Plan, direct, implement and manage the Countywide Information Security Program that includes security awareness, risk assessment, business impact analysis, disaster recovery, and business resumption; protect the confidentiality, integrity, and availability of the County’s information assets; develop and implement information and communications security standards, guidelines, and procedures.
This is a single position classification responsible for the management and oversight of the Countywide Information Security Program.
SUPERVISION RECEIVED AND EXERCISED
Receives administrative direction from the Chief Information Officer.
Exercises direct supervision over supervisory, professional, technical, and clerical staff.
EXAMPLES OF ESSENTIAL DUTIES
Duties may include, but are not limited to, the following:
Supervise the information technology security program team; manage the daily operational functions of the program.
Maintain and continually revise the Countywide Information Security Program and related policies.
Establish the Countywide cyber security roadmap, ensuring policies are followed.
Perform role of HIPAA Security Officer; attend monthly and quarterly meetings; review contracts for information security compliance; prepare HIPAA training; review and update countywide HIPAA policies.
Maintain current knowledge of developing security threats; train management and staff on security risks and vulnerabilities.
Lead investigations into suspicious County network activity; recommend and execute remediation steps.
Develop and manage Countywide security awareness training.
Develop and maintain the Countywide Business Continuity Plan; conduct business impact analysis for each County department and perform disaster recovery tests.
Develop, administer, and maintain security program budget; monitor expenditures; implement adjustments to expenditures.
Direct and manage the work of consultants; manage program contracts and purchases; set expectations and priorities and monitor outcomes.
Perform security assessment on new and proposed projects.
Organize and communicate with the Cyber Security Incident Response Team (CSIRT) under the leadership of the Chief Information Officer (CIO).
Contract with and supervise third party penetration tests and network assessments for security.
Build and maintain positive working relationships with co-workers, other County employees and managers, outside agencies, and the community utilizing accepted principles of effective customer service.
Process, research, and provide recommendations to Leadership Committee on Security Exemption requests.
Represent the County of Placer to the public and other agencies in a positive and productive manner; lead the Countywide Security Working Committee.
Perform related duties as required.
Work is typically performed in an indoor office environment with controlled temperature conditions.
Position may require travel to and from locations in a variety of outdoor weather conditions.
Experience and Training:
Any combination of experience and training that would provide the required knowledge and abilities is qualifying. A typical way to obtain the required knowledge and abilities would be:
Experience: Five years of increasingly responsible experience in Information Technology Security involving direct experience in system development, management and/or operations, including two years of supervisory responsibility.
Training: Equivalent to a bachelor’s degree from an accredited college or university with major course work in cyber security, computer science, information systems, information technology, business administration, public administration, or related field.
Required License or Certificate:
Must complete the Certified Information Systems Security Professional (CISSP) certification within twelve (12) months of appointment.
May need to possess a valid driver’s license as required by the position. Proof of adequate vehicle insurance and medical clearance may also be required.
KNOWLEDGE, SKILLS, AND ABILITIES
Principles of information security.
Principles covered by the Certified Information Systems Security Professional (CISSP) certification, including security and risk management, asset security, security architecture and engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security.
Risk and threat assessment process and practices.
Countywide organization, operations, and business practices.
Applicable federal, state, and local regulations and recommendations regarding information security.
Principles and practices of supervision, training, and personnel management.
Advanced principles and practices of budget planning, preparation, and implementation including financial forecasting and analysis.
Modern office practices, methods, computer equipment and applications related to assignment.
Techniques for effectively representing the County in contacts with governmental agencies, community groups and various business, professional, educational, regulatory, and legislative organizations.
On a continuous basis stay current with pertinent laws, regulations, and guidelines; focus on tasks for a long period of time; work with interruptions, in teams or alone; observe performance and evaluate staff; problem solve department related issues; remember and recall various rules and regulations; interpret policy; utilize, interpret, and apply pertinent information.
On a continuous basis sit at a desk and in meetings for long periods of time; intermittently twist to reach equipment surrounding desk, perform simple grasping and fine manipulation to utilize standard office equipment; use telephone and communicate through written means; see with sufficient visual acuity to perform essential job functions; hear with sufficient acuity to perform essential job functions; lift light weight.
Understand the benefits and risks of various IT security solutions.
Develop policies and strategies related to information security.
Establish goals and objectives; exercise a high degree of initiative and dependability.
Influence all levels of the organization through written and oral communication; prepare and present effective, clear, and concise documents, reports, and correspondence.
Interpret and apply County and Department policies, procedures, rules, and regulations.
Establish and implement policies and standards.
Address security needs unique to each department's business practices; analyze problems, identify alternative solutions, project consequences of proposed actions, and implement recommendations in support of goals.
Coordinate efforts across divisions in the Information Technology Department and between departments to reach Countywide information security goals.
Manage varying priorities and competing objectives throughout the County at the departmental level.
Supervise, train, and evaluate personnel.
Work with various cultural and ethnic groups in a tactful and effective manner.
Make high impact decisions.
Establish and maintain effective working relationships with those contacted in the course of work.
Maintain the confidentiality of information.
Length of Probation:
This classification serves at the pleasure of the Appointing Authority and has no specific term and no right to continuous employment.