Reporting to the Chief Information Officer, the Chief Information Security Officer (CISO) is responsible for the overall organizational security strategy, security program oversight and security architecture development for the organization. The scope of this role covers all utilized security technologies and services, including protection services, perimeter defenses, physical and logical access control, and user profile management of all employees, contractors and visitors. As the organization's senior security officer, this person also has enterprise-level responsibility for all data/information security policies, standards, evaluations, roles, and organizational awareness. The CISO will work closely with the designated Privacy Officer and Legal to ensure that technological and physical access controls effectuate the organization's data privacy policies. The incumbent will work with business, risk management, and technical stakeholders in the development and implementation of a security strategy designed to provide a high level of security over physical facilities and data processing while preserving and enhancing facility and system usability. The incumbent must be able to develop and implement flexible security solutions, dictated by the needs of a hybrid and rapidly evolving business environment.

Position Responsibilities:

IT Security Program -
- Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets
- Investigate and implement proactive and innovative approaches as appropriate, ensuring the security program adequately safeguards the organization against advanced threats.
- Provide leadership through strong working relationships and collaboration to develop strategic goals for information security compliance and risk mitigation.
- Liaise with external agencies as necessary to ensure the organization maintains a strong security posture against relevant threats and an evolving threat landscape.
- Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, support appropriate resource allocation, and continuously increase the maturity of the information security program.
- Lead the internal Information Security Committee.
Policies, Procedures, Standards, and Guidelines -
- Lead and coordinate the development and maintenance of information systems security policies, procedures, standards, and guidelines, ensuring compliance with federal and state laws and regulations.
- Analyze new federal and state statutory requirements and other security initiatives to determine the changes necessary for adoption/compliance, and make appropriate recommendations.
- Establish a security framework and ensure policies, procedures, standards, processes and controls adhere to framework requirements.
- Establish monitoring and assessment processes to ensure compliance and adherence to established security policies, procedures, and standards.
Incident Management -
- Develop and maintain the Incident Management Plan and escalate possible incidents to the Security Incident Response Team (SIRT).
- Ensure monitoring of security-related information sources for security alerts; assess security breaches/events, oversee appropriate corrective actions, inform the campus community, and identify needed changes based on new security technologies or threats.
- Serve as the liaison with external agencies and organizations, including law enforcement, as needed for incident response and planning.
Threat and Risk Management -
- Ensure that threat and vulnerability resources and technology proactively monitor potential threats and vulnerabilities 24x7, and that protection controls are implemented in a timely and appropriate manner to safeguard and maintain business operations.
- Identify and assess risks in implementing business innovations, and provide an assessment of those risks to business stakeholders.
- Design and execute penetration tests and security audits.
- Support continuous monitoring activities, vulnerability scans, policy and procedure updates, configuration/incident management, and training.
- Coordinate responses to security audit requests from participant organizations and institutions, and ensure any identified remediation activities are implemented within committed timeframes.
- Create a risk-based process for assessing and mitigating information security risk associated with, but not limited to, supply chain partners, vendors, customers, and other third parties.
- Monitor compliance with the organization's information security policies and procedures among employees, contractors, alliances, and other third parties.
- Facilitate and support the development of asset inventories, including information assets in cloud services and other parties included as part of the organization's technology environment.
Leadership -
- Develop, motivate and provide leadership and direction to all staff.
- Interview and select qualified candidates for job openings in compliance with applicable employment laws.
- Monitor employee performance and provide on-going formal and informal feedback. Draft and administer staff performance evaluations in a timely manner.
- Conduct weekly staff meetings to ensure all staff are informed of any company and/or departmental changes and updates.
- Reward employees using formal and informal methods. Approve staff leave requests and timesheets and resolve employee attendance and performance concerns.
- Oversee project teams dealing with IT security issues, optimizing the contribution of the people involved.
Communications, Training, and Outreach -
- Oversee the development and implementation of training programs and communications to make systems, network, and data users aware of and understand security policies and procedures.
- Facilitate monthly Information Security Council meetings.
- Work with legal, risk and compliance staff to ensure all information owned, collected, and controlled by or on behalf of the company is processed and stored in accordance with applicable laws and other regulatory requirements.
- Collaborate and liaise with the Privacy Officer to ensure that data privacy requirements are included in the security program.
Research and Analysis -
- Lead or conduct special projects or studies related to information systems security.
- Stay well-informed of best practices in the IT security field; coordinate and/or evaluate new and emerging security practices and technologies, and recommend and promote their adoption as appropriate.
- Provide expert advice related to information and systems security to the CIO and other executives, and serve as an internal consulting resource on information security issues.
Other Duties -
- Serve as a member of the CIO's Executive Leadership Team.
- Represent the organization with federal, state, local, and professional organizations in the area of IT security.