Information Security Support Specialist

State of California

Job Location : Sacramento, CA, USA

Posted on : 2025-08-16T07:42:22Z

Job Description :

Under the general direction of the Deputy Chief Information Security Officer (CISO), an Information Technology Supervisor II in the Information Security Office (ISO), the incumbent performs State Controller's Office (SCO) Information Security Program activities providing direct support to the California State Payroll System (CSPS) Project and the agency in areas such as security risk management to ensure SCO business and technical environments have and maintain an appropriate security posture. Additionally, as an Information Security Support Specialist, the incumbent will provide Vulnerability Analysis, IT Compliance Analysis, IT Governance Analysis, Security Control Assessment & Analysis, and System Requirements Planning. The incumbent will be responsible for analyzing the organization's cyber defense policies and configurations to evaluate CSPS compliance with regulations and directives, conducting investigations to identify noncompliance factors, and ensuring the accuracy, completeness, and security of agency data through the implementation of data security policies and the establishment of data standards. The incumbent will also be responsible for identifying gaps in security architecture, performing risk analyses, and developing risk mitigation strategies, as well as conducting risk analysis, feasibility and trade-off analysis, and consulting with customers to evaluate non-functional requirements. Finally, the incumbent will assist with division technical duties in various program areas to support organizational needs using a variety of skills and software.

Duties Performed: (Candidates must perform the following functions with or without reasonable accommodations.)

  • Responsible for analyzing the organization's cyber defense policies and configurations to evaluate compliance with regulations and directives. Maintain a deployable cyber defense audit toolkit and stay up-to-date with applicable cyber defense policies, regulations, and compliance documents. Prepare audit reports, identifying findings and providing recommended remediation strategies. Perform risk and vulnerability assessments of relevant technology focus areas and conduct authorized penetration testing. Conduct required reviews and make recommendations regarding the selection of cost-effective security controls to mitigate risk.
  • Responsible for conducting investigations to identify noncompliance factors, coordinating with other departments within the organization to ensure policies are being followed, and communicating with clients or stakeholders regarding changes in regulations or compliance issues that may impact their business. Responsible for preparing reports on findings, conclusions, and recommendations to improve compliance, monitoring the activities of regulated entities, reviewing and interpreting data to identify potential problems or issues, identifying risks that may expose an organization to legal liability, and educating customers about applicable laws and regulations.
  • Responsible for ensuring the accuracy, completeness, and security of agency data through the implementation of data security policies and the establishment of data standards. Review data sources to identify gaps in coverage, monitor compliance with privacy laws and regulations, and collaborate with business managers to maintain data quality over time. Responsible for creating reports on data trends, developing policies on acceptable methods for reporting results, and presenting findings to stakeholders. Responsible for maintaining the 'single source of truth' for governance documentation and monitoring review periods of policies and processes.
  • Responsible for identifying gaps in security architecture, performing risk analyses, and developing risk mitigation strategies. Review security authorization documentation and provide input to the Risk Management Framework process. Assess the effectiveness of security controls and ensure compliance with agency goals, information security requirements, and IT policies and procedures.
  • Responsible for conducting risk analysis, feasibility and trade-off analysis, and consulting with customers to evaluate functional requirements. Define project scope and objectives, develop technical solutions, and coordinate with systems architects and developers. Develop and document user experience requirements, supply chain risks, and quality standards. Integrate and align cybersecurity policies and oversee configuration management, perform needs analysis, prepare use cases, develop cost estimates, and manage the IT planning process to ensure that solutions meet customer requirements. Ensure that all system components are integrated and aligned with applicable guidelines and develop baseline security requirements and preliminary system security concepts of operations. Act as the Information Security liaison across cross-functional teams through the software development life cycle (SDLC). Evaluate and support tools used in development, testing, deployment, and monitoring. Ensure security and compliance are integrated into each SDLC phase.
  • Review and interpret IT-related contracts for security and compliance risks. Assess third-party tools, applications, and services for vulnerabilities. Provide ISO recommendations to mitigate identified risks.
You will find additional information about the job in the Duty Statement.

