Job Description :
Information Security Governance Manager
Los Angeles, California
Long Term


Qualifications:
Must have a Bachelor’s degree or combined education/experience as substitute for minimum education
Minimum of 7 years of directly related experience in Information Technology (or Information Security)
Experience performing, managing and running Information Security audits
Strong knowledge and understanding of Regulatory Compliance and Information Security control measures as defined in ISO 27001
Demonstrated knowledge and understanding of information security, security policies, account security policies and standards for logical and physical security implementations
Demonstrated working knowledge of risk assessment as it is applied to information security
Demonstrated knowledge of security architecture and risk framework principles and concepts
Demonstrated experience running a comprehensive security awareness program
Experience in a Federated or decentralized organization
Strong written communication and professional verbal communication skills
Typically possesses 10 years of experience in Information Technology (or Information Security)
Typically possesses GCIH/GSEC, CISM, CISA, CISSP, CRISC certifications
Typically possesses experience in Governance, Enterprise Risk Management and Regulatory Compliance domains
Typically possesses large complex industry related experience
Job Accountabilities:
Serves as a Subject Matter Expert (SME) on the organization’s strategy for the information security critical processes and associated tools, ensures the process aligns to regulatory, statutory and industry requirements and USC policy and data classification. Recommends programmatic and technical direction with a high degree of independence in matters relating to the investigation, impact and analysis of decisions regarding cyber security risk
Develops, operates and manages comprehensive Information Security strategies, standards, policies and programs to assess, prioritize and mitigate business risk. Leads the review and formal approval process for Policy updates. Coordinates updates to the Information Security Standards. Ensures Information Security Policy and Standard documents meet or exceed industry standards, compliance requirements and customer/client expectations
Assesses and manages the adequacy of the mitigation and remediation plans of known cyber security vulnerabilities and threats, aligning with the Information Security Governance & Risk Management (ISGRM) risk framework and processes
Owns, defines, leads and delivers information security governance across technologies, departments and data assets. Ensures any risk is identified, articulated and escalated through standard governance, mitigated and communicated to all stakeholders
Facilitates communication and execution of enterprise-wide information security programs and a comprehensive, multi-pronged security awareness training program. Provides regular guidance and advocacy for best practices for information security
Defines and executes an annual risk assessment plan, and obtains plan sign-off from key stakeholders across the university. Shows key milestones, metrics, KPIs, associated budget and resource impacts to continue an effective risk management program. Creates and maintains an agreed-upon Risk Appetite and Key Risk Indicators (KRIs) in line with the ISGRM Risk Framework
Manages design and implementation of an enterprise Data Loss Prevention Program (DLP). Ensures governance processes are in place to maintain DLP controls across the enterprise. Ensures that DLP controls manage risk in the changing threat landscape, meet business needs and client expectations, and regulatory expectations. Facilitates business rule reviews, threshold setting, and exception management
Engages in preparation of and participates in external and internal compliance audits (PCI DSS, HIPAA, NIST, ISO 27001:2013, etc.). Supports overall validation of adherence to policy and standards through control evaluation. Ensures compliance through assessment, remediation and escalation
Utilizes the risk assessment process to educate asset and process owners on information security risks, risk management and appropriate remediation options. Manages the risk acceptance process to ensure the implications of risk acceptance are understood, risks are accepted at the correct level within the organization, and risk acceptances are tracked and reported on throughout their lifecycle. Manages the risk exception process and regular review.
Manages and maintains a risk reporting framework for management teams and governance committees. Defines and manages the Key Performance Indicators (KPIs) to assure effectiveness and compliance across processes and process owners
Maintains awareness and knowledge of current changes within legal, regulatory, and technology environments which may affect operations. Ensures senior management and staff are informed of any changes and updates in a timely manner. Establishes and maintains appropriate network of professional contacts. Maintains membership in appropriate professional organizations and publications. Attends meetings, seminars and conferences and maintains continuity of any required or desirable certifications, if applicable
Develops and implements security related procedures such as office opening and closing routines, recognition of duress signals and key controls. Coordinates security activities with Department of Public Safety. Promotes and maintains standards for security conscious awareness and behavior. Maintains knowledge of University's crime prevention and suppression programs and services. Ensures dissemination of security related information to staff
Performs other duties as assigned or requested. The university reserves the right to add or change duties at any time
Preferred Qualifications
Bachelor’s Degree
10 years of experience in Information Technology (or Information Security)
GCIH/GSEC, CISM, CISA, CISSP, CRISC Certifications
Experience in presenting to SVP & C Suite Executives
Experience in Governance, Enterprise Risk Management and Regulatory Compliance domains
Large complex industry related experience

Minimum Education
Bachelor's Degree
Combined education/experience as substitute for minimum education

Minimum Experience:
7 years


Minimum Field of Expertise:
An in-depth understanding of information security, security policies, account security policies and standards for logical and physical security implementations. A basic knowledge of Regulatory Compliance as it affects the relevant industry. A good understanding of the information security control measures as defined in ISO-17799. A working knowledge of risk assessment as it is applied to information security. The ability to perform, manage and run information security audits. A sound understanding of security architecture and risk framework principles and concepts. Demonstrable experience in running a comprehensive security awareness program. Experience in a Federated or decentralized organization.