Information Security Manager-ORCA

Description

• Oversees and manages the ORCA ISMS and recommends appropriate mitigating controls.
• Manages approvals for Identity and Access Management (IAM) and Access Control Administration.
• It is the responsibility of all employees to follow the Agency safety rules, regulations, and procedures pertaining to their assigned duties and responsibilities, which could include systems, operations, and/or other employees.
• Facilitates a committee of Information Security SMEs across the ORCA Agencies to ensure both regional compliance and concurrence on information security-related matters, recommending solutions, and working from the regional ORCA perspective to achieve optimal solutions.
• Coaches, mentors, and develops future ROOT information security staff as the ISMS becomes complete and mature.
• Acts as Incident Commander for Security Incident Response activities, whenever the Information Security Incident Response Plan is invoked by the regional program; plays a stakeholder and oversight role if the plan is invoked by other partners or vendors.
• Utilizing personal computer software programs affecting assigned work and in compiling and preparing spreadsheets and reports.
• Generating metrics and preparing reports to facilitate decision-making on security-related activities.
• Interpreting and administering information security policies, standards, and procedures sufficiently to administer, discuss, resolve, and explain them to staff and other constituencies.
• Participates in information security incident investigation and response efforts; performs root‐cause analysis when incidents occur and prepare incident reports.
• Responding to inquiries with effective oral and written communication.
• Collaborates with the Systems Integrator, other vendors, and partner Agencies to ensure security best practices, standards, policies, and regulatory requirements are incorporated into core payment system design, implementation, and sustainment, as well as supports other future phase projects.
• The Agency promotes a safe and healthy work environment and provides appropriate safety and equipment training for all personnel as required.
• Establishing and maintaining collaborative working relationships with other department staff, management, vendors, and other stakeholders.
• Leading or supporting an Information Security Management System.
• Conducts regular security reviews of both software and processes, advising on information security practices. Reviews and creates threat models and recommends security enhancements consistent with information security strategy and evolving threats.
• Oversees Information Security Risk Management activities, including risk identification, assessment, and communication to relevant stakeholders.
• Supports external IT security audits and assessments that focus on ORCA operation.
• Documenting and explaining risks, recommendations, and incident data to technical stakeholders.
• Researching, analyzing, and evaluating new security processes, products, and techniques.
• As a member of the Change Advisory Board, evaluates change requests to determine potential impacts to Information Security, including IT systems, processes, and policies, and provides appropriate input to the Change Management process.
• Develops and maintains the ISMS in collaboration with regional information security SMEs and technical consultants.
• Provides valuable expertise and leadership directly to the governing ORCA Joint Board executive leadership, including sharing metrics to reflect the performance of the regional security program functions, executive risk score reports, and other guidance on a variety of information security topics.
• Guides security policy and participates in broader Information Security governance efforts for the ORCA partnership.
• Develops, updates, implements, and conducts information security training programs to support the ISMS objectives.
• Keeps up to date on latest information security trends, “best practices”, threats and countermeasures.

Requirements

• Knowledge of Governance, Risk, and Compliance (GRC) tools.
• Writing of technical documentation and standards, including skill in English usage, spelling, grammar, and punctuation.
• Working effectively under pressure, meeting deadlines, and adjusting to changing priorities.
• Champions and models Sound Transit's core values and demonstrates values-based behaviors in everyday interactions across the agency.
• Information Security Management Systems, and applicable industry standards (ISO 27001/2).
• Knowledge and understanding of developing and administering information-security standards, practices, audits, risk management, and policy compliance.
• Environments subject to the Payment Card Industry Data Security Standard (PCI DSS), including compliance-related duties.
• Strong understanding of IT Service Delivery (ITIL) core processes and methodologies.
• Working knowledge of cloud platforms and relevant security controls.
• Candidate should have excellent time management skills including the ability to prepare prioritize and complete work plans.
• Extensive knowledge of risk-based methodologies and one or more of the following frameworks: ISO 27001/2:2017, 27005:2011, and 31000; PCI-DSS; or NIST 800-53.
• Knowledge of one or more governance frameworks such as COBIT 5, ISO, NIST, or COSO.
• Principles, methods, and techniques used in the facilitation of managing projects and leading teams.
• Pertinent federal, state, and local laws, codes, and regulations; particularly those that affect information security for payment systems.
• Information Security Audit principles and practices.
• Other industry relevant certifications in the fields of information security, project management, auditing and/or risk management, such as the Certification in Risk and Information Systems Control (CRISC).
• In-depth knowledge of security software threats and vulnerability mitigation techniques.
• Relevant experience and detailed technical knowledge in security engineering, system and network security, authentication and security protocols, cryptography.
• At least one of the following (in valid status): Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Security Auditor (CISA).
• Principles of leadership, supervision, training, and performance evaluation.

Benefits

• Employee Assistance Program.
• Paid Time Off: Employees accrue 25 days of paid time off annually with increases at four, eight and twelve years of service. Employees at the director level and up accrue additional days. We also observe 12 paid holidays and provide up to 2 paid floating holidays and up to 2 paid volunteer days per year.
• Compensation Practices: We offer competitive salaries based on market rates and internal equity. In addition to compensation and benefits, you’ll find that we provide work-life balance, opportunities for professional development and recognition from your colleagues.
• ORCA Card: All full-time employees will receive an ORCA card at no cost.
• Long-Term Disability and Life Insurance.
• Inclusive Reproductive Health Support Services.
• Tuition Reimbursement: Sound Transit will pay up to $5,000 annually for approved tuition expenses.
• Health Benefits: We offer two choices of medical plans, a dental plan, and a vision plan all at no cost for employee coverage; comprehensive benefits for employees and eligible dependents, including a spouse or domestic partner.
• Retirement Plans: 401a – 10% of employee contribution with a 12% match by Sound Transit; 457b – up to IRS maximum (employee only contribution).
• Pet Insurance.
• Parental Leave: 12 weeks of parental leave for new parents.

Training + Development

Interview process

Visa Sponsorship

Security clearance