Information Security Manager - $90K-$180K - MANAG002176
Salary range is $90k to $180k with a midpoint of $135k. New hires typically receive between minimum and midpoint, however, we may go slightly higher based on experience, internal equity and market.
The Information Security Manager - ORCA directs, maintains, and operates the Information Security Management System (ISMS) for the ORCA payment system, including the governance, risk, and compliance components of the regional security function. The Information Security Manager will have an important, visible role in collaboration with the ORCA partner agencies and their Information Security experts. This role partners with other Regional ORCA Operations Team (ROOT) staff to ensure the secure operation of the ORCA system, and works closely with vendors and service providers to ensure alignment of their security practices with the risk control strategies outlined in the region’s ISMS.
The following duties are a representative summary of the primary duties and responsibilities. Incumbent(s) may not be required to perform all duties listed and may be required to perform additional, position-specific duties.
• Guides security policy and participates in broader Information Security governance efforts for the ORCA partnership.
• Develops and maintains the ISMS in collaboration with regional information security SMEs and technical consultants.
• Oversees and manages the ORCA ISMS and recommends appropriate mitigating controls.
• Oversees Information Security Risk Management activities, including risk identification, assessment, and communication to relevant stakeholders.
• Provides valuable expertise and leadership directly to the governing ORCA Joint Board executive leadership, including sharing metrics to reflect the performance of the regional security program functions, executive risk score reports, and other guidance on a variety of information security topics.
• Facilitates a committee of Information Security SMEs across the ORCA Agencies to ensure both regional compliance and concurrence on information security-related matters, recommending solutions, and working from the regional ORCA perspective to achieve optimal solutions.
• Collaborates with the Systems Integrator, other vendors, and partner Agencies to ensure security best practices, standards, policies, and regulatory requirements are incorporated into core payment system design, implementation, and sustainment, as well as supports other future phase projects.
• Conducts regular security reviews of both software and processes, advising on information security practices. Reviews and creates threat models and recommends security enhancements consistent with information security strategy and evolving threats.
• Supports external IT security audits and assessments that focus on ORCA operation.
• Develops, updates, implements, and conducts information security training programs to support the ISMS objectives.
• Manages approvals for Identity and Access Management (IAM) and Access Control Administration.
• Acts as Incident Commander for Security Incident Response activities, whenever the Information Security Incident Response Plan is invoked by the regional program; plays a stakeholder and oversight role if the plan is invoked by other partners or vendors.
• Participates in information security incident investigation and response efforts; performs root-cause analysis when incidents occur and prepares incident reports.
• As a member of the Change Advisory Board, evaluates change requests to determine potential impacts to Information Security, including IT systems, processes, and policies, and provides appropriate input to the Change Management process.
• Coaches, mentors, and develops future ROOT information security staff as the ISMS becomes complete and mature.
• Keeps up to date on latest information security trends, “best practices”, threats and countermeasures.
• Champions and models Sound Transit's core values and demonstrates values-based behaviors in everyday interactions across the agency.
• Contributes to a culture of diversity, equity and inclusion in alignment with Sound Transit’s Equity & Inclusion Policy.
• It is the responsibility of all employees to follow the Agency safety rules, regulations, and procedures pertaining to their assigned duties and responsibilities, which could include systems, operations, and/or other employees.
• It is the responsibility of all employees to integrate sustainability into everyday business practices.
• Other duties as assigned.
Education and Experience:
Bachelor’s Degree in computer science, information technology, management information systems, or closely related field; with five years of information systems security (or cybersecurity) experience, or closely related field; OR an equivalent combination of education and experience.
Required Licenses or Certifications:
• At least one of the following (in valid status): Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Security Auditor (CISA).
• Other industry relevant certifications in the fields of information security, project management, auditing and/or risk management, such as the Certification in Risk and Information Systems Control (CRISC).
Required Knowledge and Skills:
• Enterprise-level information-security plans, policies, standards, guidelines, methods, and practices based on current industry standards, best practices, tools, and techniques.
• Information Security Management Systems, and applicable industry standards (ISO 27001/2).
• Pertinent federal, state, and local laws, codes, and regulations; particularly those that affect information security for payment systems.
• Environments subject to the Payment Card Industry Data Security Standard (PCI DSS), including compliance-related duties.
• Knowledge and understanding of developing and administering information-security standards, practices, audits, risk management, and policy compliance.
• Information Security Audit principles and practices.
• Knowledge of one or more governance frameworks such as COBIT 5, ISO, NIST, or COSO.
• Strong understanding of IT Service Delivery (ITIL) core processes and methodologies.
• Principles, methods, and techniques used in the facilitation of managing projects and leading teams.
• Relevant experience and detailed technical knowledge in security engineering, system and network security, authentication and security protocols, cryptography.
• In-depth knowledge of security software threats and vulnerability mitigation techniques.
• Working knowledge of cloud platforms such as Azure/AWS and relevant security controls.
• Establishing and maintaining collaborative working relationships with other department staff, management, vendors, and other stakeholders.
• Documenting and explaining risks, recommendations, and incident data to technical stakeholders.
• Interpreting and administering information security policies, standards, and procedures sufficiently to administer, discuss, resolve, and explain them to staff and other constituencies.
• Leading or supporting an Information Security Management System.
• Generating metrics and preparing reports to facilitate decision-making on security-related activities.
• Utilizing personal computer software programs affecting assigned work and in compiling and preparing spreadsheets and reports.
• Responding to inquiries with effective oral and written communication.
• Researching, analyzing, and evaluating new security processes, products, and techniques.
• Candidate should have excellent time management skills, including the ability to prepare, prioritize, and complete work plans.
• Working effectively under pressure, meeting deadlines, and adjusting to changing priorities.
• Writing of technical documentation and standards, including skill in English usage, spelling, grammar, and punctuation.
Preferred Knowledge and Skills:
• Knowledge of Governance, Risk, and Compliance (GRC) tools.
• Principles of leadership, supervision, training, and performance evaluation.
• Extensive knowledge of risk-based methodologies and one or more of the following frameworks: ISO 27001/2:2017, 27005:2011, and 31000; PCI-DSS; or NIST 800-53.
Physical Demands / Work Environment:
• Work is performed in a standard office environment.
• Subject to standing, walking, bending, reaching, stooping, and lifting of objects up to 25 pounds.
• The Agency promotes a safe and healthy work environment and provides appropriate safety and equipment training for all personnel as required.
Sound Transit is an equal employment opportunity employer. No person is unlawfully excluded from employment action based on race, color, religion, national origin, sex (including gender identity, sexual orientation, and pregnancy), age, genetic information, disability, veteran status or other protected class.
Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities
The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor’s legal duty to furnish information. 41 CFR 60-1.35(c)