Information Security Officer
$82,450.00 – $126,950.00
Orlando, FL – VLC
Job Description Summary:
Our Mission is to deliver a high quality, technology-based education that provides the skills and knowledge students need for success.
FLVS does not discriminate in admission or access to, or treatment or employment in its programs and activities on the basis of race, color, religion, age, sex, national origin, marital status, disability, genetic information or any other reason prohibited by law.
Position General Summary:
The Information Security Officer reports to the CEO. The Information Security Officer manages the development and implementation of global security policies, standards, guidelines, and procedures to ensure ongoing maintenance of security. Information protection responsibilities include enterprise security architecture, data access, data protection and monitoring policies, employee education and awareness, and periodic risk assessment.
The Information Security Officer will establish an enterprise information security strategy and overarching risk management framework for the organization and direct the implementation and monitoring of information security standards and policies. The Information Security Officer is responsible for establishing and maintaining the information security program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected in the digital ecosystem in which we operate.
For complete Job Description please visit: www.FLVS.net/Careers
Essential Position Functions and Responsibilities:
Establish Governance and Build Knowledge
- Facilitate an information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.
- Provide regular reporting on the current status of the information security program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program, thus supporting business outcomes.
- Work with the vendor management office to ensure that information security requirements are included in contracts by liaising with vendor management and procurement organizations.
- Create and manage a targeted information security awareness training program for all employees, contractors and approved system users, and establish metrics to measure the effectiveness of this security training program for the different audiences.
- Understand and interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management.
- Provide clear risk mitigating directives for projects with components in IT, including the mandatory application of controls.
- Lead the security champion program to mobilize employees in all locations.
Lead the Organization
- Lead the information security function across the company to ensure consistent and high-quality information security management in support of the business goals.
- Determine the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas.
- Manage the budget for the information security function, monitoring and reporting discrepancies.
- Manage the cost-efficient information security organization, consisting of direct reports and dotted-line reports (such as individuals in business continuity and IT operations). This includes hiring (and conducting background checks), training, staff development, performance management and annual performance reviews.
Set the Strategy
- Develop an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization’s business objectives and ensure senior stakeholder buy-in and mandate.
- Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/or processed by the organization.
- Assist with the identification of non-IT managed IT services in use (“citizen IT”) and facilitate a corporate IT onboarding program to bring these services into the scope of the IT function, and apply standard controls and rigor to these services; where this is not possible, ensure that risk is reduced to the appropriate levels and ownership of this information security risk is clear.
- Work effectively with business units to facilitate information security risk assessment and risk management processes and empower them to own and accept the level of risk they deem appropriate for their specific risk appetite.
Develop the Frameworks
- Develop and enhance an up-to-date information security management framework based on the following: COBIT/Risk IT and National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- Create and manage a unified and flexible control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards and regulations.
- Develop and maintain a document framework of continuously up-to-date information security policies, standards and guidelines. Oversee the approval and publication of these information security policies and practices.
- Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets.
- Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the information security program, and review it with stakeholders at the executive and board levels.
Information Security Administration:
- Leads and develops a team that provides global coordination and oversight of divisional and business unit Information Risk Management processes and strategies
- Accountable for defining enterprise policy, developing technology architecture, implementing global controls and monitoring/reporting of performance
- Coordinates audit and regulatory inquiries and external vendor activities to help represent the Company from an information security, recovery and technology risk management perspective
- Participates in leading industry forums and consortiums to represent business interests and set standards/practices
- As head of the information risk function, is accountable for information security, recovery and technology risk vendor relationship management, product selection and negotiation of high-level contracts and consulting agreements to provide services and capabilities for the protection of organization assets globally
- Develop, maintain, and administer the FLVS Information Security Program, policies, procedures, standards, and guidelines to ensure compliance with applicable requirements. Periodically assess the effectiveness and relevance of the existing security policies, providing modifications to existing policies and new policies as required
- Develop, maintain and administer FLVS’s Information Security Awareness program for agency employees. Collaborate with other staff as needed in Security Awareness Training and initiatives
- Oversee and manage security projects and initiatives to enhance the security of the FLVS computing infrastructure and systems
- Oversee and approve changes to security settings and standards for FLVS firewall and perimeter defenses in conjunction with IT and/or third-party cloud providers
- Develop and maintain the strategic information security plan and operational security plans. Approve security plans specific to FLVS applications and systems.
