Information Security Risk and Compliance Officer

Job no: 5089114
Position type: Full-Time (Salaried)
Location: Richmond (City), Virginia
Division/Equivalent: Virginia Lottery
School/Unit: Virginia Lottery
Categories: Information Technology


Title: Information Security Risk and Compliance Officer

Hiring Range: $110,388 - $141,297

Pay Band: UG

Agency: Virginia Lottery

Location: Richmond, VA

Agency Website: www.valottery.com

Recruitment Type: General Public - G

Job Duties

For more than three decades, the Virginia Lottery has worked to build a strong reputation, one synonymous with providing fun, entertaining experiences and doing so responsibly and with integrity. Proceeds from traditional Lottery games support K-12 public education in Virginia. Taxes generated by sports wagering and casino gaming, which are regulated by the Lottery, benefit other priorities of the Commonwealth.


The Virginia Lottery, an independent state agency, is currently seeking an Information Security Risk and Compliance Officer to join our Information Security Department. This position is located in Richmond, Virginia.

The Information Security Risk and Compliance Officer will be responsible for the agency's information security risk management program, which is compliant with the Commonwealth of Virginia Risk Management Framework found in SEC520 and SEC530. This is accomplished through policy, standards, and implementation of processes and controls through a variety of means, including System and Data inventory & classification, Business Impact Analysis (BIA), Risk Assessments (RA) for sensitive systems, and System Security Plans (SSP). It also includes testing systems and applications, monitoring system activity, coordinating system access control (physically and logically), creating/updating policies, and analyzing system security architecture with other subject-matter experts in the Lottery Information Technology Security Committee (ITSC) and Security and Technical Architecture Review (STAR) teams that ensure we comply with the VITA Standards and §2.2-603 of the Code of Virginia. Actively collaborates with Lottery Leadership, VITA, and the Information Security community to stay current with all trends, technology, and COV requirements.

The Information Security Risk Officer duties include:
IT Security Governance Framework Program:
• Establish and maintain a robust governance framework, including clear roles and responsibilities for risk management.
• Facilitate communication and collaboration between different departments regarding risk and compliance matters.
• Develop key performance indicators (KPIs) to measure the effectiveness of GRC initiatives.
• Defines, updates and enforces security policies to reduce risk.
• Performs and approves security reviews and recommendations on proposed and new software and hardware solutions.
• Develop and maintain the Lottery Information Security program, to include policies and procedures.

IT Security and Risk Management Program:
• Responsible and accountable for the development and maintenance of the Lottery risk management program of the overall Lottery Information Security program, to include associated policies, procedures, and formalized application security testing processes.
• Responsible for prioritizing risks based on severity and likelihood and developing mitigation strategies.
• Responsible and accountable to ensure Risk Assessments for sensitive systems are developed and reviewed in accordance with the Lottery Risk Assessment Plan.
• Responsible and accountable for creating, with internal stakeholders, System Security Plans (SSPs) for each sensitive system.
• Coordinate risk analysis, assessment, and reporting activities with vendors and internal stakeholders.
• Perform security reviews on Lottery systems to ensure CIA best practices are being followed and maintained.

Compliance Management:
• Monitor compliance with applicable laws, regulations, and COV controls.
• Develop and maintain compliance policies and standards.
• Maintain a centralized repository for policies and standards, and ensure regular reviews and updates are conducted in a timely manner.
• Conduct compliance assessments and reviews to identify gaps and ensure adherence.
• Conduct quality assurance reviews and assess compliance with policies and standards.
• Coordinate the Security Team's response to audit requests.
• Oversee audit readiness, including documentation, workflows, and remediation tracking. Proactively monitor potential audit points/findings and coordinate remediation activity before they become audit findings.
• Perform security reviews on Lottery systems to ensure CIA best practices are being followed and maintained.

Develop and maintain Business Continuity Program:
• Develop and maintain the Lottery Business Impact Analysis (BIA), Enterprise Business Continuity Plan, and documents supporting the overall continuity program. Coordinate and maintain the IT Disaster Recovery Plan (IT-DRP).
• Coordinates disaster recovery planning activities: disaster recovery training and exercise, IT disaster recovery exercise and updates.

General department tasks:
• Supporting tasks as required.
• Perform other duties as assigned.

Note - This position requires in-office work three days per week including Tuesday and Wednesday.

Minimum Qualifications

The person selected for this position will have:
• Bachelor’s Degree from an accredited 4-year college or university with major studies in Information Systems, Computer Science, or related field.
• Five or more years of information security instruction and risk assessment training, and experience working on project teams and meeting project deadlines.
• Considerable knowledge of information security principles, policies and procedures, and Risk Management Frameworks.
• Working knowledge of business, applications, and technology as applied to information security.
• Knowledge of information assurance principles and organizational requirements that are relevant to confidentiality, integrity, and availability.
• Demonstrated ability to plan, develop, coordinate, and manage multiple security initiatives in a technologically diverse environment.
• Experience in business continuity planning.
• Excellent interpersonal and communications skills, both oral and written.
• Demonstrated ability to interact successfully with senior management, regulatory and compliance managers, and external vendors.
• Knowledge of new and emerging Information Technology and Security strategies.
• Knowledge of federal, state, agency, and other regulatory agents’ policies, regulations, and standards.
• Excellent understanding of IT security controls, specifically NIST 800-53 and Commonwealth of Virginia IT security policies and standards.
• Ability to maintain strict confidentiality of sensitive material.
• Strong organizational, planning and project management skills a plus.

Additional Considerations

• Certification in information security from CompTIA, ISC2, ISACA or SANS Global Information Assurance Certification (GIAC) credentials preferred.

Special Instructions

You will be provided a confirmation of receipt when your application and/or résumé is submitted successfully. Please refer to “Your Application” in your account to check the status of your application for this position.

The selected candidate will be required to complete a background investigation and possess a valid Driver’s License. Must be willing to work some nights and weekends as needed. Requires in-person work three (3) days a week including Tuesday and Wednesday.

The Virginia Lottery is an independent state agency, and as such all positions are exempt from the Virginia Personnel Act, as well as most Executive Branch human resources policies. The Virginia Lottery is a fun place to work and values diversity in the workforce. We offer a competitive salary and excellent benefits. The Virginia Lottery is an Equal Opportunity Employer. Only online applications completed in their entirety will be accepted for this position. The Virginia Lottery will provide, if requested, reasonable accommodation to applicants in need of accommodation in order to provide access to the application and/or interview process. If any assistance is needed when applying online, please contact the Virginia Lottery’s Human Resources Department at (804) 692-7000. Applications will be accepted until a suitable pool of candidates is received. After 5 business days, this position may be closed at any time.

Contact Information

Name: Human Resources

Phone: (804) 692-7000

Email: N/A

 

In support of the Commonwealth’s commitment to inclusion, we are encouraging individuals with disabilities to apply through the Commonwealth Alternative Hiring Process. To be considered for this opportunity, applicants will need to provide their AHP Letter (formerly COD) provided by the Department for Aging & Rehabilitative Services (DARS), or the Department for the Blind & Vision Impaired (DBVI). Service-Connected Veterans are encouraged to answer Veteran status questions and submit their disability documentation, if applicable, to DARS/DBVI to get their AHP Letter. Requesting an AHP Letter can be found at AHP Letter or by calling DARS at 800-552-5019.

Note: Applicants who received a Certificate of Disability from DARS or DBVI dated between April 1, 2022 - February 29, 2024, can still use that COD as applicable documentation for the Alternative Hiring Process.
