Senior Systems Security Specialist 2026P-0515
Ascension is seeking a highly experienced Senior Systems Security Specialist to help Montgomery County Public Schools protect its enterprise applications, networks, infrastructure, data, and technology services from cybersecurity threats and unauthorized access.
The successful candidate will analyze and define security requirements for complex, high-level applications; conduct security and privacy risk assessments; evaluate vulnerabilities; support secure identity and access management; and advise technical teams on the implementation of enterprise and multilevel security controls.
This role is important because MCPS technology environments support more than 159,000 students, approximately 25,800 employees, and numerous administrative, instructional, financial, human capital, student information, cloud, and infrastructure systems. The Senior Systems Security Specialist will help ensure that these systems are designed, configured, integrated, tested, and maintained in a manner that protects sensitive student, employee, financial, operational, and institutional information.
Ascension is looking for an individual who combines deep technical security expertise with sound judgment, professional discretion, and the ability to translate complex cybersecurity risks into practical recommendations for executives, project managers, system owners, developers, administrators, and end users.
Summary of the Contractor Role
The Senior Systems Security Specialist will provide cybersecurity engineering, risk management, and security requirements support throughout the System Development Life Cycle. The position will evaluate security controls and system architectures; identify vulnerabilities and threats; define remediation requirements; and support the secure implementation of applications, cloud platforms, infrastructure, databases, identity services, web systems, and enterprise integrations.
The specialist may support vulnerability assessments, penetration-testing activities, intrusion detection and monitoring, endpoint security, identity and access management, disaster recovery planning, application security reviews, and Independent Verification and Validation. The role may also advise development and infrastructure teams on secure configurations, role-based access, data protection, logging, encryption, source-code security, and system readiness before production deployment.
The ideal candidate will be:
- Self-directed and capable of working in a complex environment with limited supervision.
- Detail-oriented, analytical, and highly protective of sensitive information.
- Skilled at identifying the root causes of security risks rather than merely documenting symptoms.
- Comfortable challenging insecure designs or practices while maintaining productive working relationships.
- Able to prioritize multiple assessments, incidents, remediation activities, and project deadlines.
- Experienced in presenting technical findings to both technical and nontechnical stakeholders.
- Prepared to work in an educational environment governed by student privacy, accessibility, public-sector security, and records-management requirements.
The RFP specifically identifies information-system security as a functional area covering vulnerability assessments, penetration testing, intrusion detection monitoring, endpoint security, and identity management. It also requires contractors to consider FERPA, COPPA, the Maryland Student Privacy Act, SOC 2, State IT security policies, and applicable HIPAA requirements.
Position Responsibilities and Anticipated Activities
The Senior Systems Security Specialist will:
- Analyze business, technical, privacy, and operational requirements to identify applicable security requirements and controls.
- Define security requirements for complex, enterprise-level applications, cloud platforms, databases, integrations, infrastructure components, and web-based systems.
- Conduct cybersecurity risk assessments and document threats, vulnerabilities, likelihood, potential impact, existing safeguards, residual risk, and recommended treatments.
- Evaluate system architectures, application designs, data flows, trust boundaries, interfaces, APIs, and integrations for security weaknesses.
- Perform or coordinate vulnerability assessments, configuration reviews, penetration tests, and application-security testing.
- Review vulnerability scan and penetration-test findings for accuracy, severity, exploitability, business impact, and remediation priority.
- Develop security assessment reports, plans of action, remediation recommendations, risk registers, control matrices, and executive summaries.
- Support identity and access management activities, including role-based access control, account provisioning, privileged-access management, authentication, authorization, and access recertification.
- Assess system roles and permissions to identify excessive access, segregation-of-duties conflicts, inactive accounts, and unauthorized privileges.
- Recommend technical and administrative safeguards for protecting student, employee, financial, operational, and other sensitive information.
- Advise application developers, system engineers, cloud administrators, database administrators, and project managers on secure-by-design practices.
- Integrate security requirements into project plans, system requirements, design documents, acceptance criteria, test plans, and release-readiness reviews.
- Review proposed changes, upgrades, patches, integrations, and system configurations for cybersecurity impact.
- Validate remediation evidence and determine whether vulnerabilities and security findings have been adequately resolved.
- Support Independent Verification and Validation activities that evaluate system security, functionality, compliance, and production readiness.
- Monitor or assist with evaluating security events, alerts, endpoint data, system logs, and intrusion-detection information.
- Investigate suspected security incidents or control failures and assist with documenting findings, containment actions, corrective measures, and lessons learned.
- Support immediate escalation and formal documentation of security incidents or unauthorized disclosures involving MCPS information.
- Develop or update cybersecurity policies, standards, procedures, security plans, operating instructions, and incident-response documentation.
- Assess disaster recovery, business continuity, backup, recovery, and resilience controls for critical systems and data.
- Evaluate third-party products, services, subcontractors, and solution architectures for security and privacy risks.
- Review applicable SOC 2 reports and supporting security documentation when required.
- Coordinate with system owners, privacy personnel, project teams, quality-assurance staff, vendors, and MCPS security representatives.
- Facilitate security review meetings, risk discussions, technical working sessions, and remediation-status reviews.
