- Career Opportunities
- Chief Information Security Officer
Chief Information Security Officer
Vacancy Number: 821
Application deadline: August 13, 2021
Reports to: Director, IT
The Security Officer is responsible for the organization's Security Program including but not limited to daily operations of the IT security program, oversight of the annual and ongoing risk assessment process, development, implementation, and maintenance of policies and procedures, ensuring the confidentiality, integrity and access of electronic protected information and of monitoring program compliance as well as investigation and tracking of incidents and breaches and in compliance with federal and state laws.
Duties and Responsibilities
- Builds a strategic and comprehensive information security program that defines, develops, maintains and implements policies and processes that enable consistent, effective information security practices which minimize risk and ensure the integrity, confidentiality and availability of information that is owned, controlled and processed within the organization. Ensures information security policies, standards, and procedures are up-to-date.
- Initiates, facilitates, and promotes activities to foster information security awareness within the organization.
- Creates a culture of cyber security both with the IT organization and driving behavioral changes for the business.
- Evaluates security trends, evolving threats, risks and vulnerabilities and applies tools to mitigate risk as necessary.
- Ensure that the disaster recovery, business continuity, risk management and access controls needs of the facility are addressed.
- Ensures the institution/organization complies with the administrative, technical and physical safeguards.
- Collaborates with organization senior management, and Compliance officer to establish governance for the security program.
- Serves in a leadership role for security compliance.
- Works closely with compliance to ensure alignment between security and privacy compliance programs including policies, practices and investigations.
- Is responsible for initial and periodic information security risk assessment/analysis, mitigation and remediation.
- Responsible for development and implementation of security risk management plan.
- Ensure organization has audit controls to monitor activity on electronic systems that contain or use electronic protected information.
- Ensure the organization has and maintains appropriate system use and disclosure / confidentiality statement.
- Assists as needed with breach determination and notification processes under applicable State breach rules and requirements.
- Establishes and administers a process for investigating and acting on security incidents, which may result in a privacy breach breaches.
- Manages security incidents and events involving electronic protected information, identified vulnerabilities, and remediates any security gaps in line with the security incident management procedure.
- Partners with Human Resources and compliance to ensure consistent sanctions for security violations.
- Serves as information security consultant to all departments for all data security related issues.
- Oversee periodic monitoring and reviewing of audit records to ensure that activity is appropriate. Such activity would include, but is not limited to, logons and logoffs, file accesses, updates, edits and printing.
- Leads vulnerability assessment and penetration testing on a periodic basis.
- Monitors and implements remediation actions resulting from vulnerability assessment, Pentests and external 3rd party security risk assessments.
- As subject matter expert on the team, maintain understanding of current technology, database management, programming practices, and future trends through ongoing education, conference attendance and industry press.
- Maintains current knowledge of applicable federal and state security laws, licensing and certification requirements and accreditation standards.
- Coordinate with external sources for threat intelligence relevant for OPEC Fund and initiate remedial actions.
- Coordinate with national cyber security agencies and forums.
- Contributes to the drafting of policies, procedures, and related guidelines within an area of expertise to meet defined key principles and ensure compliance with external requirements.
- Oversees, develops and/or delivers initial and ongoing security training to the workforce. Initiates, facilitates and promotes activities to foster information security awareness within the organization and related entities.
- Maintains and renews a deep knowledge and understanding of the organization’s policies and procedures and of relevant regulatory codes and codes of conduct, and ensures own work adheres to required standards.
- Identifies patterns of non-compliance with the organization’s policies and procedures, and with relevant regulatory codes and codes of conduct, taking appropriate action to report and resolve these and escalating issues as appropriate.
- Coordinates major cross-departmental activities related to cyber security.
- Leads corporate level incident response.
- Ensure external vendors are compliant and conduct periodic vendor risk assessments.
- Coordinate SWIFT customer security assessment and annual attestation to SWIFT.
- Maintains good relations/ contact with external partners/ consultants to acquire goods, services and support, and with other OPEC Fund departments/ units to ensure satisfaction and efficiency.
- Deals with authorized IT consultants hired by the OPEC Fund on the subject of consultancy projects and problem solution, on an on-going basis.
- Deals with all the Fund’s departments/ units on the subject of IT services and consultation, on an on-going basis.
- Carries out other tasks/ duties assigned by the supervisor that are related to the job function.
Qualifications and Experience
- Master’s degree in Computer Programming, security field or respective studies.
- CISSP/ISO 27K/NIST Certification.
- A minimum of seven years of relevant professional experience.
- Preferably at least 3-5 years at an international institution.
- Fluent in English. Good working knowledge of French, Arabic, German or Spanish is an added advantage.
- Demonstrable strategic orientation and critical thinking skills. He/she must generate valuable insight regarding external issues such as shifts in threats and countermeasures and internal matters such as business implications of information security policies and protocols.
- Familiarity with relevant software, including SAP ERP, SWIFT, Treasury Management Systems and Bloomberg’s information and trading platforms.
- Demonstrable project management skills.
- Must understand, develop, and define network security architectures.
- Excellent understanding of protocols that can manage firewalls, intrusion discovery, and intrusion prevention.
- Excellent experience with computer networking components, including DDoS and DoS mitigation approach, DNS, authentication, TCP/IP, and VPN proxy services.
- Demonstrable ability to work in an international multi-cultural environment, with sensitivity and respect for diversity.