Vulnerability Management Analyst (Information Security Specialist 2)

Salary: $77,379.00 - $117,497.00 Annually
Location : Dauphin County, PA
Job Type: Civil Service Permanent Full-Time
Job Number: CSSC-2026-50087-01518
Department: Executive Offices
Division: EX OA Entrprs Info Scy Off
Opening Date: 06/03/2026
Closing Date: 6/16/2026 11:59 PM Eastern
Job Code: 01518
Position Number: 00047176
Union: Non Union
Bargaining Unit: A3
Pay Group: ST09
Bureau / Division Code: 00812072
Bureau / Division: Enterprise Information Security Office
Worksite Address: 400 North Street
City: Harrisburg, Pennsylvania
Zip Code: 17120
Contact Name: Matthew Zyroll
Contact Phone: View phone number on click.appcast.io
Contact Email: View email address on click.appcast.io


THE POSITION
The Vulnerability Management Analyst position with the Office of Administration offers a chance to protect state systems while growing valuable technical skills. in this vital role, you will actively participate in actions that reduce the threat landscape and help reduce risk to the Commonwealth and its data. You will join a team that works to spot and prevent weaknesses before they become problems. Apply today and support the safety of digital tools used across the Commonwealth.
DESCRIPTION OF WORK
This role focuses on scanning technology, identifying risks, and supporting the security of Commonwealth systems. As a Vulnerability Management Analyst, you will perform the following duties:

• Scan Oversight: Conduct vulnerability scans across hosts, applications, and networks
• Asset Coverage: Review configurations and ensure all Commonwealth assets receive required assessments
• Issue Resolution: Troubleshoot problems that occur during or after scanning activities
• Data Review: Analyze scan results and other information to reduce vulnerabilities and risk
• Tool Management: Support management of scanners, agents, and information security software
• Team Support: Assist analysts who perform application level scanning and help maintain security standards

Interested in learning more? Additional details regarding this position can be found in the position description
Work Schedule and Additional Information:

• Full-time employment
• Work hours are 8:00 AM to 5:00 PM, Monday - Friday, with 60-minute lunch.
• Telework: You may have the opportunity to work from home (telework) part-time. Position will be required to work in the office two days per week. In order to telework, you must have a securely configured high-speed internet connection and work from an approved location inside Pennsylvania. If you are unable to telework, you will have the option to report to the headquarters office in Harrisburg. The ability to telework is subject to change at any time. Additional details may be provided during the interview.
• Salary: In some cases, the starting salary may be non-negotiable.
• You will receive further communication regarding this position via email. Check your email, including spam/junk folders, for these notices.

REQUIRED EXPERIENCE, TRAINING & ELIGIBILITY
QUALIFICATIONS

Minimum Experience and Training Requirements:

• One year as an Information Security Specialist 1 (Commonwealth job title or equivalent Federal Government job title, as determined by the Office of Administration); or
• Three years of experience performing technical work in information technology security, and an associate's degree in any information technology field; or
• One year of experience performing technical work in information technology security, and a bachelor's degree in any information technology field; or
• An equivalent combination of experience and training.

Other Requirements:

• This particular position also requires two or more years of full-time professional experience troubleshooting Enterprise networks or Enterprise network related issues.
• You must meet the PA residency requirement. For more information on ways to meet PA residency requirements, follow the link and click on Residency Guidelines.
• You must be able to perform essential job functions.

Legal Requirements:

• You must pass a background investigation and meet Criminal Justice Information Services (CJIS) compliance requirements.
• A conditional offer of employment will require an in-depth Pennsylvania State Police background check.

How to Apply:

• Resumes, cover letters, and similar documents will not be reviewed, and the information contained therein will not be considered for the purposes of determining your eligibility for the position. Information to support your eligibility for the position must be provided on the application (i.e., relevant, detailed experience/education).
• If you are claiming education in your answers to the supplemental application questions, you must attach a copy of your college transcripts for your claim to be accepted toward meeting the minimum requirements. Unofficial transcripts are acceptable.
• Your application must be submitted by the posting closing date. Late applications and other required materials will not be accepted.
• Failure to comply with the above application requirements may eliminate you from consideration for this position.
• All application materials and interview responses must reflect the applicant's own experience, qualifications, and work. Applicants may use generative AI tools for preparation purposes only. Use of AI to misrepresent or falsify information, or to assist during interviews, is not permitted. Review the Guidance for Generative AI Tools & Job Seekers for additional information.

