The Metropolitan Water District of Southern California is a consortium of twenty-six cities and water districts that provides drinking water to nearly 19 million people in Southern California. Metropolitan's mission is to provide its service area with adequate and reliable supplies of high-quality water to meet current and future needs in an environmentally and economically responsible way. Metropolitan's facilities include the 242-mile Colorado River Aqueduct, five conventional water treatment plants with a combined capacity of 2.6 billion gallons per day, nine surface water reservoirs, 800 miles of pipeline, and 16 hydroelectric power plants.
INFORMATION SECURITY OFFICER (IT SECURITY UNIT MANAGER)
Metropolitan's Information Technology Group has one (1) opening for an Information Security Officer (ISO) available at its Headquarters in Los Angeles, California.
As the Information Security Officer you will be responsible for establishing and maintaining a corporate-wide information security management program to ensure that information assets are adequately protected. The information assets at Metropolitan include standard information technology environments, such as financial, human resources, engineering, and facility maintenance systems, as well as mission-critical systems such as real-time treatment plant operation, conveyance, distribution, and water quality monitoring, detection, and remediation systems.
JOB DUTIES
1. Develops, implements, and monitors a strategic, comprehensive enterprise information security and IT risk management program to ensure the integrity, confidentiality, and availability of information owned, controlled, or processed by the organization.
2. Develops, maintains, and publishes up-to-date information security policies, standards, and guidelines. Oversees the approval, training, and dissemination of information security policies and practices. Creates and manages information security and risk management awareness training programs for all employees, contractors, and approved system users.
3. Creates, communicates, and implements a risk-based process for vendor risk management, including assessment and treatment for risks that may result from partners, consultants, cloud services and other service providers.
4. Provides regular reporting on the current status of the information security program to senior Metropolitan business leaders and the Board of Directors as part of a strategic enterprise risk management program.
5. Creates a framework for roles and responsibilities with regard to information ownership, classification, accountability, and protection. Develops and enhances an information security management framework based on national standards such as ITIL (a set of best-practice publications for IT service management) and those of the National Institute of Standards and Technology (NIST). Creates and manages a unified and flexible control framework to integrate and normalize the wide variety of ever-changing requirements resulting from global laws, standards, and regulations.
6. Provides strategic risk guidance for IT projects, including evaluation and recommendation of technical controls. Ensures that security programs are in compliance with relevant laws, regulations, and policies to minimize or eliminate risk and audit findings.
7. Liaises with the Enterprise Architecture Team to ensure alignment between the security and enterprise architectures, thus coordinating the strategic planning implicit in these architectures. Understands and interacts with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems, and services, including, but not limited to, privacy, risk management, compliance, and business continuity management.
8. Coordinates information security and risk management projects with resources from the IT organization and business units and teams.
9. Liaises among the information security team and corporate compliance, Audit Department, Legal Department, and Human Resources Group management as required.
10. Defines and facilitates the information security risk assessment process, including the reporting and oversight of treatment efforts to address negative findings. Manages security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the District's reputation. Monitors the external threat environment for emerging threats, and advises relevant stakeholders on the appropriate courses of action. Liaises with external agencies, such as law enforcement and other advisory bodies as necessary, to ensure that the organization maintains a strong information security posture.
11. Coordinates the use of external resources involved in the information security program, including, but not limited to, interviewing, negotiating contracts and fees, and managing external resources.
12. Facilitates a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the security program.
13. Understands and interacts with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including, but not limited to, privacy, risk management, compliance and business continuity management.
14. Performs legislative reviews and analysis of proposed cyber security bills and executive orders.
15. Serves as the cyber security lead representative for Metropolitan's North American Electric Reliability Corporation/Western Electricity Coordinating Council (NERC/WECC) Compliance Program or its successor.
Work Schedule: 9/80, Alternate Fridays Off.
MINIMUM QUALIFICATIONS
Education and Experience
Bachelor's degree from an accredited college or university and twelve years of increasingly responsible relevant experience, of which four years must have been in a management or supervisory position; OR
An advanced degree from an accredited college or university and ten years of increasingly responsible relevant experience, of which four years must have been in a management or supervisory position.
Relevant Experience is defined as work experience within information technology, of which six (6) years must be within cyber security.
Required Knowledge of: Information security and risk-related concepts; principles and practices of maintaining a secure computing environment; information security management frameworks, such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, ITIL, Control Objectives for Information and Related Technologies (COBIT), and those from NIST; principles and practices of system design, development, and implementation; principles and practices of intrusion detection, firewall software, and antivirus software, and practices of intrusion recovery; supervisory methods and techniques; team building; contract administration; project management, including planning, scheduling, and costing; report writing; personnel management practices; practices and principles of strategic planning; performance measurement tools and metrics; policies and procedures related to budget, procurement, and human resources; programming theory and design; and a basic understanding of Microsoft and UNIX operating systems.
Required Skills and Abilities to: Develop information security . . .
To apply for this position, please copy and paste the following link into your browser address bar: http://www.respondhr.com/60536830