Date Posted: March 12, 2020
The CISO Cybersecurity Strategic Consultant provides his/her Subject Matter Expertise in consultation with the Deputy CISO, OPS Director, and Business Operations Director to help protect HHS' ability to provide mission-critical operations against potential information technology (IT) threats and vulnerabilities. He/she acts as an experienced executive-level manager who has directed security strategy, operations and the budget for the protection of enterprise information assets. The scope of responsibility for this position will encompass communications, applications and infrastructure, including the policies and procedures that apply.
Primary Responsibilities Include Providing SME Consultation for the Following CISO Activities:
- Supporting enterprise-wide information security and privacy program by addressing the evolving cyber threat environment, increased sophistication of attacks, risk management, and rapid proliferation of health data resources without impeding or inhibiting missions and business objectives.
- Supporting strategic program goals geared towards deploying threat management and information protection capabilities and standards; strengthening the cybersecurity workforce; increasing stakeholder engagement; and offering secure solutions and enterprise services to Programs across HHS.
- Engaging in systems development and operations for security and privacy compliance, and providing advice and guidance to ensure compliance standards are included throughout the system development life cycle.
- Ensuring compliance with federal mandates and legislation, including the Federal Information Security Management Act (FISMA), the President's Management Agenda, and applicable Government policies and regulations.
- Directing and approving security systems design;
- Ensuring that disaster recovery and business continuity plans are in place and tested;
- Reviewing and approving security policies, controls and cyber incident response planning;
- Approving identity and access policies;
- Reviewing investigations after breaches or incidents (forensics), including impact analysis and recommendations for avoiding similar vulnerabilities;
- Maintaining a current understanding of the IT threat landscape for the industry;
- Identifying risks and actionable plans to protect the enterprise;
- Providing guidance in scheduling periodic security audits;
- Overseeing identity and access management;
- Ensuring that cyber security policies and procedures are communicated to all personnel and that compliance is enforced;
- Managing all teams, employees, contractors and vendors involved in IT security, which may include hiring;
- Providing training and mentoring to security team members;
- Updating the cyber security strategy to leverage new technology and threat information;
- Briefing the executive team on status and risks, including taking the role of champion for the overall strategy and necessary budget; and
- Communicating best practices and risks to all parts of the business, outside IT.
Education and Years of Experience:
- BA or BS technical degree in Computer Science, Cyber Security, Information Technology or a related technical field and at least 10 years of related experience.
- Minimum experience of 5 years working as a CISO;
- Exposure to executive-level management engagement;
- In-depth IT security knowledge and experience;
- Ability to interact effectively and harmoniously with other people;
- Practices and methods of IT strategy, enterprise architecture and security architecture;
- Security concepts related to DNS, routing, authentication, VPN, proxy services and DDoS mitigation technologies;
- ISO 27002, ITIL and COBIT frameworks;
- PCI, HIPAA, NIST, GLBA and SOX compliance assessments;
- Windows, UNIX and Linux operating systems;
- Firewall and intrusion detection/prevention protocols;
- TCP/IP, computer networking, routing and switching;
- Network security architecture development and definition;
- Knowledge of third-party auditing and cloud risk assessment methodologies;
- Possess at least one industry-recognized certification; preferred: CCNA, CEH, CISSP, CISM, GCIH, GCTI, GNFA, GCFE, GSLC, CISSP-ISSMP, Security+.
Clearance Level Required:
Must be eligible for Public Trust/Moderate Risk (Level 5 Public Trust (PT) SF85P MBI Moderate Risk NACLC).