- Brief project leadership and senior stakeholders on significant risks, security posture, remediation progress, and decisions requiring management acceptance.
- Maintain accurate assessment records, supporting evidence, decisions, approvals, and remediation status.
- Prepare weekly productivity reports documenting completed activities, deliverables, issues, risks, decisions, and labor hours.
- Protect all MCPS information from unauthorized access, disclosure, alteration, retention, transmission, or use.
- Comply with MCPS, Maryland, federal, contractual, privacy, accessibility, and cybersecurity requirements.
Anticipated Tools and Technologies
The exact technology stack will depend on the individual MCPS task order. Candidates should have experience with several of the following:
Security and Vulnerability Management
- Tenable Nessus or Tenable Security Center
- Qualys
- Rapid7 InsightVM
- Burp Suite
- OWASP testing tools
- Nmap
- Wireshark
- Microsoft Defender
- Endpoint detection and response platforms
- Security information and event management platforms
- Intrusion detection and prevention systems
Identity and Access Management
- Microsoft Entra ID / Azure Active Directory
- Active Directory
- Single Sign-On
- Multi-factor authentication
- Privileged-access management
- Role-based access control
- Public Key Infrastructure
- Access-governance and recertification processes
Cloud, Application, and Infrastructure Security
- Microsoft Azure or Amazon Web Services security services
- Oracle Fusion Cloud security roles and controls
- Oracle Integration Cloud
- Web application firewalls
- API security controls
- Secure software-development practices
- CI/CD security scanning
- Database security
- Encryption and key-management technologies
- Backup, restoration, and disaster-recovery platforms
Documentation and Collaboration
- Microsoft 365
- Microsoft Teams
- SharePoint
- Excel
- PowerPoint
- Word
- Visio
- ServiceNow
- Jira, Azure DevOps, or comparable issue-tracking platforms
Security Processes and Frameworks
The successful candidate should be able to apply or work within:
- NIST Cybersecurity Framework
- NIST Risk Management Framework
- NIST Special Publication 800-53
- NIST Special Publication 800-30
- NIST Special Publication 800-61
- NIST Secure Software Development Framework
- CIS Critical Security Controls
- CIS Benchmarks
- OWASP Top 10
- SOC 2 Trust Services Criteria
- Zero Trust security principles
- Secure SDLC practices
- Configuration and change management
- Vulnerability and patch management
- Incident response
- Business continuity and disaster recovery
- Risk acceptance and exception management
How to Apply
CLICK HERE TO APPLY & SUBMIT YOUR RESUMEJob Features
| Job Category | Cybersecurity |
| MINIMUM QUALIFICATIONS | Bachelor’s degree from an accredited institution in cybersecurity, information assurance, computer science, information systems, computer engineering, engineering, or a closely related discipline | Ability to manage sensitive or confidential information with discretion | Strong written, analytical, presentation, facilitation, and interpersonal communication skills. |
| REQUIRED SKILLS | At least eight years of progressively responsible information-system security, cybersecurity, information assurance, or related experience | At least five years of experience analyzing and defining security requirements for high-level, complex, or enterprise applications. |
| TECHNICAL SKILLS | Demonstrated experience conducting security-risk assessments and vulnerability analyses. Demonstrated experience supporting security architecture, identity and access management, or implementation of layered or multilevel security controls | Experience interpreting technical findings and communicating risk to technical and nontechnical stakeholders | Experience preparing formal security documentation, assessment results, risk reports, or remediation plans | Experience working within a structured SDLC, change-management, release-management, or system-implementation environment. Knowledge of network, endpoint, application, database, cloud, and identity-security concepts. |
| DESIRED QUALIFICATIONS | Master’s degree in cybersecurity, information assurance, computer science, information systems, or a related discipline | Experience supporting public-school systems, state or local government, educational institutions, or other highly regulated public-sector environments | Experience protecting student records or personally identifiable information | Knowledge of FERPA, COPPA, the Maryland Student Privacy Act, PPRA, HIPAA, and SOC 2 requirements | Experience with NIST 800-53 control assessments or Risk Management Framework activities | Experience with Oracle Fusion Cloud, Oracle Integration Cloud, Microsoft Azure, Microsoft 365, or enterprise Student Information Systems | Experience evaluating cloud and on-premises integrations | Experience conducting or overseeing penetration testing | Experience with security operations, SIEM, EDR, IDS/IPS, vulnerability-management, or threat-detection platforms | Experience reviewing architecture diagrams, data-flow diagrams, APIs, microservices, and web applications | Familiarity with DevSecOps, CI/CD pipelines, source-code scanning, dependency scanning, and secure coding practices | Experience supporting Independent Verification and Validation or release-readiness assessments | Experience reviewing SOC 2 Type II reports, third-party security questionnaires, or vendor-risk assessments | Experience leading security workstreams or supervising cybersecurity professionals | Experience developing security policies, SOPs, standards, incident-response procedures, and disaster-recovery documentation | Knowledge of ADA Section 508 and Non-Visual Access requirements as they relate to secure systems and technology implementation. |
| SUITABILITY/SECURITY REQUIREMENTS | This position does not currently require a federal Secret or Top Secret security clearance. However, personnel assigned to MCPS work must satisfy significant suitability and background-screening requirements. |