Designs and directs a citywide information security program and partners with city leadership on risk management to provide the protection and confidentiality of data and other information assets of the city.
This job reports to: Chief Information Officer
Establishes and maintains city operations risk register with risk management department, executive leadership, and designated staff with special accountability tracking and acting on cybersecurity risks to maintain intended level of protection.
Leads the development and promotion of security and privacy awareness training and education for all levels of the organization.
Oversees the development and implementation of citywide information related security policies, guidelines, and governance models to protect the city from internal and external threats and vulnerabilities.
Sets city-wide roles and processes for electronic and physical environment protection, and data governance with detailed cross-departmental processes for responding to identification and handling of process violations and compromised data.
Prepares short and long-term strategies for optimizing the city’s information security plan and formulates and recommends city-wide policies for detecting, deterring, and mitigating information security threats.
Participates in the development and implementation of disaster recovery and business continuity plans, with a focus on holistic operational effectiveness and comprehensive Information Technology engagement.
Serves as a subject matter expert and internal consultant on the data security implications of proposed new major information technology projects and programs, making recommendations to the Chief Information Officer, City Manager's Office, and affected departments.
Designs & enacts architecture and governance for secured limited access to information through technical infrastructure, including processes to monitor, manage, and evaluate ongoing performance of security. Ensure new solutions adhere to policy and standards and solutions are properly controlled and isolated given risk to systems and network.
Leads the handling of information security breaches and related incidents, including overseeing the activation of the City's cybersecurity insurance company, departmental incident response teams, and joint task force response teams pre-arranged with external partners / governmental agencies.
Skill in superior interpersonal and communication skills (oral and written), investigation, critical and coordination of security anomalies and events, road mapping, strategic planning, program management, strong customer service skills, negotiation and mediation, presentation, and public speaking, performing security incident investigations or forensic analysis of a security incident or event.
Knowledge of standard security practices, network architecture, routing and Transmission Control Protocol/Internet Protocol (TCP/IP), general business processes and standards associated with areas of assignment, Risk and Threat assessment processes and practices; project planning and management; business continuity planning, documentation and evaluation; managing the evidentiary process; the use of Third Party Applications and native scripts and languages; maintaining the chain-of-custody process and procedures; strong working knowledge of pertinent laws and the law enforcement community, and knowledge of the principles and methods used in the analysis and development of information security systems and procedures; currently accepted information security standards, guidelines, and theories; advanced computer technology equipment operational capacity & capability.
Ability to analyze and interpret complex data, effectively supervise personnel, and motivate and direct the work of others, prepare and present effective, clear, and concise reports and correspondence, identify and recommend information security needs for the city, analyze problems and identify alternative solutions, deal effectively and harmoniously with city executives, department and assigned staff, customers, and the public.
Education Level & Type: Bachelor’s degree in computer science, cyber security, information systems, electronics engineering, voice/data communications, information security, public/business administration, or a related field.
Experience: Ten years in information technology or security management with five years in concentrated information security. Must have experience and working knowledge with firewalls, routers, anti-virus, virtual private networks (VPN), Multi-factor authentication, public key infrastructure (PKI), encryption, governance, risk and compliance management (including policy and procedure management); zero-trust infrastructure (design, setup and ongoing assurance).
Driver’s License & Type: Valid and Unrestricted Class D - Driver's License
Special Job Requirements
Must possess and maintain certification as a Certified Information Systems Security Professional (CISSP), issued by the International Information Systems Security Certification Consortium, Inc. (ISC)2, or achieve certification within the first 6 months of employment.
Pre-employment Medical Testing Requirements
FLSA Status: Exempt
Occupational Group Code: 06
Occupational Group Description: Data Processing
EEO Job Category Code: A
EEO Job Category Description: Officials and Administrators
Organizational Level: Superintendent/Manager
Bargaining Unit: No Representation
The following information pertains to driving requirements for this classification with the City of Tucson. Under "Driving Level" None, Secondary or Primary, refers to the driving responsibility as it relates to the essential functions of the classification. License Type is just that, the type of Arizona Driving License required for the classification. If the position requires a Commercial Driver’s License (CDL), the endorsements will be listed under "Endorsements." Under Safety Sensitive a "Yes" means employees with this classification are subject to pre-employment and random drug testing. License Type A, B, C, D, or M may require the use of personal or City vehicles on City business. Individuals must be physically capable of operating the vehicles safely, possess a valid license and have an acceptable driving record. Use of a personal vehicle for City business will be prohibited if the employee is not authorized to drive a city vehicle or if the employee does not have personal insurance coverage. Exceptions to classification driving requirements may exist based on position.
Driving Level: Incidental
License Type: Valid and Unrestricted Class D - Driver
CDL Endorsements: None
Safety Sensitive: No
Job Description Disclaimer
This description is not intended to limit or in any way modify the right of management to assign, direct and control the work of employees under supervision. The listing of duties and responsibilities shall not be held to exclude other duties not mentioned that are of similar kind or level of difficulty. They are intended to describe the general nature and level of work being performed by individuals assigned to this position.