Enterprise Security Manager

Print (https://www.governmentjobs.com/careers/indianapolis/jobs/newprint/4314998)

Apply



Enterprise Security Manager

Salary

$87,402.16 Annually

Location

City County Building, IN

Job Type

Full Time

Job Number

08002

Department

Information Services Agency

Opening Date

12/14/2023

Closing Date

Continuous

• Description

• Benefits

Position Summary

The Information Services Agency (ISA) serves as the IT service provider and solutions advisor for City-County agencies and departments. The purpose and mission of ISA is to provide information technology services to the city and county. ISA helps each of the city and county agencies and departments achieve their mission through technology solutions. ISA aligns its objectives with the business of city and county partners to provide accessible and reliable services to local citizens, businesses, and visitors. The agency can do this by cultivating a productive, collaborative, and compliant work environment ensuring our Enterprise is prepared to meet the needs of the constituents of Indianapolis and Marion County.

Position is responsible for collaborating with supported agencies and departments on Cybersecurity strategy, helping to ensure secure Enterprise and Department-level Configuration and Supply Chain Management for IT Services and solutioning. Position manages the development of standards, best-practices, guidelines, and policies for how those services, solutions, and their accompanying data, should be implemented and maintained in the future in line with ISA’s IT Governance Plan. Additionally, this position has a keen eye toward the future, understanding the Enterprise (or Agency) vision as it applies to Information Security, Governance, Risk, and Compliance and manages the Enterprise Architecture Controls required to ensure the integrity/validity of the Enterprise Security Program. The Enterprise Security Manager consistently works with Enterprise, Domain (Business, Systems, Network, Data, Application), and Solution Architects and teams, ISA leadership, Legal Counsel, 3rd Party vendors and ISA-supported business units on efforts that will help to establish a mature Information Security program which is Business-outcome driven. Position will have principal responsibility for managing the design, modification, and ongoing administration of the Enterprise Security Program. The Enterprise Security Manager is quick on their feet, a strategic thinker who is willing to challenge assumptions while simultaneously advocating for best IT security practices. An extremely high degree of independent judgment is required for making decisions. There will be instances where policies, procedures, rules, and regulations do not exist for all situations that could be encountered. Errors in judgment will adversely affect the perception and image of the City-County relating to the use and operations of network systems and technology. Incumbent must have the ability to make appropriate decisions considering the relative costs, risks, and benefits of potential actions. Independent judgment is utilized and may represent the Chief Information Security Officer at planning, management and/or customer meetings. Position reports to the ISA CISO.

All applicants will be considered for employment without attention to race, color, religion, sex, sexual orientation, gender identity, national origin, veteran, or disability status. We value diversity in perspectives and experiences among colleagues and the residents of this city of whom we serve.

Position Responsibilities

• Facilitate an information security governance structure through the implementation and management of a hierarchical governance program, including the formation of an information security steering committee

• Directly supports and champions the City-County’s goals of diversity, equity, and inclusion by ensuring compliance with Federal and State compliance frameworks impacting equity and inclusion (e.g., Section 508, WCAG certification, etc.) Ensures that operational security does not negatively impact the City-County’s stated goals of diversity, equity, and inclusion

• Manage and support an information security awareness training program for employees, contractors, and approved system users, and establish metrics to measure the effectiveness of this security training program for the different audiences

• Work to ensure that information security requirements are included in contracts by working with the CISO, ISA counsel, purchasing and the procurement teams

• Manage the information security function across the City-County enterprise to ensure consistent and high-quality information security management in support of the business goals

• Manage the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of nondigital risk areas

• Assist in the management of the budget for the information security function, monitoring, and reporting discrepancies

• Collaborate in the development of an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensure senior stakeholder buy-in and mandate

• Develop, implement, and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy, and recovery of information assets owned, controlled, or/and processed by the organization

• Work effectively with business units to facilitate information security risk assessment and risk management processes, and empower them to own and accept the level of risk they deem appropriate for their specific risk appetite

• Manage and enhance an up-to-date information security management framework based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework

• Manage a unified and flexible control framework to integrate and normalize the wide variety and ever- changing requirements resulting from global laws, standards, and regulations

• Manage a document framework of continuously up-to-date information security policies, standards, and guidelines.

