Chief Information Security Officer

Texas A&M University System, Austin, TX (Onsite)

About The Position

GENERAL DESCRIPTION: The Texas Division of Emergency Management (TDEM) is an emergency response entity, and this status can affect working hours, travel, and changes in duties as needed. Serves as the agency's Chief Information Security Officer (CISO). Exercises explicit authority to administer the information security requirements of the Texas Administrative Code agency-wide and establishes vision and direction for the agency’s cyber and cyber-related resources and operations. Employees are subject to working extended hours during evenings and weekends. This position is considered at-will status and serves at the discretion of the head of the agency. Salary is a fixed rate and is non-negotiable. This position is located on-site and is not subject to telecommuting.

ESSENTIAL JOB DUTIES AND RESPONSIBILITIES:

  • Develop and maintain an agency-wide information security program, and associated information security rules and procedures, that address the requirements of the agency’s information security policies and risks.
  • Supervise or manage protective or corrective measures when a cybersecurity incident or vulnerability is discovered.
  • Provide guidance and assistance to senior agency officials, information owners, information custodians, and end users concerning their responsibilities under agency information security policies, and communicate the value of information security throughout all levels of the organization.
  • Work with business and technical resources to ensure that security controls are utilized to address all applicable requirements of agency information security policies and risks.
  • Develop and recommend rules and establish procedures and practices, in cooperation with the agency CIO, information owners, and custodians, necessary to ensure the security of information and information resources against unauthorized or accidental modification, destruction, or disclosure.
  • Provide for training and direction of personnel with significant responsibilities for information security with respect to such responsibilities.
  • Ensure that annual information security risk assessments are performed and documented by information owners.
  • Review the agency’s inventory of information systems and related ownership and responsibilities.
  • Coordinate the review of the data security requirements, specifications, and, if applicable, third-party risk assessment of any new computer applications or services that receive, maintain, and/or process moderate- or high-impact data.
  • Verify that security requirements are identified, and that risk mitigation plans are developed and contractually agreed and obligated, prior to the purchase of information technology hardware, software, and systems development services for any new high-impact computer applications or computer applications that receive, maintain, and/or process moderate- or high-impact data.
  • Report, at least annually, to the agency Chief on the status and effectiveness of security controls.
  • Inform affected parties in the event of noncompliance with agency information security policies.
  • Represent the agency at State, Texas A&M System, and private-sector cybersecurity events.
  • Under the direction of the System CISO, represent the A&M System at system member institutions during unusual occurrences or incidents where an information security officer is not available.
  • Issue exceptions to information security requirements or controls in agency information security policies.
  • Maintain a regular work schedule and work extended hours and/or on weekends as needed.
  • Perform related work as assigned.
  • Ability to travel (5%).

This document represents the major duties, responsibilities, and authorities of this job, and is not intended to be a complete list of all tasks and functions. Other duties may be assigned.

Requirements

  • Education – Bachelor’s degree in computer science, computer information systems, business administration, information assurance, informatics, or related field; or equivalent combination of education and experience.
  • Experience – Ten (10) years operational information security management experience involving security assessments, Tier 2/3 security operations, network/security operations, fundamental operations, managing and changing business processes, and aligning strategy and performance metrics to organizational mission.
  • Two (2) of the ten (10) years must include working as an ISO in a major organization.
  • Certification – CISSP, CISM, GSLC, C|CISO, or equivalent DoD 8570.01-M IAM Level III certification.
  • Knowledge of risk management processes.
  • Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
  • Knowledge of emerging cyber threats, risks, and vulnerabilities.
  • Knowledge of specific operational impacts of cybersecurity lapses.
  • Knowledge of what constitutes a network attack and a network attack’s relationship to both threats and vulnerabilities.
  • Knowledge of capabilities, applications, and potential vulnerabilities of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware.
  • Skill in creating policies that reflect information security objectives.
  • Skill in communicating with all levels of management (e.g., interpersonal skills, approachability, effective listening skills, appropriate use of style and language for the audience).
  • Skill to remain aware of evolving technical infrastructures and anticipate new security threats.
  • Skill to use critical thinking to analyze organizational patterns and relationships.
  • Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.
  • Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives and exercise judgment when policies are not well-defined.
  • Ability to tailor technical and planning information to a customer’s level of understanding.
  • Ability to prioritize and allocate cybersecurity resources correctly and efficiently.
  • Ability to relate strategy, business, and technology in the context of organizational dynamics.
  • Ability to understand technology, management, and leadership issues related to organization processes and problem solving.
  • Ability to ensure information security management processes are integrated with strategic and operational planning processes.
  • Ability to ensure that senior officials within the organization provide information security for the information and systems that support the operations and assets under their control.
  • Complete and obtain certification in IS-100, IS-200, IS-700, IS-800 and Professional Development Series or Emergency Management Professionals Program Basic Academy FEMA courses within twelve (12) months of employment and any other training as determined.

Nice To Haves

  • Master’s degree in cybersecurity or equivalent field.
  • CISSP-ISSMP or equivalent DoD 8570.01-M cyber security service provider (CSSP) manager certification.
  • Texas public-sector information/cyber security experience, including experience participating in incident management or response.
  • Additional work experience of the type described above may be substituted for the education requirement on a year-for-year basis.
  • Thirty (30) semester hours is equivalent to one (1) year of experience.