Veterans:

• Pennsylvania law (51 Pa. C.S. §7103) provides employment preference for qualified veterans for appointment to many state and local government jobs. To learn more about employment preferences for veterans, go to and click on Veterans.

Telecommunications Relay Service (TRS):

• 711 (hearing and speech disabilities or other individuals).

If you are contacted for an interview and need accommodations due to a disability, please discuss your request for accommodations with the interviewer in advance of your interview date.
The Commonwealth is an equal employment opportunity employer and is committed to a diverse workforce. The Commonwealth values inclusion as we seek to recruit, develop, and retain the most qualified people to serve the citizens of Pennsylvania. The Commonwealth does not discriminate on the basis of race, color, religious creed, ancestry, union membership, age, gender, sexual orientation, gender identity or expression, national origin, AIDS or HIV status, disability, or any other categories protected by applicable federal or state law. All diverse candidates are encouraged to apply.

EXAMINATION INFORMATION

• Completing the application, including all supplemental questions, serves as your exam for this position. No additional exam is required at a test center (also referred to as a written exam).
• Your score is based on the detailed information you provide on your application and in response to the supplemental questions.
• Your score is valid for this specific posting only.
• You must provide complete and accurate information or:
  • your score may be lower than deserved.
  • you may be disqualified.
• You may only apply/test once for this posting.
• Your results will be provided via email.

Learn more about our Total Rewards by watching this short !
See the total value of your benefits package by exploring our


Health & Wellness

We offer multiple health plans so our employees can choose what works best for themselves and their families. Our comprehensive benefits package includes health coverage, vision, dental, and wellness programs.*

Compensation & Financial Planning
We invest in our employees by providing competitive wages and encouraging financial wellness by offering multiple ways to save money and ensure peace of mind including multiple retirement and investment plan options.


Work/Life Balance
We know there's more to life than just work! Our generous paid leave benefits include paid vacation, paid sick leave, eight weeks of paid parental leave, military leave, and paid time off for most major U.S. holidays, as well as flexible work schedules and work-from-home opportunities.*


Values and Culture
We believe in the work we do and provide continual opportunities for our employees to grow and contribute to the greater good. As one of the largest employers in the state, we provide opportunities for internal mobility, professional development, and the opportunity to give back by participating in workplace charitable giving.

Employee Perks
Sometimes, it is the little "extras" that make a big difference. Our employees receive special employee-only discounts and rates on a variety of services and memberships.

For more information on all of these Total Rewards benefits, please visit and click on the benefits box.

*Eligibility rules apply.
01



Additional Requirement: Do you possess a minimum of two years of professional experience with vulnerability scanning or management of vulnerability scan data?

• Yes
• No

02


If you indicated YES to the question above, please describe the details of the experience you possess. Please be sure to address the items listed below in your response. The claimed experience must also be provided within the experience section of your application. If you indicated NO to the question above, type N/A in the box below.

1. The name(s) of the employer(s) where you gained this experience
2. The specific duties you performed related to experience with vulnerability scanning or management of vulnerability scan data
3. Your level of responsibility

03


Have you been employed by the Commonwealth of Pennsylvania as an Information Security Specialist 1 for at least one full year?

• Yes
• No

04


If you are claiming experience in the above question, please list the employer(s) where you gained this experience in the text box below. The employer(s) and a description of the experience must also be included in the appropriate sections of your application if you would like the experience to be considered in the eligibility decision. If you claimed you do not have experience, type N/A in the text box below.
05


How many years of full-time technical information technology security experience do you possess?

