Information Security Manager

The Information Security Manager (ISM) is a critical member of the CIO’s team. The ISM will work to maintain and monitor the security practices and systems implemented by the Firm and will implement and manage security systems and tools as directed by Firm policies, procedures, and management. The ISM works in concert with the IT organization’s technical activities to implement and manage security infrastructure, and to provide regular status and compliance reports to management.

The ISM is a hands-on role that requires an individual with a strong technical background, as well as an ability to work with the IT organization, to align priorities and plans with key IT objectives. The ISM will act as an empowered representative of the CIO during IT planning initiatives to ensure that security measures are incorporated into strategic IT plans and expectations are clearly defined.

Responsibilities

The ISM’s job is composed of a variety of activities, ranging from the tactical and operational to the strategic, in support of the CIO’s program initiatives, such as:

  • Strategic support.
  • Security liaison.
  • Architecture/engineering support.
  • Operational support.

Strategic Support

  • Work with the CIO to develop a security program and security projects that address identified risks and business security requirements.
  • Manage the process of gathering, analyzing and assessing the current and future threat landscape, as well as providing the CIO with a realistic overview of risks and threats in the enterprise environment.
  • Work with the CIO to develop budget projections based on short- and long-term goals and objectives.
  • Monitor and report on compliance with security policies, as well as the enforcement of policies within the IT department.
  • Propose changes to existing policies and procedures to ensure operating efficiency and regulatory compliance.

Security Liaison

  • Provide security communication, awareness and training to all firm personnel.
  • Work as a liaison with vendors to establish mutually acceptable contracts and service-level agreements.
  • Serve as an active and consistent participant in the information security committee.
  • Provide support and guidance for legal and regulatory compliance efforts, including audit support.

Architecture/Engineering Support

  • Consult with IT staff to ensure that security is factored into the evaluation, selection, installation and configuration of hardware, applications and software.
  • Recommend and coordinate the implementation of technical controls to support and enforce defined security policies.
  • Research, evaluate, design, test, recommend or plan the implementation of new or updated information security hardware or software, and analyze its impact on the existing environment; provide technical and managerial expertise for the administration of security tools.
  • Develop a strong working relationship with the IT team to develop and implement controls and configurations aligned with security policies and legal, regulatory and audit requirements.

Operational Support

  • Respond to client security assessments and manage any tactical changes as a result of assessments.
  • Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.
  • Manage and coordinate operational components of incident management, including detection, response and reporting.
  • Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances, recommend treatment plans and communicate information about residual risk.
  • Manage security projects and provide expert guidance on security matters for other IT projects.
  • Ensure audit trails, system logs and other monitoring data sources are reviewed periodically and are in compliance with policies and audit requirements.
  • Design, coordinate and oversee security testing procedures to verify the security of systems, networks and applications, and manage the remediation of identified risks.

Requirements and Qualifications

  • A minimum of ten years of IT experience, with five years in an information security role.
  • A bachelor’s degree in information systems or equivalent work experience.
  • CISSP or equivalent certifications and/or experience.

The ISM must have the following:

  • A strong understanding of the business impact of security tools, technologies and policies.
  • Excellent verbal, written and interpersonal communication skills, including the ability to communicate effectively with the IT organization, management and business personnel.
  • In-depth knowledge and understanding of information risk concepts and principles as a means of relating business needs to security controls.
  • An excellent understanding of information security concepts, protocols, industry best practices and strategies.
  • Experience developing and maintaining policies, procedures, standards and guidelines.
  • Experience with common information security management frameworks, such as International Standards Organization (ISO) 2700x.
  • Familiarity with applicable legal and regulatory requirements, including, but not limited to, the U.S. Sarbanes-Oxley Act, the U.S. Health Insurance Portability and Accountability Act (HIPAA), etc.
  • Strong project management skills and experience in creating and managing project plans, including budgeting and resource allocation.
  • Experience in system technology security testing (vulnerability scanning and penetration testing).

Job Type: Full-time

Salary: Open, dependent on experience

Date Active: 1.18.2016

Exempt/Not Exempt: Exempt