Certified Information Security Professional

MANDATORY SKILLS
Candidates must meet all the requirements below to be considered for the Certified Information Security Professional position.

  • Minimum of five (5) years experience as an Information Security Professional.
  • Certification as a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM) with either one of the following: Certified Risk & Information Systems Control (CRISC), Certified Information Systems Auditor (CISA), Certified Secure Software Lifecycle Professional (CSSLP) or SANS GIAC (ISO-27001 preferred, but not required) certified.
  • Possess strong business acumen with excellent communication skills. Must have good presentation skills and be comfortable communicating with mid and executive management. Strong documentation skills in policy and standards writing in addition to operational procedures. Must have conceptual skills to demonstrate complicated examples with visual illustrations for non-IT users.
  • Experience with Windows, Linux, UNIX and Citrix Thin Client environment. Ability to recommend Operating System hardening for all environments and systems. Expert Active Directory security experience is required.
  • Possess a broad knowledge of information security system controls (e.g. CISSP certified) and knowledge to identify technical, operational and business risks.
  • Able to multi-task, be pro-active in project planning and requirements gathering and capable of setting priorities based on impact and risk to the business without supervision.
  • Excellent interpersonal skills including negotiation, problem resolution and customer service.
  • Must have experience with Data Leakage Prevention, Endpoint Security, Intrusion Prevention Systems, Integrity Controls, Encryption, Access Controls, Incident Response Procedures, Log Management, and Security Architecture & Design.
  • Experience presenting security proposals to senior management and the ability to present complex ideas clearly and persuasively.

PREFERRED EXPERIENCE

  • Prior experience as an Information Security Manager or Director of Information Security.
  • Prior and proven experience in Information Security with a focus on Enterprise Risk Management and Compliance.

ASSUMPTIONS REGARDING CONSULTANT TASKS AND DELIVERABLES

The Information Security Professional shall provide Information Security consultant services to NYCERS for the completion of NYCERS’ ongoing Information Security Program. The following descriptions and deliverables shall apply:

  • Role:
    • The Information Security Professional must align and document risk management expertise as it pertains to the business and IT operations; act as a subject matter expert (SME) on risk assessment, analysis and remediation. There are 18 security domains contained in the Information Security Management Program.
  • Objective:
    • The Information Security Professional will aid in the establishment of a formal Enterprise Risk Management program and document the agency IT Security Governance and Compliance framework.
  • Deliverables. The Information Security Professional is responsible for the following:
    • Complete the Information Security Operations and IT Standards documentation.
    • Standardize and document the agency Enterprise Risk Management plan.
    • Identify critical assets, risk owners, remediation strategies and document in the agency risk register.
    • Execute and certify the Enterprise Risk Management Program.
    • Create an executive dashboard for reporting metrics, Key Risk Indicators and Key Performance Indicators for identified critical business systems using a SIEM solution.