oversee and coordinate information security and information assurance efforts across an agency, and exercise enterprise-wide authority for compliance with the agency's information security and assurance policies.

Chief Information Security Officers 1 and 2 perform similar duties. The levels are distinguished by the scope of the information security unit's responsibilities, which is measured, in part, by the size of the agency or agencies served and the variety of programs, supervision over information security staff, or supervision over staff from various business areas assigned information security duties.

Positions in the Information Technology Specialist series and parenthetic titles may also function as the chief information security officer for an agency. The level of IT Specialist classified for such assignments is determined by evaluating the depth and breadth of information security responsibilities, level of independence, and supervisory responsibilities.




Related Classes


Information Technology Specialists and Managers who are assigned information security duties function as information security administrators with responsibility to administer security tools, review security practices, identify and analyze security threats and solutions, and respond to security violations. The proper title is determined by evaluating the preponderance of duties performed and the organizational context of the assignment.


Illustrative Duties


Chief Information Security Officer 1 and 2

Directs and manages an agency information security and compliance program.

· Directs the information security unit in developing, deploying and maintaining information security architecture, policies, standards, and procedures in accordance with State and agency information security policies.

· Directs the development and implementation of the agency's information security risk management program and determines the level of security controls required to protect information technology and information assets.

· Monitors information security compliance, and recommends improvements to control access to agency information assets and ensure security safeguards are maintained.

· Coordinates agency technical efforts in response to information and system security compliance reviews or audits performed by external regulatory organizations or auditors.

· Directs the investigation of alleged information security violations, follows agency procedures for referring the investigation to other investigatory entities (e.g., law enforcement, and State and federal oversight agencies), and responds to requests for information from external investigators.

· Responds to inquiries for information to support agency processes related to litigation support, including electronic records management and electronic discovery preparedness (e.g., records integrity and preservation).

· Supervises, administers, or verifies training to agency employees, contractors, and third parties, as appropriate, on their responsibilities to protect agency IT and information assets.

Manages and resolves security threats to agency information systems.

· Develops information security risk analysis and risk management processes with business units, identifies acceptable levels of risk, and establishes roles and responsibilities with regard to information classification and protection.

· Develops, implements and improves information security incident response plans and reports.

· Evaluates new security threats and countermeasures that could affect agency information systems, and recommends improvements to executive management to mitigate risks.

· Administers or verifies completion of regular internal intrusion testing, evaluates the results, and makes changes to agency information security procedures and training programs to improve compliance with State and agency information security policies.

Serves as information security expert, and confirms systems and contract alignment with agency and State information security policies.

· Serves as agency information security expert and provides advice and recommendations to agency executives on information security matters.

· Reviews the security features of new computing systems, change controls to existing systems, and external network connections to ensure that the technology systems meet existing security policies and standards.

· Develops or reviews contract, service level agreement, and memorandum of understanding language and other documents to verify that they meet information security needs and requirements, and align with agency and State information security policies.

· Maintains guidelines for the development of secure application code using industry best practices.

· As CISO for agencies that host other agency applications, provides information security consultation services to customer or partner agencies, and directs the development of test scenarios to secure agency applications and data.

Monitors information security industry trends, tools and techniques.

· Represents the agency at internal and external information security meetings and conferences to maintain awareness, and evaluates the applicability of the latest information security techniques and tools to the agency's security program.

· Collaborates with peers to develop a multilayered and adaptive approach to counter a dynamic information security threat environment.

· In consultation with agency counsel, researches relevant laws and regulations that could affect the security controls and classification of information assets, and approves adjustments to meet legal and regulatory requirements.

Manages staff and resources dedicated to an agency's information security program.

· Prepares an information security staffing, development, and training budget plan to align with the agency's risk management and information security plans.

· Supervises staff and assigns work, writes performance and probationary evaluations, conducts interviews, and hires staff.


In addition, when assigned to a centralized information security management role for multiple State agencies,



Supervision Exercised


Chief Information Security Officers 1 may supervise lower-level information security staff assigned to an information security unit. In smaller information security units, the positions direct and coordinate staff from different business units, but may not be responsible for the regular supervision of these individuals.

Chief Information Security Officers 2 directly supervise information security staff in a dedicated information security unit, and direct and coordinate staff from business units to fulfill agency information security management responsibilities.


Minimum Qualifications


Chief Information Security Officer 1

Non-Competitive: bachelor's degree* and five years of information technology experience, including three years of information security or information assurance experience.

Chief Information Security Officer 2

Non-Competitive: bachelor's degree* and six years of information technology experience, including four years of information security or information assurance experience.

* Appropriate information security or information assurance experience may substitute for the bachelor's degree on a year-for-year basis; an associate's degree requires an additional two years of information technology, information security, or information assurance experience. Experience solely in information security or information assurance may substitute for the general information technology experience.



Date:  9/12



NOTE: Classification Standards illustrate the nature, extent, and scope of duties and responsibilities of the classes they describe. Standards cannot and do not include all of the work that might be appropriately performed by a class. The minimum qualifications above are those which were required for appointment at the time the Classification Standard was written. Please contact the Division of Staffing Services for current information on minimum requirements for appointment or examination.