CS-214
REV 8/2007 / 1. Position Code

State of Michigan

Civil Service Commission
Capitol Commons Center, P.O. Box 30002
Lansing, MI 48909
Federal privacy laws and/or state confidentiality requirements protect a portion of this information.

POSITION DESCRIPTION

This form is to be completed by the person that occupies the position being described and reviewed by the supervisor and appointing authority to ensure its accuracy. It is important that each of the parties sign and date the form. If the position is vacant, the supervisor and appointing authority should complete the form.
This form will serve as the official classification document of record for this position. Please take the time to complete this form as accurately as you can since the information in this form is used to determine the proper classification of the position. THE SUPERVISOR AND/OR APPOINTING AUTHORITY SHOULD COMPLETE THIS PAGE.
2. Employee’s Name (Last, First, M.I.) / 8. Department/Agency
Dept Technology, Management & Budget (DTMB)
3. Employee Identification Number / 9. Bureau (Institution, Board, or Commission)
Cybersecurity and Infrastructure Protection (CIP)
4. Civil Service Classification of Position
IT Specialist 14 / 10. Division
Michigan Cyber Security (MCS)
5. Working Title of Position (What the agency titles the position)
Cyber Forensics Specialist - Desktop / 11. Section
Michigan Security Operations Center (MiSOC)
6. Name and Classification of Direct Supervisor
Victoria McPherson, SAM 15 / 12. Unit
Threat Intelligence and Incident Response unit
7. Name and Classification of Next Higher Level Supervisor
Richard Reasner, SOA 17 / 13. Work Location (City and Address)/Hours of Work
515 Westshire Drive, Lansing, MI
Hours may vary, Shift Work Required
14. General Summary of Function/Purpose of Position
Daily, the state of Michigan blocks over half a million attacks on state IT assets via its automated security and defense systems. However, on average 600 attacks bypass these systems and find their way onto state systems. This critical enterprise position provides forensics for Michigan’s enterprise Cyber Incident Response Management program that remediates these incidents.
This position requires competency in cyber forensics and information security. The primary purpose of this position is to conduct forensic investigations for the area of focus noted in the above working title (Item 5). The candidate will be expected to have a solid foundation of IT technical experience and expertise, excellent analytical skills, to be highly conscious of details and to be able to multi-task efficiently.
This position will work with senior level staff across the enterprise regarding forensics and incident response, as well as with other areas within DTMB and Agency business partners/clients. Specifically, this position will work with the State Attorney General’s Office, State Agency Human Resource Directors, and all levels of Law Enforcement (including the FBI and Homeland Security). A strong background in forensic practices and procedures, and evidence handling is required. Experience in law enforcement, basic investigations or with a professional services firm, and testifying as an expert witness is preferred.
For Civil Service Use Only
15. Please describe your assigned duties, percent of time spent performing each duty, and explain what is done to complete each duty.
List your duties in the order of importance, from most important to least important. The total percentage of all duties performed must equal 100 percent.

Duty 1

General Summary of Duty 1 % of Time 80%
As an expert in SOM enterprise forensics for the identified focus area, this Specialist provides leadership and execution in support of internal and external cybersecurity incident response.
Individual tasks related to the duty.
·  Lead the identified focus area forensics practice within MCS.
·  Use available tool-sets to perform digital forensics examinations through the entire lifecycle (case planning, intake, acquisition, examination, presentation and disposition) for the enterprise.
·  Participate on or in support of the Cyber Incident Response Team which is formed when a major cyber incident is suspected.
·  Interface with State Agency Executives including Human Resource Directors, Security and Privacy officer.
·  Interface with Local, State, and Federal Law Enforcement agencies.
·  Participate in the investigation, assessment and remediation activities associated with cyber incidents such as employee acceptable use cases, data breaches, network security access breaches, and denial of services.
·  Provides technical expertise by acting as a state digital forensics expert for cyber and acceptable use incidents. The position is also responsible for presenting evidence in a legally acceptable and understandable way.
·  Provides technical expertise, and guidance on best practices in cyber forensics to other members of MCS, other areas of DTMB and customer community.
·  Responsible for conducting forensic analysis in support of agency matters including large-scale investigations.
·  Serves as a technical advisor/expert to State of Michigan human resources in acceptable use cases.
·  Provide a timely response, proposed resolution, and documentation in support of incident investigation results.
·  Provides internal staff training on forensics and incident response.
·  Is responsible for ensuring that evidence is properly identified, preserved, and analyzed.
·  Assist in developing, implementing and managing a set of standards, policies, and procedures established for forensics.
·  Creates standards, procedures and templates for staff to use in their daily tasks.
·  Establish methods and techniques for monitoring and identifying inappropriate and/or illegal use of the State’s IT resources.
·  Provide management with recommendations for new or updated tools to further enhance the enterprise-wide forensic toolset.

Duty 2

General Summary of Duty 2 % of Time 15%
The specialist will maintain knowledge of industry best practices for IT security solutions, as well as developments in new technologies and/or methodologies for IT security.
Individual tasks related to the duty.
·  Assist MCS/MiSOC management in the development of effective and efficient security documents to assist identifying and assessing risk across the enterprise.
·  Research and evaluate best practice data security methods for inclusion in MCS/MiSOC standards, then recommend how they can be implemented across or in support of the enterprise.
·  Conduct research and attend training sessions, seminars, and conferences to keep abreast of developing IT security tools and technology.
·  Interface with the Computer Emergency Response Team (CERT) and participate in various internet security groups in order to maintain awareness of IT security developments.
·  Serves on assigned task forces, special committees and/or research groups.