Working Conditions

This position is located at The Emerald Tower on Capitol Mall, steps from Tower Bridge and is walking distance to the State Capitol. The building offers affordable monthly parking, employee gym access, an amenities center, and a beautiful mid-tower garden terrace. It is conveniently situated only blocks from Old Sacramento, numerous restaurants, a seasonal farmer's market, and the Crocker Art Museum. Overlooking the Golden 1 Arena and Downtown Commons, the office is accessible from Sacramento Regional Transit's light rail and bus systems, with convenient access to I-5, I-80, US 50 & US 99. This position is eligible for hybrid telework under California Government Code Section 14200 for eligible applicants residing in California. All telework schedules are subject to change and may be reevaluated at any time. Specific telework arrangements may be discussed in more detail with the respective hiring manager. Telework does not change the terms and conditions of employment, the essential functions of job duties, or required compliance with the State Controller's Office policies.

Minimum Requirements

You will find the Minimum Requirements in the Class Specification.
  • INFORMATION TECHNOLOGY SPECIALIST I
Additional Documents
  • Job Application Package Checklist
  • Duty Statement
Position Details

Job Code #: JC-488454
Position #(s): 051-###-####-033
Working Title: Information Security Support Specialist
Classification: INFORMATION TECHNOLOGY SPECIALIST I
$6,513.00 - $8,729.00 A
$7,163.00 - $9,599.00 B
$7,864.00 - $10,537.00 C
New to State candidates will be hired into the minimum salary of the classification or minimum of alternate range when applicable.
# of Positions: 1
Work Location: Sacramento County
Telework: Hybrid
Job Type: Permanent, Full Time
Facility: California State Payroll System

Department Information

The Office of the State Controller (SCO) is the destination employer within the State of California. As California's chief fiscal officer, the Controller's Office ensures accountability and transparency of California's financial practices while promoting fairness and opportunity for all. Here, you'll work in a collaborative and supportive environment with diverse opportunities for professional growth and development. A career with the SCO offers meaningful work that directly impacts the state's future.

The California State Payroll System (CSPS) Project at the State Controller's Office plays a vital role in modernizing the state's human resources and payroll infrastructure. This project leads the implementation of an innovative Human Capital Management system that will streamline services for 300,000 state employees. The team manages the development of essential functions including personnel administration, payroll processing, benefits management, and employee self-service capabilities. By joining CSPS, you'll be at the center of a historic transformation, contributing to solutions that will enhance government operations for decades to come.

Take the next step in your career with an organization that values innovation, integrity, and the well-being of its employees. Apply today and build a California where everyone thrives! Visit our website to learn more about the State Controller's Office.

How did you hear about us? Take our survey!

Special Requirements

A Statement of Qualifications is required; please see 'Required Application Package Documents' for instructions.

Take the required examination here: Information Technology Specialist I Examination

Application Instructions

Completed applications and all required documents must be received or postmarked by the Final Filing Date in order to be considered. Dates printed on Mobile Bar Codes, such as the Quick Response (QR) Codes available at the USPS, are not considered Postmark dates for the purpose of determining timely filing of an application.

Final Filing Date: 8/27/2025

Who May Apply

Individuals who are currently in the classification, eligible for lateral transfer, eligible for reinstatement, have list or LEAP eligibility, are in the process of obtaining list eligibility, or have SROA and/or Surplus eligibility (please attach your letter, if available). SROA and Surplus candidates are given priority; therefore, individuals with other eligibility may be considered in the event no SROA or Surplus candidates apply. Applications will be screened and only the most qualified applicants will be selected to move forward in the selection process. Applicants must meet the Minimum Qualifications stated in the Classification Specification(s).

How To Apply

Complete Application Packages (including your Examination/Employment Application (STD 678) and applicable or required documents) must be submitted to apply for this Job Posting. Application Packages may be submitted electronically through your CalCareer Account at www.CalCareers.ca.gov. When submitting your application in hard copy, a completed copy of the Application Package listing must be included.
If you choose to not apply electronically, a hard copy application package may be submitted through an alternative method listed below:

Address for Mailing Application Packages

You may submit your application and any applicable or required documents to:
State Controller's Office Human Resources Attn: Human Resources Office, A.M. 300 Capitol Mall 3rd Floor, Ste 300 Sacramento, CA 95814

Address for Drop-Off Application Packages

You may drop off your application and any applicable or required documents at:
State Controller's Office Human Resources Attn: Human Resources Office, A.M. 300 Capitol Mall 3rd Floor, Ste 300 Sacramento, CA 95814
Applications dropped off in person must be received by 5 p.m. in HR, by the final filing date.
08:00 AM - 05:00 PM