- Administer vulnerability scanning and remediation activities for existing web applications and new application development
- Manage any staff members assigned to the Enterprise Security Management section who are responsible for ensuring the security of FLVS’s computing infrastructure
Information Security Incident Response Team (ISIRT) Administration:
- Manage the Information Security Incident Response Team (ISIRT), responsible for incident response planning, investigation and root-cause analysis of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary
- Coordinate ISIRT team activities and periodic meetings to discuss and remediate security incidents
- Administer the reporting of ISIRT incidents to agency Executive Leadership
IT Disaster Recovery Plan Administration/IT Continuity of Operations Plan:
- Oversee the development and maintenance of the agency’s Disaster Recovery Plan, including working with various functional areas in IT for disaster recovery planning and/or testing, working with business units to develop business continuity plans
- Align the disaster recovery plan with the FLVS’s Continuity of Operations Plan (COOP)
- Liaise with the Data Center and third-party cloud providers and staff for coordination of disaster recovery activities
Risk Mitigation and Audit Support:
- Periodically conduct and update a comprehensive risk assessment to determine the security threats to the data, information, and information technology resources of FLVS.
- Provide assistance and information as requested by General Counsel, Executive Director, Human Resources in support of audit activities.
- Work with outside entities, as appropriate, for independent security audits
- Advise the President/CEO, General Counsel, and CIO of security issues and/or breaches. Advise them of security weaknesses and recommend solutions.
External Liaison Support:
- Serve as the FLVS point of contact for all information security matters.
- Participate in periodic meetings of Education and State of Florida Agency Information Security Managers to discuss issues related to enterprise security
- Maintain relationships and serve as a point of contact for information security matters with other local, state, federal and law enforcement agencies, etc.
- Manage, control, direct, and supervise assigned direct reports, including general leadership, planning, organizing, and reviewing
- Meet professional obligations through efficient work habits such as meeting deadlines, honoring schedules, coordinating resources and meetings in an effective and timely manner, and demonstrating respect for others
- All work responsibilities are subject to having performance goals and/or targets established
(These essential functions are not to be construed as a complete statement of all duties performed. Employees will be required to perform other job-related duties as required.)
- Bachelor’s degree; or equivalent combination of education and relevant experience
- CISSP and/or CISM Certification.
- Seven years’ IT and Network Security experience
- Three years’ Project Management experience
- 7+ years of professional experience in running an information security function, including analyzing and applying information security risk, risk management, and privacy practices
- 8+ years of relevant work experience, including consulting and general industry experience
- 8+ years of experience working with national and international regulatory compliance frameworks such as ISO, SOX, BASEL II, EU DPD, HIPAA, and PCI DSS
- Extensive experience in strategic planning, budgeting, and allocation
- Previous military, law enforcement, or national security experience preferred
- Audit, Compliance, or Governance experience, preferred
Knowledge, abilities and skills:
- An ability to motivate and manage a team of information security staff supporting the organization’s goals and an ability to lead the process of developing an information security vision for the future
- An ability to cultivate and build collaborative working relationships with a broad range of enterprise stakeholders
- A well-developed understanding of and appreciation for business needs and a commitment to leading the information security team in delivering high-quality, prompt, and efficient service to the business
- A well-developed understanding of and appreciation for organizational mission, values, and goals and consistent application of this knowledge
- Strong decision-making capabilities, with a proven ability to weigh the relative costs and benefits of potential actions and identify the most appropriate one
- An ability to effectively influence others to modify their opinions, plans, or behaviors
- An ability to communicate complex and technical issues to diverse audiences, orally and in writing, in an easily-understood, authoritative, and actionable manner
- A working knowledge of the following areas of technical expertise: information policy formulation, information security management, business risk management, IT risk assessment and management, IT continuity management, IT governance formulation, organizational change management, IT financial management and IT audit
- Knowledge of pertinent data and information recovery law
- Skill in implementing information security policies and procedures for the organization
- Knowledge and skill with business continuity planning, auditing, and risk management
- Knowledge of systems administration processes, tools and disciplines
- Knowledge of industry best practices for managing server environments in a secure manner
- Knowledge of operating system and/or telecommunication concepts
- Knowledge of information security best practices
- Knowledge of encryption technologies and file transfer protocols
- Knowledge of project management and control
- Knowledge of the concepts and theories of information processing
- Knowledge of IT Infrastructure Library (ITIL) concepts
- Ability to supervise people
- Ability to analyze and interpret technical data
- Ability to effectively lead and motivate people
- Ability to handle multiple priorities
- Process development, implementation and improvement skills
- Strong teamwork and interpersonal skills; ability to communicate and thrive in a cross-functional environment
- Demonstrated ability to apply technology solutions to business processes
- Effective written and verbal communications skills
Physical Requirements and Environmental Conditions:
- Frequency of travel: Occasional travel is required for meetings, trainings and conferences; location may vary and may require overnight stays
- Light physical activities and efforts required working in an office environment
(Reasonable accommodations will be made in accordance with existing ADA requirements for otherwise qualified individuals with a disability.)
To apply for this job please visit flvs.wd1.myworkdayjobs.com.