The Information System Security Manager (ISSM) serves as the IT cybersecurity leader for the company. The primary responsibilities of the ISSM are to:
Serve as the leader of the security risk management framework (RMF) function for CRI.
Manage the internal and external security profile of the company’s infrastructure and systems and provide security assurance leadership.
Serve as the security administrator for CRI; review and assess risks and vulnerabilities, rate their criticality, and recommend remediations as the security subject matter expert.
Serve as Program Manager to coordinate, facilitate, and organize all aspects of our compliance and audit program, which includes SOX, PCI, FISMA and ISO, as well as our ATO.
Responsible for both the internal and external security of the company’s information systems and physical security.
Must be able to identify, initiate, and influence changes to the company’s security profile, structure, performance and protection as needed to ensure safety of the company’s assets and resources.
Conduct annual PCI and FISMA compliance program reviews for certification and accreditation.
Responsible for the day-to-day review and assessment of risks and vulnerabilities being reported by third parties and determining criticality and timing for corrective action.
Develop and implement a Risk Assessment Methodology for a decentralized application environment.
Develop security control metrics, in addition to producing any other necessary information security reports (e.g., reports from firewalls, intrusion detection and prevention systems, and security information and event management systems).
Draft and maintain documentation relating to network and security processes, or assign that work, and proactively track the development, maintenance, and changes to security policies, procedures, processes, and work instructions.
Advise the company of potential, possible or probable security breaches.
Keep abreast of new technological challenges, as well as new developments in system protection and recognized IT security-related standards.
Ability to communicate security concepts to a technical and non-technical audience.
Conduct periodic audits and due diligence checks of systems to evaluate new vulnerabilities and define solutions.
Provide information and training, including company-wide communications to staff, in areas of security breaches and other threats.
Advise senior management about the status of security systems.
Coordinate with infrastructure admins on the maintenance of firewalls, security devices, and other infrastructure.
Responsible for development, modification, and operation of the IDS and IPS.
Provide security training to all new hires.
Provide technical security support to Business Areas and IT staff on products, projects, applications, and services as required.
Participate in monthly patching and security updates as required to keep environment secure.
Create and maintain accurate technical documentation and checklists relating to procedures and controls.
Ability to work with extremely sensitive information and assist HR or executive management with investigations as required.
Sense of ownership and urgency with a strong passion to protect the company from cyber threats, risks and exposures. An equal passion to maintain the audit and compliance programs with top level quality and current certifications.
Provide security experience and knowledge including, but not limited to, the following: Active Directory, Exchange, Hyper-V, File and Print sharing, VOIP, Application server support, Client-side OS support, Email services, Security and Spyware protection services, Virus protection, Firewall configuration, Backup and Recovery service, URL and Content Filtering.
Develop disaster recovery plans and serve as the disaster recovery crisis incident leader, both for tests and in the event of an actual disaster.
Monitor the company's intrusion detection and prevention system and keep it current with technological advances.
Monitor operations to ensure compliance with all government regulations.
Supervise the Security Incident Response Team (SIRT); review reports of any incidents, evaluate the response, and recommend modifications to protocols as required.
Recommend physical security and IT assurance best practices.
Track and report the status of all audit, compliance, and vulnerability items.
Communicate the risks of exposures to the VP of IT and Executive team as needed.
Ability to work independently.
Provide project leadership and management for assigned IT projects and tasks.
Other duties as assigned.
Education, Experience, and Qualifications:
Bachelor's degree in a related field with 4 or more years' experience in network and system administration and working knowledge of key security standards, or equivalent experience as a security professional.
General knowledge of infrastructure and application security standards and best practices.
Deep understanding of FISMA and PCI, with the ability to discuss them at a detailed level as a SME.
Understanding of NIST publications, with expertise in NIST SP 800-53.
US Citizenship is required per the contract.
Strong people and communication skills.
Must be willing and able to work outside of core business hours, as needed.
Travel within the United States may be required.