Job Description:
Short Description:
Candidate serves as an Information Security Risk Manager (ISRM) within the Information Security Office of Pennsylvania’s Infrastructure and Economic Development (I&ED) IT Delivery Center. Work location is at The Server Farm.
Complete Description:
*The PO for this req goes through 9/30/20
*First round, in-person interviews are required for this position
*The agency prefers candidates local to the Harrisburg, PA area
*Work hours are somewhere between 8AM – 5PM (some flexibility on start, lunch and end times)
*Disregard the 11/5/18 start date. This particular req was put on hold on 10/25/18 and eventually reopened and again put on hold on 3/8/19. The anticipated start date is 2 weeks from an offer
*Do not resubmit candidates from previously similarly released req #: 593101

Overview
Collaborative Influence: works collaboratively with staff, agencies and peers to further enterprise initiatives and objectives.
Embraces Challenge: operates as a change agent in the enterprise by continually seeking ways to improve how services are offered in a cost-effective manner. Embraces change opportunities while encouraging staff to do the same.
Earns Trust: operates in a trustworthy manner such that they earn the trust of their peers, their staff, and the enterprise.
Enables Performance: enables the objectives of peers and agencies who have specific objectives to accomplish by removing barriers and enabling or improving key services.
Informed Judgement: overcomes situations where decisions need to be made with little information; the individual in this position should feel comfortable making strategic decisions with the information currently available.
Thinks Horizontally: seeks to work horizontally across the enterprise to solve and prevent problems collectively and leverage the collective expertise contained in the organization.

Job Responsibilities
The successful candidate manages information security risk throughout the risk lifecycle for a NIST-based governance structure and provides risk-based decision-making information to organizational stakeholders. Balances risk with reward to business processes to ensure security while maintaining agility within IT lifecycles.
• Responsible for conducting IT audits applicable to the state agencies supported within the I&ED IT Delivery Center. Assesses the degree to which information security controls are in place and functioning as intended; systems and processes are effective/efficient; and compliant with Commonwealth policies and legislative/regulatory requirements.
• Reports on issues of non-compliance and participates in corrective action plans to remediate non-compliance and meet the organization’s operational resiliency requirements.
• Performs analysis of information systems to identify gaps in information security controls.
• Collaborates with key stakeholders to determine, justify, document, and monitor exceptions and risks.
• Analyzes data for sensitivity and value to protect it according to the state data classification schema.
• Performs access reviews to maintain the correct level of user privileges.
• Utilizes risk assessment methods and tools to identify the likelihood and severity of negative impact events potentially occurring. Prioritizes risks according to the calculated risk and develops risk mitigation recommendations or plans.
• Participates in site tests and surveys to ensure facilities are appropriately sited to minimize environmental risks.
• Evaluates and reports on access control processes to determine the effectiveness of protection of organization facilities and assets. Assists in the review of physical controls to ensure sufficient protection of organization facilities and assets.
• Monitors and prepares reports for leadership on identified risks and opportunities to ensure the business will be successful.
• Identifies critical information assets within the organization, and provides recommendations regarding business continuity, recovery, and resources needed to continue or resume operations and manage the impact of disruptive events.
• Evaluates a variety of industry standard security/risk assessment reports (NIST CSF/800-53, ISO 27001, SOC 2 Type II, etc.) and reviews contract language to identify gaps in 3rd party vendor information security controls.
• Provides consultative expertise to business unit owners of key vendor relationships by providing actionable intelligence on the information security findings. Makes recommendations regarding vendor issue remediation and continued vendor relations.
• Recommends enhancements to the information security program based on results from risk analysis, key risk indicators, key performance indicators, and findings articulated in various security audits, assessments, and tests.
• Promotes awareness of risk-based issues among management, employees, and other stakeholders to ensure sound security principles are reflected in the organization’s vision and goals.
• Provides information security advice and guidance to leadership and employees in the organization.

Requirements
• Professional Information Security Risk Management or Information Technology Auditing experience in large-scale environments – Required, 3 years
• Professional oral and written communication skills – Required
• Excellent soft skills such as observation, listening, presenting, negotiating, and documenting – Required
• Experience with one or more industry standard security/risk frameworks (NIST, COBIT, ISO, etc.) – Required
• Holds at least one of the following:
  • Bachelor’s degree in an Information Technology related field (a focus/concentration in cybersecurity, risk management, or auditing is preferred)
  • Certified in Risk and Information Systems Control (CRISC) Certification
  • Certified Information Systems Security Professional (CISSP) Certification
  • GIAC Information Security Professional (GISP) Certification
  • GIAC Systems and Network Auditor (GSNA) Certification
  • Certified Information Security Manager (CISM) Certification
  • Certified Information Systems Auditor (CISA) Certification