Position Purpose: This role is responsible for the overall development and implementation of the organization's security program: selecting the appropriate security framework in alignment with the organizational strategy, implementing the security controls through a pragmatic, risk-based approach, and continually adapting the security program and influencing strategic direction to maintain an acceptable risk level for the organization. This role serves as the key leader on information security for the organization and works closely with the enterprise risk management group. The director is responsible for growing and sustaining a security group.
The Senior Information Security Officer is tasked with anticipating new threats and actively working to prevent them from occurring. The role must work with other executives across different departments to ensure that security systems are working smoothly to reduce the organization's operational risks in the face of a security attack.
The Senior Information Security Officer's duties may include conducting employee security awareness training, developing secure business and communication practices, identifying security objectives and metrics, choosing and purchasing security products from vendors, ensuring that the company is in regulatory compliance with the rules for relevant bodies, and enforcing adherence to security practices.
Other duties and responsibilities include ensuring the company's data privacy is secure, managing the Computer Security Incident Response Team and conducting electronic discovery and digital forensic investigations.
This is a full-time, exempt position working Monday through Friday with core hours from 8:00 am to 5:00 pm. The position will report to our Director of Enterprise IT.
- Set the vision and strategy for the security program then seek organizational agreement and commitment
- Build and sustain an effective security organization and a team to execute on the security program
- Create and maintain the required security policies, standards and procedures and bring about organizational governance to those policies
- Create and maintain an effective security awareness program for the organization
- Deploy and maintain the appropriate security controls in collaboration with our business and IT leaders, using a risk-based approach that is aligned with the organizational strategy and priorities
- Serve as the security subject matter expert for internal organizational needs and, as needed, for external entities
- Lead the organization through all required security audits (internal and external) to achieve the required compliance state
- Provide an ongoing measure of the security and compliance posture through KPIs and other metrics
- Through continued training, professional events, and networking, stay aware of and tuned to current and emerging threats to our industry, and apply the security best practices necessary to defend against those threats
- Write or review security-related documents, such as incident reports, proposals, security standards, policies, and procedures in alignment with regulatory and organizational requirements
- Assist in disaster planning, disaster testing, and contingency planning
- Conduct, support, or assist in governmental or regulatory reviews, internal corporate evaluations, audits, or assessments of the overall effectiveness of the facility's security processes
- Train BTS or other organization members in security rules and procedures
- Identify, investigate, or resolve security breaches
- Collect and analyze security data to determine security needs, security program goals, or program accomplishments
- Ensure that IT systems and practices comply with security policies and regulations
- Communicate security status, updates, and actual or potential problems, using established protocols
- Prepare reports or make presentations on internal investigations, incidents, events, or violations of regulations, policies and procedures
- Analyze and evaluate security operations to identify risks or opportunities for improvement
- Operate within TASC’s guidelines pursuant to the Employee Handbook and all Policies and Procedures
- Perform additional duties as assigned
- Knowledge and experience with one or more major security frameworks such as NIST (800-53, CSF, 800-171), HITRUST, ISO 27001, etc.
- Knowledge and experience with one or more security standards such as PCI and HIPAA
- Skilled in interacting with all the areas of the organization and negotiating the security requirements in alignment with the business needs and organizational priorities
- Experience in managing a secure software development life cycle (SSDLC) and applying security best practices and required controls
- Knowledge and understanding of all the elements of traditional enterprise systems architecture as well as cloud-based system deployments, including commercial, FedRAMP, and government cloud deployments
- Strong experience with security capabilities and controls (tools, processes, skills) needed to secure those systems
- Skilled in planning, prioritizing, and organizing work to lead from concept through implementation
- Bachelor's degree or higher from an accredited college, university, or vocational college in computer science or a related discipline
- Eight or more years of IT experience with five or more years of security experience
- Three or more years of leadership experience
- CISM certification or equivalent; CISSP a plus
- Working knowledge and experience with NIST, HITRUST, ISO 27001, HIPAA, PCI
- Ability to obtain a public trust, fiduciary, or government security clearance
Corporate Core Competencies:
- Adaptability - Adapts to change, is open to new ideas, takes on new responsibilities, handles pressure, and adjusts plans to meet changing needs
- Initiative - Deals with problems as they arise, focusing energy and resources on those situations until resolved; identifies new opportunities and takes action; takes on new responsibilities when needed
- Results Focus - Can be counted on to meet or exceed goals; pushes self and others for results; is a conscientious worker who can be relied upon to handle unforeseen obstacles
- Customer Focus - Meets internal and external customer expectations; delivers upon commitments; builds customer confidence; follows through on requests, gaining trust and respect
- Ethics/Integrity - Is seen as a direct, truthful individual; adheres to appropriate core values at all times; acts in line with those values; rewards the right values and disapproves of others; practices what he/she preaches.