The Massachusetts Gaming Commission (MGC) seeks an Information Security and Privacy Analyst reporting to the Information and Network Security Manager to establish, review and maintain the full range of information technology policy and oversight programs for MGC in accordance with applicable laws and regulations. This includes, but is not limited to, formulating information technology policies designed to oversee the gaming industry's responsibilities to identify, assess and remediate Technology, Data, and Cybersecurity Risk relating to licensed gaming activities in Massachusetts.

The role requires strategic vision and the ability to influence change and communicate a coherent understanding of how to efficiently and effectively oversee the security and data protection practices of MGC licensees. This position must develop a staffing plan to review 3rd party security audits of MGC licensees and ensure that licensees address and document risk areas identified in audit reports. Critical aspects of the work involve providing expert advice and guidance on the capabilities and limitations of IT security oversight for MGC licensees. Providing expertise and leadership in ensuring MGC licensees understand the regulatory requirements relating to security, privacy, and compliance responsibilities. All duties are to be performed in accordance with MGC policies, practices, and procedures.

Duties and responsibilities include, but are not limited to, the following:

• Plan, organize, and direct the analysis, design, development, implementation, and operation of information security and data protection requirements for MGC licensees.
• Consult with ITS senior staff, operational experts, industry technical compliance, information security staff, and third-party security experts to determine information systems risk control requirements and the operational and oversight controls needed to verify compliance with the requirements.
• Provide guidance and assistance to staff on resource capabilities relative to the risk control framework for information security and data protection practices of MGC licensees.
• Research operational requirements related to information and data security risk control measures used in the gaming industry and develop performance metrics to evaluate the effectiveness of similar MGC requirements for its licensees.
• Establish and maintain communication with peer gaming regulatory staff responsible for information and data security and leverage resources to promote efficiency and more effective oversight of common licensees.
• Develop and oversee internal and external information security awareness training and educational activities relating to MGC's oversight of the gaming industry.
• Review and recommend amendments to statutes and administrative rules that pertain to gaming industry information and data protection security.
• Continuously review and update information security and investigations procedures to ensure compliance with all regulated and unregulated standards pertaining to the responsible operation of licensed gaming activities in Massachusetts.
• Develop a plan for information security and data protection initiatives and create cost estimates, work plans, and timelines for MGC oversight and industry compliance education efforts.
• Research new technologies to enhance MGC's information security and data protection risk control programs.
• Monitor overall operational efficiency and initiates projects to improve performance.
• Create minimum standards for information security professionals used by MGC licensees and create a certification program for such professional service providers.
• Develop metrics to evaluate services provided by certified professional service providers of network security auditors and otherwise develop oversight procedures for third-party risk control professionals involved in performing compliance work related to MGC information security and data protection requirements.
• Provide consultative guidance and direction to leadership on the utilization and capabilities of the MGC's information security and data protection oversight activities.
• Maintain awareness of potential cyber-attack technologies, methods, and signatures.
• Direct the training of subordinate staff to ensure they are kept up to date with changes in information security and data protection. Prepares progress reports to inform management of project developments and deviations from objectives; consults with specialist or technical personnel to solve complex problems.
• Possess a working knowledge of all MGC Regulations, policies, and procedures.
• Ensure that the objectives under the Information Security Department align with applicable laws, regulations, policies, and MGC's code of ethics.
• Other projects assigned by the Chief Information Officer.

Our Benefits: Hybrid work environment; MA State Retirement Plan (Pension); a 9000 sq. foot on-site Fitness Center; Tuition Remission for yourself and your spouse to MA Community Colleges and State Universities; Medical, Dental, Vision, Life, and Disability insurance; 12 paid Holidays; Deferred Compensation 457(b) Plan; Flex Spending for Healthcare, Daycare, and Transportation; Three weeks' Vacation to start , three Personal Days and 15 Sick Days per year; Health Insurance Buy-out option.

Required Education and Experience:

• Bachelor's degree from an accredited college or university in Computer and Information Science, Computer Engineering, Computer Systems Analysis, Information Cybersecurity and five (5) years of progressive information security experience across various information security/information technology risk management domains such as but not limited to application security, infrastructure security, identity, and access management, vulnerability and cyber threat management, security architecture, etc.

Substitutions:

• Additional appropriate experience in progressive information security/information technology risk management substitutes for the degree requirement on a year-for-year basis.
• Additional appropriate education in Master's Degree or Doctorate substitute for the required experience on a year-for-year basis.

Required Skills & Abilities:

• Security certifications, e.g., CISSP, CISA, CISM, CCSP.
• Previous knowledge and experience in designing and architecting information technology and security controls across complex and diverse networks, applications, and infrastructures are strongly preferred.
• Technical aptitude, critical thinking skills, and the ability to think outside the box.
• Demonstrated ability to solve complex information security problems, observe security risks and weaknesses, and provide security recommendations to the respective project and delivery teams.
• Ability to translate technical risk issues to business leaders and upper management. Excellent verbal, written, and interpersonal communication skills.
• Detail-oriented and value teamwork.
• Knowledge of the Massachusetts gaming statutes and regulations.
• Ability to resolve problems as they arise and handle situations expediently.
• Must be able to work a flexible schedule according to business needs, including evenings, weekends, and holidays.

Preferred Skills & Abilities:

The following preferred experience(s), competencies, and abilities are highly desirable for this position and will be considered in selecting the successful candidate:

• Applicants with progressive gaming industry information security experience are strongly encouraged to apply.
• Demonstrated experience as a supervisor of a unit with at least two employees.
• In-depth knowledge and experience working with common regulatory framework applications related to data security, including HIPAA, HITRUST, - General Data Protection Regulation (GDPR), National Institute of Standards & Technology (NIST) standards, Payment Card Industry Data Security Standard (PCI), and similar constructs are highly desired.
• Demonstrated experience in the evaluation, selection, and decision-making as it relates to gaming security controls.

Salary is commensurate with experience.

The successful candidate will be required to pass an extensive background check that includes a full credit check, CORI, drug screen, and fingerprinting.

The Massachusetts Gaming Commission is responsible for the implementation of the expanded gaming law (Chapter 194 of the Acts of 2011). Under the law, the Commission is tasked with establishing a regulatory framework for the solicitation, licensing, taxation, and oversight of a maximum of three casino licenses and one slots parlor license in Massachusetts.

It is the policy of the Massachusetts Gaming Commission and the Commonwealth of Massachusetts to afford equal employment opportunities to all qualified individuals, without regard to their race, color, ancestry, religion, sex, sexual orientation, national origin, age, physical or mental disability, citizenship status, veteran status, gender identity or expression, or any other characteristic or status that is protected by federal, state, or local law.