Duty 3

General Summary of Duty 3 % of Time 5%
Perform miscellaneous functions as needed to contribute to the overall operation and objectives of the Department.
Individual tasks related to the duty.
·  Assists and advises other members of MCS with implementing security controls for their projects.
·  Create metrics and generate agency reports based on expert security strategies to facilitate a complete security lifecycle.
·  Utilizing metrics and industry best practice, generate an agency-centric security profile.
·  Implement new security methodologies, and make recommendations to management regarding the acquisition of new security tools and/or technologies.
·  Disseminate information across the enterprise as appropriate.
·  Assist in provision of awareness training, and sharing new IT security solutions.
·  Attendance at staff meetings.
·  Other tasks as assigned by management.
16. Describe the types of decisions you make independently in your position and tell who and/or what is affected by those decisions. Use additional sheets, if necessary.
·  Decisions involving the development of IT security systems. These decisions impact the confidentiality, integrity, and availability of sensitive data on the entire State of Michigan network.
17. Describe the types of decisions that require your supervisor’s review.
Decisions regarding the acquisition of new security technologies, as well as system changes affecting enterprise-wide operational needs.
·  Matters that affect the budget beyond the MCS allocated amounts.
·  Decisions leading to the proposition of alternatives and recommendations that alter the scope of projects.
·  Approval of deviation from policy.
·  When decision results in an impact to an Agency’s business processes.
·  When the decision impacts systems or business units outside the governance of MCS.
·  When the decision impacts the department's IT strategic direction.
18. What kind of physical effort do you use in your position? What environmental conditions are you physically exposed to in your position? Indicate the amount of time and intensity of each activity and condition. Refer to instructions on page 2.
·  The position operates in a normal office environment, performing duties within the assigned workspace.
·  Tasks can be completed routinely seated at a desk, visiting others at their desks, in the context of meetings and meeting rooms.
·  Work requires extensive use of personal computers including keyboards and monitors.
·  This position is subject to stress and pressure to resolve problems quickly and effectively.
·  There are frequent deadlines that are imposed by external forces; heavy workloads are possible and overtime during development projects may be required.
·  Duties may involve lifting of 25 pounds or less.
19. List the names and classification titles of classified employees whom you immediately supervise or oversee on a full-time, on-going basis. (If more than 10, list only classification titles and the number of employees in each classification.)
NAME / CLASS TITLE / NAME / CLASS TITLE
N/A
20. My responsibility for the above-listed employees includes the following (check as many as apply):
Complete and sign service ratings. Assign work.
Provide formal written counseling. Approve work.
Approve leave requests. Review work.
Approve time and attendance. Provide guidance on work methods.
Orally reprimand. Train employees in the work.
21. I certify that the above answers are my own and are accurate and complete.
Signature Date

NOTE: Make a copy of this form for your records.

TO BE COMPLETED BY DIRECT SUPERVISOR

22. Do you agree with the responses from the employee for Items 1 through 20? If not, which items do you disagree with and why?
Prepared by Management
23. What are the essential duties of this position?
All duties listed are essential to the position.
24. Indicate specifically how the position’s duties and responsibilities have changed since the position was last reviewed.
New position.
25. What is the function of the work area and how does this position fit into that function?
The Michigan Security Operations Center (MiSOC) ensures the confidentiality, integrity and availability of State of Michigan and IT assets; handles IT security operations and recovery from all types of disasters; and effectively manages emergencies and keeps the business of state government – critical information, communication, and technology services to Michigan citizens – running smoothly.
This position is a member of the Threat Intelligence and Incident Response unit team within the MiSOC, specifically focusing on conducting forensic investigations.
26. In your opinion, what are the minimum education and experience qualifications needed to perform the essential functions of this position.
EDUCATION:
Possession of a bachelor’s degree with not less than 21 semester (32 term) credits in computer science, data processing, computer information systems, data communications, networking, systems analysis, computer programming, or mathematics
EXPERIENCE:
Three years of professional experience equivalent to an Information Technology Infrastructure or Programmer/Analyst P11 or one year equivalent to an Information Technology Infrastructure or Programmer/Analyst 12
KNOWLEDGE, SKILLS, AND ABILITIES:
·  Strong communications, leadership, and collaboration skills.
·  First-hand knowledge of cyber forensic practices and procedures, and evidence handling.
·  Knowledge of expert witness testimony discipline.
·  Considerable knowledge of IT security technologies, including IDS, firewall, forensic and encryption techniques.
·  Knowledge of current networking technologies (WAN, MAN, and LAN).
·  Knowledge of, and familiarity with, incident response policies and procedures.
·  Must possess excellent communication skills, both verbal and written.
·  Four years of professional EDP or security experience, with at least two years of that experience in the cyber forensics discipline.
CERTIFICATES, LICENSES, REGISTRATIONS:
·  The duties require the use of a personal vehicle.
·  Employment requires passing a drug test and background check.
·  The position also requires passing a LEIN background investigation.
·  A Certified Information Systems Security Professional (CISSP) is preferred.
·  Forensic certification is preferred.
NOTE: Civil Service approval of this position does not constitute agreement with or acceptance of the desirable qualifications for this position.
27. I certify that the information presented in this position description provides a complete and accurate depiction of the duties and responsibilities assigned to this position.
Supervisor’s Signature Date
TO BE FILLED OUT BY APPOINTING AUTHORITY
28. Indicate any exceptions or additions to the statements of the employee(s) or supervisor.
29. I certify that the entries on these pages are accurate and complete.
Appointing Authority’s Signature Date
