SGR Job Board





Chief Information Security Officer/Assistant Director - City of College Station, TX (ID: 344627)

Title Chief Information Security Officer/Assistant Director
Type IT/MIS
Date Posted 2019-11-15
City / Organization City of College Station, TX
Website Click Here for the Position Listing
Email Contact recruiting@cstx.gov
Description

JOB SUMMARY

Under the general guidance of the Chief Information Officer (CIO), the Chief Information Security Officer (CISO) is responsible for establishing and maintaining the information security program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected in the digital ecosystem of the City of College Station. The CISO is responsible for identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing business objectives.

The CISO will proactively work with business units and partners to implement practices that meet agreed-on policies and standards for information security. The CISO will be responsible for implementing and running the enterprise information security program.

 

PRINCIPAL JOB DUTIES

  1. Establish information security governance and build knowledge by implementing an information security steering committee or advisory board. Provide regular reports to the City’s senior management as part of a strategic enterprise risk management program, thus supporting business outcomes. Work with the City’s Legal and Fiscal Affairs Department to ensure that information security requirements are included in contracts by liaising with vendor management and procurement organizations. Create and manage a targeted information security awareness training program for all employees, contractors and approved system users, and establish metrics to measure the effectiveness of this security training program for the different audiences.
  2. Understand and interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management.
  3. Provide clear risk-mitigating directives for projects with components in IT, including the mandatory application of controls.
  4. Assist the Chief Information Officer in formulating and implementing Information Security policies, programs, procedures, and standards for the City.
  5. Lead the information security function at the City to ensure consistent and high-quality information security management in support of the business goals. Determine the information security approach and operating model in consultation with departments and aligned with the risk management approach and compliance monitoring of non-digital risk areas.
  6. Manage the budget for the information security function, monitoring and reporting discrepancies.
  7. Manage a cost-efficient information security organization, consisting of direct reports and/or indirect reports (such as individuals in business continuity and IT operations). This includes hiring, training, staff development, performance management and annual performance reviews.
  8. Develop an information security vision and strategy that is aligned to City priorities and enables and facilitates the organization's business objectives, and ensure senior stakeholder buy-in and mandate.
  9. Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/or processed by the City.
  10. Assist with the identification of non-IT managed IT services in use ("citizen IT") and facilitate an IT onboarding program to bring these services into the scope of the IT function, and apply standard controls and rigor to these services; where this is not possible, ensure that risk is reduced to the appropriate levels and ownership of this information security risk is clear.
  11. Work effectively with business units to facilitate information security risk assessment and risk management processes, and empower them to own and accept the level of risk they deem appropriate for their specific risk appetite.
  12. Develop and enhance an up-to-date information security management framework based on best industry practices. 
  13. Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of information security, and review it with stakeholders at the executive and board levels.
  14. Create the necessary internal and external networks among the information security team and line-of-business executives, compliance, audit, physical security, legal and HR management teams as well as industry experts.
  15. Perform related duties as assigned. 

     

JOB QUALIFICATIONS

Required: Bachelor’s Degree in computer science or related field and five (5) years' experience in the information technology, computing, and communications environment; and two (2) years' Information Security administration experience; or an equivalent combination of education and experience.

Valid Texas Driver’s License

Ability to communicate clearly and effectively, both verbally and in writing

Ability to analyze and assess programs, policies and operational needs and make appropriate adjustments

Information Technology Infrastructure Library (ITIL) Foundation Certification, or the ability to obtain within twelve (12) months of employment

Professional security management certification, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials, or the ability to obtain one or more security management certifications within 12 months of employment

Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework

Ability to establish and maintain effective working relationships

Preferred: Master’s Degree in computer science, public administration or business

Familiar with the structure and various functions of City government.

 

SPECIAL REQUIREMENTS:

Drug Screening: Due to the safety and/or security sensitive nature of this position, individuals shall be subject to pre-employment or pre-placement drug and/or controlled substance testing as outlined in City policy.

Additional Criminal Background Screening Required: In addition to the standard pre-employment criminal background check, individuals receiving a conditional offer for this position shall be subject to a fingerprint-based background screening due to the required access to secured buildings and/or secure data systems.


Job Post Expiration Date: December 15, 2019

All jobs posted are considered open until filled and may close at any time except as stated in the Job Description.