Basic Function - The Director, IT Security performs two core functions for the enterprise. The first is overseeing the operations of the enterprise’s security solutions through management of the organization’s PCI security policies and procedures. The second is establishing an enterprise security stance through policy, architecture and training processes. Secondary tasks will include the selection of appropriate security solutions, and oversight of any vulnerability audits and assessments. The Director, IT Security is expected to interface with peers in the Applications and Infrastructure Groups of IT as well as with the leaders of the business units to both share the corporate security vision with those individuals and to solicit their involvement in achieving higher levels of enterprise security through information sharing and cooperation.
Strategy & Planning
- Creates and maintains the enterprise’s security architecture design including PCI compliance standards.
- Creates and maintains the enterprise’s security awareness training program.
- Creates and maintains the enterprise’s security documents (policies, standards, baselines, guidelines and procedures).
- Participates in validating/defining Sarbanes Controls of security and ensuring the controls are followed.
- Performs information security risk assessments and serves as an internal auditor for security issues.
- Implements information security policies and procedures for the organization.
Acquisition & Deployment
- Maintains up-to-date knowledge of the IT security industry including awareness of new or revised security solutions, improved security processes and the development of new attacks and threat vectors.
- Selects and acquires additional security solutions or enhancements for existing security solutions to improve overall enterprise security as per the enterprise’s existing procurement processes.
- Oversees the deployment, integration and initial configuration of all new security solutions and any enhancements to existing security solutions in accordance with standard best operating procedures generically and the enterprise’s security documents specifically.
- Ensures the confidentiality, integrity and availability of the data residing on or transmitted to/from/through enterprise workstations, servers and other systems and in databases and other data repositories.
- Ensures the enforcement of enterprise security documents.
- Takes responsibility for all security access provisioning throughout the enterprise and works to ensure reasonable SLAs are achieved in approving and setting up end user security profiles/access.
- Supervises all investigations of problematic activity and provides ongoing communication with senior management.
- Supervises the design and execution of vulnerability assessments, penetration tests and security audits.
- Coordinates a location-by-location effort to ensure all locations are PCI compliant using internal network engineers, field application personnel and/or 3rd party vendors for the following:
- Analyzing all garage facilities that accept payment cards for compliance with the PCI DSS and PA DSS
- Documenting network environments at facilities, identifying compliance gaps and developing solutions
- Working with field managers, equipment vendors and 3rd party service providers to implement and thoroughly test compliance solutions
- Provides analysis/documentation, identifies compliance gaps, and implements solutions for more complex locations (i.e. airports, universities).
- Provides relationship management of 3rd party service providers (e.g. Trustwave).
- Designs and documents processes and procedures that help maintain PCI compliance while keeping garage network downtime at a minimum.
- Reviews exception logs and responds appropriately to any data breaches or threats of a data breach.
- Performs regular security awareness training for all employees to ensure consistently high levels of compliance with enterprise security documents.
- Leads Incident Response Team.
- Engages in ongoing communications with peers in the Systems and Networking groups, as well as the various business groups to ensure enterprise wide understanding of security goals, to solicit feedback and to foster co-operation.
Formal Education & Certifications
- College diploma or university degree in the field of computer science and/or 5 years equivalent work experience.
- One or more of the following certifications:
- GIAC Security Essentials Certification
- GIAC Security Leadership Certification
- ISACA Certified Information Security Manager
- Microsoft Certified Systems Engineer: Security
Knowledge & Experience
- Extensive proven experience in enterprise security architecture and secure network design.
- Extensive proven experience with PCI DSS guidelines and working with financial institutions to achieve compliance.
- Strong ability to communicate PCI guidelines to non-technical executives and staff.
- Extensive experience in enterprise security document creation.
- Experience in designing and delivering employee security awareness training.
- Experience in managing a staff of 3-5 individuals including staff development.
- Experience in working with internal and external vulnerability scanning and the resulting closure of all vulnerabilities, working with the infrastructure team.
- Working technical knowledge of Cisco, Barracuda, Fortinet, and other firewall technologies including management and monitoring.
- Working technical knowledge of a variety of OS including Windows and Linux.
- Strong understanding of IP, TCP/IP, and other network administration protocols. Ability to work effectively with Network teams to improve security of corporate network.
- Proven analytical and problem-solving abilities.
- Ability to effectively prioritize and execute tasks in a high-pressure environment. Deliver on projects as assigned within the time frame needed.
- Good written, oral, and interpersonal communication skills.
- Ability to conduct research into IT security issues and products as required.
- Ability to present ideas in business-friendly and user-friendly language.
- Highly self-motivated and directed. Delivers projects with minimal supervision. Take-charge individual.
- Keen attention to detail.
- Ability to effectively work with peers within IT as a member of the team.
- Ability to develop/mentor current security administrators in developing their skills and knowledge of function.
- Team-oriented and skilled in working within a collaborative environment.