• Manage a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the information security, and review it with stakeholders at the executive and board levels

• Collaborate with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well informed of the relevant threats identified by these agencies

• Manage the enterprise architecture team building alignment between the security and enterprise architecture, ensuring that information security requirements are implicit in these architectures and security is built in by design. Coordinate and communicate the enterprise architecture with the Enterprise IT Operations team to ensure smooth IT governance throughout the ITIL delivery cycle

• Manage a risk-based process for the assessment and mitigation of any Enterprise information security risk posed by supply chain partners, vendors, consumers and any other third parties

• Manage the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings

• Ensure that security is embedded in the project delivery process by providing the appropriate information security policies, practices, controls, and guidelines

• Manage technology dependencies outside of direct organizational control. This includes reviewing contracts and the creation of alternatives for managing risk

• Manage and contain information security incidents and events to protect City-County IT assets, confidential information, regulated data, and the City-County's reputation

• Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action

• Coordinate the development of implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provide direction, support, and in-house consulting in these areas

• Assists in setting strategic direction for information security initiatives, processes, and standards

• Assist in the establishment of enterprise architecture standards, processes and procedures based on industry standards

• Researches, evaluates, and drives next-generation security technologies and concepts to keep supported enterprise security architecture ahead of the curve

• Builds relationships and collaborates with other functional areas across ISA to ensure all visions are aligned and in compliance with the ISA enterprise information security program

• Conduct and attend project meetings to provide security and governance input throughout project lifecycles

• Participate in the decision-making in areas of secure network design, access/authentication controls, IaaS (Infrastructure As A Service) and others

• Mange the creation and annual review for unit-level disaster recovery (DR) and business continuity plans (BCP); Provides advice in consultation with Infrastructure team for IT solutioning for business continuity

• Creates, refines, delivers, and champions information security standards to be used throughout the enterprise that balance business needs and external requirements

• Ensure through creation or delegation that all security-related documentation is complete, current, and stored appropriately

• Analyzes enterprise-wide development needs and management of an architecture governance process

• Autonomously prepare reports and audit findings remediation plans in response to Internal audits, penetration tests or vulnerability scans

• Reports to executive team the effectiveness of data security as implemented by internal and external business partners and makes recommendations or proposals for the adoption of new procedures or controls.

• Manages security event investigations producing Incident Response Documentation and ensure corrective actions are implemented

• Manages Day to Day security services through Managed Services Provider and Direct Reports

• Monitors changes in the legislative, regulatory, and contractual landscape to ensure that the information security program is always at least one step ahead

• Must always maintain confidentiality

• Manages EA, Security team and program

• This list of duties and responsibilities is not intended to be all-inclusive and may be expanded to include other duties or responsibilities that management may deem necessary from time to time

Qualifications

Bachelor’s Degree in Information Technology, Computer Science, Informatics, Computer Programming, Information Assurance and Compliance, or a related field with ten (10+) years of IT-related work experience in large, complex technical environments. Demonstrable experience designing or managing an Enterprise IT security and compliance program. Strong understanding of security tenets, such as encryption/key management, network design, access control and incident containment. Knowledge of the intricacies related to National Institute of Standards and Technology (NIST) best practices, CIS Benchmarks, the SANS Institute’s ten security domains, Payment Card Industry Data Security Standard (PCI DSS) and state privacy laws. Ability to maintain strict confidentiality. Excellent written and verbal communication skills, including the ability to interact with team members at all levels within City and County Government from the end user to senior leadership.Ability to think analytically and creatively. Ability to look at all situations objectively. Ability to work independently with minimum direction in a fast-paced environment as well as collaborate effectively while maintaining an "options before obstacles" mindset.

Preferred Job Requirements and Qualifications

Experience in other parts of IT as an administrator or engineer in a non-security role. Experience with hosted and cloud services, especially Software-as-a-Service (SaaS) and Platform-As-A-Service (PaaS), and the related security implications and control approaches with an emphasis on hyper-converged systems. Thorough understanding of governance, compliance, and risk management principles and processes. Industry certifications, such as ITIL 4 Strategist (Direct, Plan, Improve), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), GIAC Security Essentials (GSEC), Certified Information Security Manager (CISM), Payment Card Industry Professional (PCIP), etc. Demonstrable experience in policy and standard creation and acceptance.