Required Application Package Documents

The following items are required to be submitted with your application. Applicants who do not submit the required items timely may not be considered for this job:
  • Current version of the State Examination/Employment Application STD Form 678 (when not applying electronically), or the Electronic State Employment Application through your Applicant Account at www.CalCareers.ca.gov. All Experience and Education relating to the Minimum Qualifications listed on the Classification Specification should be included to demonstrate how you meet the Minimum Qualifications for the position.
  • Resume is optional. It may be included, but is not required.
  • Statement of Qualifications - Candidates must provide a Statement of Qualifications (SOQ). The SOQ items must be numbered and addressed in the same order as listed. The SOQ must be no more than two pages in length, single-spaced, with one-inch margins, and in 12-point font.
    1. Describe your experience deploying cyber defense audit toolkits and aligning with security policies, regulations, and compliance frameworks. How have you applied these tools in real-world audits or assessments, and how did you identify and resolve compliance issues in collaboration with other departments?
    2. Explain how you've identified gaps in security architecture and conducted risk assessments. What mitigation strategies did you implement, and how did you evaluate their effectiveness?
    3. Discuss your role as a security liaison in the Software Development Life Cycle (SDLC), including how you reviewed IT contracts and third-party tools for security risks. What tools or processes did you use to ensure compliance, and how did your input influence project or procurement decisions?
Applicants requiring reasonable accommodations for the hiring interview process must request the necessary accommodations if scheduled for a hiring interview. The request should be made at the time of contact to schedule the interview. Questions regarding reasonable accommodations may be directed to the EEO contact listed on this job posting.

Desirable Qualifications

In addition to evaluating each candidate's relative ability, as demonstrated by quality and breadth of experience, the following factors will provide the basis for competitively evaluating each candidate:
  • Education: A Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or a related field is preferred.
  • Certifications: Possession of one or more industry-recognized certifications such as: CompTIA Security+, Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Ethical Hacker (CEH), GIAC Security Essentials (GSEC)
  • Cybersecurity Experience: At least 2 years of hands-on experience in cybersecurity, including vulnerability assessments, risk analysis, security control evaluations, or compliance auditing.
  • Security Governance & Compliance: Demonstrated experience interpreting and applying security frameworks such as NIST 800-53, NIST RMF, or ISO 27001. Familiarity with IT compliance processes, policy development, and audit response.
  • Contract and Risk Review: Experience reviewing IT-related contracts and evaluating third-party tools or services for security and compliance risks.
  • SDLC and Cross-Functional Collaboration: Experience working with cross-functional teams throughout the Software Development Life Cycle (SDLC), including integration of security requirements and tool evaluations.
  • Technical Proficiency: Strong understanding of IT systems, networks, and security tools (e.g., vulnerability scanners, SIEMs, endpoint protection). Ability to assess and recommend technical solutions.
  • Soft Skills: Strong analytical, communication, and problem-solving skills. Ability to work independently and collaboratively, manage competing priorities, and communicate effectively with technical and non-technical stakeholders.
Benefits

Benefit information can be found on the CalHR website and the CalPERS website.

Contact Information

The Hiring Unit Contact is available to answer questions regarding the position or application process.

Hiring Unit Contact: Denise Middleton (916) ###-#### ...@sco.ca.gov

Please direct requests for Reasonable Accommodations to the interview scheduler at the time the interview is being scheduled. You may direct any additional questions regarding Reasonable Accommodations or Equal Employment Opportunity for this position(s) to the Department's EEO Office.

EEO Contact: SCO EEO Officer (916) ###-####
California Relay Service: 1-800-###-#### (TTY), 1-800-###-#### (Voice)
TTY is a Telecommunications Device for the Deaf, and is reachable only from phones equipped with a TTY Device.

Equal Opportunity Employer

The State of California is an equal opportunity employer to all, regardless of age, ancestry, color, disability (mental and physical), exercising the right to family care and medical leave, gender, gender expression, gender identity, genetic information, marital status, medical condition, military or veteran status, national origin, political affiliation, race, religious creed, sex (includes pregnancy, childbirth, breastfeeding and related medical conditions), and sexual orientation.

It is an objective of the State of California to achieve a drug-free work place. Any applicant for state employment will be expected to behave in accordance with this objective because the use of illegal drugs is inconsistent with the law of the State, the rules governing Civil Service, and the special trust placed in public servants.