Class Code: AM85
General Nature of Work

Develops organizational security policies and strategy that are aligned to agency mission, goals, and objectives.

Guidelines for Class Use/Distinguishing Characteristics

This class is intended for use at the senior to executive-level for positions that exercise organization-wide authority and accountability for information security goals and business objectives.

Examples of Work

Implements and manages a strategic, comprehensive enterprise information security and IT risk management program. Manages the agency's security compliance program requirements. Advises agency executive leadership on information system risks and their impacts on the agency's mission, goals, and objectives. Develops, maintains, and publishes up-to-date security program resources such as strategies, plans, policies, standards, and guidelines. Oversees training, dissemination, and enforcement of security program resources and related activities. Facilitates information security governance, risk, and compliance program strategies that integrate with the business objectives of the agency. Creates, communicates, and implements a risk-based process for vendor risk management, service acquisition, and consumption, including assessment and treatment of risks that may result from partners, consultants, hosted services (e.g., cloud), and other service providers. Identifies, communicates, and enforces requirements for IT security and services. Creates a framework for roles and responsibilities regarding information ownership, classification, accountability, and protection. Works directly with customers, stakeholders, and executive management to achieve information system risk assessment and risk management objectives. Leads activities such as projects and work efforts that address risks in a manner that reduces overall risk to acceptable levels. Integrates security considerations into agency procurements. Oversees the selection, development, deployment, monitoring, maintenance, and enhancement of the agency's security technology. Oversees the performance of IT risk assessments, audits, security incident investigations, and responses.

Knowledge, Skills and Abilities

Expert-level knowledge of information system security with the ability to apply that knowledge at the enterprise level. Strong knowledge of project management, security assessment, risk management, and service oversight. Expert technical knowledge of on-premises and hosted (e.g., cloud) technology solutions and services, application and operating system hardening, vulnerability assessments, system security audits, and incident response, resolution, and recovery activities. Expert analytical and problem-solving skills. Expert knowledge and understanding of information risk concepts and principles as a means of relating business needs to security controls. Expert-level understanding of information protection technologies and processes. Excellent documentation and presentation skills. Ability to explain information security concepts to audiences with varying degrees of knowledge in the field.

Minimum Requirements

A bachelor's degree in information technology systems, computer science, or related field and experience in the information technology field to include experience in a security-focused role. Relevant experience may be substituted for the bachelor's degree on a year-for-year basis.

Fed Category: E2
Band: 09
Salary:
Minimum: $83,219.00
Midpoint: $118,596.00
Maximum: $153,973.00