Information Security Manager at San Diego Metropolitan Transit System (MTS) (San Diego, CA)

The Information Security Manager (ISM) is responsible for leading the implementation and support of formal Information Security frameworks and will take a central role in promoting a culture of information security throughout the Agency. The ISM will ensure the Agency has the protections and controls to effectively ensure the Confidentiality, Integrity and Availability (CIA) of information resources. The ISM will serve a critical role in optimizing the Agency's security posture to protect information resources from attack, theft, damage or unauthorized access. The ISM will lead the Agency in the adoption and use of strong security measures to protect MTS's sensitive information, systems and resources, while balancing this with the ease of staff and stakeholder access to sensitive information and the efficient use of computer systems. Essential duties include, but are not limited to, the following:

Responsibilities

Essential Functions

• Implements and maintains the ISO/IEC 27000 Information Security Framework, Information Security Management System (ISMS) and achieves ISO 27000 compliance.
• Identifies legal and regulatory standards with which the Agency must comply and reports on this compliance (e.g., Payment Card Industry (PCI), Personally Identifiable Information (PII), Health Insurance Portability and Accountability Act (HIPAA), etc.).
• Maintains in-depth knowledge of technology, business operations, information security best practices, regulations and policies as set forth by federal, state and local entities to ensure compliance and develops and implements risk mitigation strategies.
• Develops the MTS information security strategic plan, performs annual information security assessments and investigates information security incidents.
• Creates and updates the Information Security Advisory Management Report annually and presents this to the Information Technology Advisory Committee (ITAC).
• Institutes and delivers information security orientation and ongoing annual awareness training for all staff.
• Provides direction on and oversight of all MTS departments' handling of secure information and adherence to best practices. Performs assessments, reports compliance and directs remediation activities.
• Applies knowledge and experience of information security, management and risk assessment to establish and maintain a standard, agency-wide information security policy, governing controls, methods, practices, procedures and tools.
• Advises the Agency on emerging threats and risks to enterprise systems and continually assesses the security of those systems throughout their lifecycle. Provides recommendations for enhancing security and countering new threats and vulnerabilities.
• Manages vendors, develops Independent Cost Estimates (ICE), creates Scopes Of Work (SOW), Requests For Proposal (RFP) or Information (RFI), etc.
• Provides information security management, project leadership and oversight (e.g., performs risk analysis, risk detection and response, scope of work, delivers security controls and protection or similar functions).
• In conjunction with Risk and Legal, the ISM develops compliance control and risk mitigation programs to ensure that risks are contained to acceptable levels. Assists the MTS Internal Auditor with information security audits throughout the Agency.
• In partnership with the IT Department, the ISM leads the implementation of controls and procedures to protect information assets from unauthorized or accidental modification, disclosure or destruction.
• Collaborates with Legal and Procurement departments on all information security components of MTS contracts to ensure that proposed technology meets applicable standards of security.
• Creates and administers an information security review process for new facilities, information technologies and environments.
• Participates in the development, implementation and ongoing compliance monitoring of any information-sharing relationships to ensure all security requirements and responsibilities are met.
• Conducts regular technical assessments of systems and infrastructure, including conducting security audits, ASV scans, penetration testing, compliance reports, phishing, etc. Summarizes findings from analyses and audits such that they can be easily used to drive remediation actions.
• Leads information security-centric crisis preparedness exercises. Leads and coordinates information security incident responses, provides accurate, comprehensive and timely communications of each incident's containment, reporting, assessment, investigation and post-incident analysis.
• In partnership with the Agency, develops and maintains a Business Continuity Plan that meets the identified data loss standards for unplanned downtime.

Qualifications

Special Skills/Knowledge

• Must be self-disciplined and a self-starter and able to work independently.
• Skill in building and maintaining relationships at all levels of management, from the executive leadership team to analysts, technicians, customers and vendors in order to achieve consensus among diverse audiences with competing goals and objectives.
• Extensive experience leading the implementation and support of formal ISO/IEC 27000 information security frameworks.
• Advanced knowledge of and experience in developing and overseeing enterprise-level information security plans, policies, standards, guidelines, methods and practices based on current industry standards, best practices, tools and techniques.
• Advanced knowledge of and experience with current and emerging information security products. Current knowledge of security threats, attack methodologies, security principles, best practices and defense techniques.
• Advanced knowledge of and experience in working with laws and regulations that affect information security including HIPAA, PII and PCI Security, Standards, Compliance and Privacy rules including Compensating Controls.
• Strong knowledge of Incident Analysis and Response concepts and techniques.
• Knowledge of key security capabilities such as e-forensics, logging/SIEM, risk management, PKI, IPsec, vulnerability management, continuous monitoring, disaster recovery, network and endpoint security.
• Excellent planning, documentation and organizational skills. Excellent customer service skills as well as a sense of urgency when resolving issues. Excellent clear and effective communication and interpersonal skills.

Experience/Education/Certificates/License(s)

Possess a bachelor's degree from an accredited university in Computer Science, Information Systems, Cybersecurity, Risk Management or a related field. A master's degree is highly desirable, but not required. Active IT Security certifications including CISSP, CISM and/or CISA or equivalent are required. Knowledge of Information Technology Infrastructure Library (ITIL) methodology. A minimum of 10 years of direct Information Technology experience of which at least two (2) years must be in a managerial position. A minimum of five (5) years of professional experience in Information Security focused roles. A combination of education and experience will be considered. Must possess and maintain a valid California driver's license.

DISCLAIMER: The above described job elements are intended to indicate the general nature and levels of work being performed by employees assigned to the job. They are not intended to be an exhaustive list of duties, responsibilities and skills required of employees so classified. Management retains the discretion to add to or change the duties of the position at any time.

by via developer jobs - Stack Overflow