• 1 year or more
• 6 months to less than 1 year
• Less than 6 months
• No experience

06


If you are claiming experience in the above question, please list the employer(s) where you gained this experience in the text box below. The employer(s) and a description of the experience must also be included in the appropriate sections of your application if you would like the experience to be considered in the eligibility decision. If you claimed you do not have experience, type N/A in the text box below.
07


How much graduate education do you possess in information technology security?If you are claiming credits/degree, you must upload a copy of your college transcript(s) for this education to be considered in the eligibility decision. Unofficial transcripts are acceptable. You must attach your transcript(s) prior to the submission of your application by using the "Attachments" tab on the left. You will not be able to add a transcript(s) to the application after it has been submitted.
If your education was acquired outside of the United States, you must upload a copy of your foreign credential evaluation report. We can only accept foreign credential evaluations from organizations that are members of the National Association of Credential Services (NACES). A list of current NACES members can be found by visiting and clicking the Evaluation Services Link.


You must attach your documentation prior to the submission of your application by using the "Attachments" tab on the left. You will not be able to add a document to the application after it has been submitted.

• A conferred master's degree
• 30 credits or more
• 15 credits but less than 30
• Some graduate coursework
• None

08


You must complete the supplemental questions below. These supplemental questions are the exam and will be scored. They are designed to give you the opportunity to relate your experience and training background to the major activities (Work Behaviors) performed in this position. Failure to provide complete and accurate information may delay the processing of your application or result in a lower-than-deserved score or disqualification. You must complete the application and answer the supplemental questions. Resumes, cover letters, and similar documents will not be reviewed for the purposes of determining your eligibility for the position or to determine your score.
All information you provide on your application and supplemental questions is subject to verification. Any misrepresentation, falsification or omission of material facts is subject to penalty. If requested, you must provide documentation, including names, addresses, and telephone numbers of individuals who can verify the validity of the information you provide in the application and supplemental questions.

Read each question carefully. Determine and select which "Level of Performance" most closely represents your highest level of experience/training. List the employer(s)/training source(s) from your Work or Education sections of the application where you gained this experience/training. The "Level of Performance" you choose must be clearly supported within the description of the experience and training information entered in your application or your score may be lowered. In order to receive credit for experience, you must have worked in a job for at least six months in which the experience claimed was a major function.


If you have read and understand these instructions, please click on the "Yes" button and proceed to the exam questions.

If you have general questions regarding the application and hiring process, please refer to our

• Yes

09



WORK BEHAVIOR 1 - SECURITY PLANNING
Plans and implements information technology security programs such as enterprise identity and access management systems or infrastructure. Recommends and justifies hardware and software upgrades and enhancements to ensure systems and data are appropriately protected.

Levels of Performance

Select the Level of Performance that best describes your claim.

• A. I have experience planning AND implementing information technology security programs.
• B. I have experience implementing information technology security programs; however, someone else was responsible for the initial program plan.
• C. I have successfully completed college-level coursework related to project planning and implementation or project management.
• D. I have NO experience or coursework related to this work behavior.

10


In the text box below, please describe your experience as it relates to the level of performance you claimed in this work behavior. Please be sure your response addresses the items listed below which relate to your claim. If you indicated you have no work experience related to this work behavior, type N/A in the box below.

1. The name(s) of the employer(s) where you gained this experience.
2. The specific duties you performed related to security planning.
3. The type(s) of security projects you planned and/or implemented.
4. Your level of responsibility.

11


If you have selected the level of performance pertaining to college coursework, please provide your responses to the three items listed below. If you indicated you have no education/training related to this work behavior, type N/A in the text box below.

1. College/University
2. Course Title
3. Credits/Clock Hours

12



WORK BEHAVIOR 2 - SECURITY DESIGN AND CUSTOMIZATION
Designs or customizes information technology security programs to ensure the confidentiality, integrity, and availability of systems, networks, servers, and data. Develops detailed functional or technical specifications used to outline the access and interaction among programs, the operations each program is authorized to use, the level of protection that is required, and action required when established requirements are not met.

Levels of Performance

Select the Level of Performance that best describes your claim.

