Information Security and Compliance Associate Director
HUNTER Technical Resources, Alpharetta GA
Information Security & Compliance Associate Director
The Information Security and Compliance Associate Director is responsible for establishing and maintaining an enterprise-wide and globally oriented information security program to assure information assets are adequately protected. The Information Security and Compliance Associate Director is responsible for the creation and maintenance of enterprise-wide information security policy and establishing and operating IT security technology. He or she is responsible for building an accountable, information security-conscious culture and a system security infrastructure built on high quality standards backed-up by effective operational procedures as well as regular status monitoring and reporting activities.
This position requires a leader with strong management skills, a detailed working knowledge of information security technologies and familiarity in leading IT security organization to achieving security compliance for a diversified global organization (PCI, HIPAA, and SOX). This position serves as the process owner of all ongoing activities related to the availability, integrity and confidentiality of company data including information supplied by customers, business partners, and contractors. Proper protection of such data shall be prescribed through the organization’ s information security policies and standards.
- Develop, publish, and maintain comprehensive information security standards, policies, procedures, and guidelines including data classification and protection (including Data Loss Protection mechanisms) as well as development and execution of an information security training and awareness program
- Draft and propose the enterprise-wide information security strategy and action plans based on enterprise-wide risk assessment and gap analysis. Thus, identify and propose key information security program priorities, initiatives, practices, and tools.
- Provide guidance (e.g., information security risk severity assessments, relative cost benefit analysis, etc.) and recommendations regarding prioritization of system security infrastructure investments that mitigate risks, strengthen defenses, and reduce vulnerabilities.
- Develop the requirements for, and a Standard Operating Procedure covering, information security incident response, and executing such response in the event of an information security event with timely update reporting. Understand potential and emerging information security threats, vulnerabilities, and control techniques and communicate this information to appropriate team members.
- Collaborate with the IT teams to ensure information security risks in both ongoing and planned operations are properly considered.
- Conduct regular and ongoing monitoring of and reporting on enterprise-wide compliance with information security and IT control standards and policies. This includes coordinating the use of external resources involved in the performance of security testing, e.g., penetration tests, vulnerability scans.
- Establish requirements for, and overseeing operation of, an enterprise information security architecture and infrastructure that includes Security Information and Event Management, Network, and Host Intrusion Detection/Prevention Systems, Vulnerability Scanning and Penetration Testing.
- Establish security metrics, evaluating results, and reporting them to senior leadership in the context of how they affect risk.
- Oversee the security of applications and data bases to ensure applicable requirements are met.
- Set requirements for, and oversee execution of, a contract with a Managed Security Services Provider who may supply many of the needs set forth in this section, including running the information security architecture and infrastructure.
Qualifications / Experience
- Requires a BA, BS or Master’ s degree in a Computer Science or Information systems related discipline; an MBA or advanced degree in those fields is a plus.
- Requires a minimum of ten years of progressive leadership experience in computing and information security, preferably 15+ years, as well as at least five years’ experience with Information Security, Internet Technology, and Risk Management.
- Should have an Information Security certification such as the Certified Information Systems Security Professional Certification (CISSP) or Certified Information Security Manager Certification (CISM)
- Requires experience with audit compliance and risk management as it relates to information security.
- Requires experience in leading and managing IT information security implementations.
- Requires the ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals. This is a highly responsible position that requires both quantitative and interpersonal skills.
- Requires a demonstrated ability to manage a team of professionals as well as experience with working with Managed Security Services Providers
- Should be a someone who is a thought leader, articulate, consensus builder, and who is persuasive with a demonstrated ability to serve as an effective member of the senior management team and communicate information security-related concepts to a broad range of technical and non-technical team members at all levels of the organization.
- Should have a working understanding of ITIL processes and concepts
- Should have some understanding of Federal, state, local, and overseas laws and regulations governing information security and data privacy
- Should have some experience in the healthcare field especially relative to meeting FDA regulations