• A. I have experience designing AND customizing information technology security programs to ensure the confidentiality, integrity, and availability of systems, networks, servers, or data.
• B. I have experience customizing information technology security programs to ensure the confidentiality, integrity, and availability of systems, networks, servers, or data. Someone else was responsible for the initial design of the program.
• C. I have successfully completed college-level course work related to information security concepts and security design.
• D. I have NO experience or coursework related to this work behavior.

13


In the text box below, please describe your experience as it relates to the level of performance you claimed in this work behavior. Please be sure your response addresses the items listed below which relate to your claim. If you indicated you have no work experience related to this work behavior, type N/A in the box below.

1. The name(s) of the employer(s) where you gained this experience.
2. The specific duties you performed related to designing and/or customizing security programs.
3. The type(s) of security programs you designed and/or customized.
4. Your level of responsibility.

14


If you have selected the level of performance pertaining to college coursework, please provide your responses to the three items listed below. If you indicated you have no education/training related to this work behavior, type N/A in the text box below.

1. College/University
2. Course Title
3. Credits/Clock Hours

15



WORK BEHAVIOR 3 - SECURITY MONITORING AND TESTING
Monitors and tests network or system performance and identifies security deficiencies and threats. Manages security threats by ensuring corrective actions are implemented to resolve associated issues and risks. Coordinates with developers or architects to ensure security is appropriately built into software.

Levels of Performance

Select the Level of Performance that best describes your claim.

• A. I have experience monitoring and testing applications and systems. I was responsible for managing security threats and ensuring corrective action was taken.
• B. I have experience monitoring and testing applications and systems. I was responsible for notifying the appropriate staff of security threats so corrective action could be taken.
• C. I have successfully completed college-level coursework related to information security monitoring or testing, cybersecurity, or risk mitigation.
• D. I have NO experience or coursework related to this work behavior.

16


In the text box below, please describe your experience as it relates to the level of performance you claimed in this work behavior. Please be sure your response addresses the items listed below which relate to your claim. If you indicated you have no work experience related to this work behavior, type N/A in the box below.

1. The name(s) of the employer(s) where you gained this experience.
2. The specific duties you performed related to monitoring and/or testing networks/systems for security deficiencies/threats.
3. The type(s) of corrective action you took to manage or resolve issues/risks.
4. Your level of responsibility.

17


If you have selected the level of performance pertaining to college coursework, please provide your responses to the three items listed below. If you indicated you have no education/training related to this work behavior, type N/A in the text box below.

1. College/University
2. Course Title
3. Credits/Clock Hours

18



WORK BEHAVIOR 4 - TECHNICAL ASSISTANCE
Responds to escalated incidents by troubleshooting and diagnosing security issues and coordinates with end users and service providers to resolve issues. Provides advice and guidance to business areas on the importance and financial impact of security threats. Researches current security solutions and informs management of emerging technologies.

Levels of Performance

Select the Level of Performance that best describes your claim.

• A. I have experience troubleshooting, diagnosing, and resolving escalated information technology issues. I was responsible for responding to complex technical questions and providing guidance as necessary.
• B. I have experience troubleshooting, diagnosing, and resolving information technology issues. I was responsible for responding to questions and resolving routine issues but referred more complex technical questions and issues to someone else for resolution.
• C. I have successfully completed college-level coursework related to information technology troubleshooting.
• D. I have NO experience or coursework related to this work behavior.

19


In the text box below, please describe your experience as it relates to the level of performance you claimed in this work behavior. Please be sure your response addresses the items listed below which relate to your claim. If you indicated you have no work experience related to this work behavior, type N/A in the box below.

1. The name(s) of the employer(s) where you gained this experience.
2. The specific duties you performed related to the technical assistance you provided.
3. The type(s) of issues you diagnosed, troubleshot, and/or resolved.
4. Your level of responsibility.

20


If you have selected the level of performance pertaining to college coursework, please provide your responses to the three items listed below. If you indicated you have no education/training related to this work behavior, type N/A in the text box below.

1. College/University
2. Course Title
3. Credits/Clock Hours

Required Question