Position Title: Chief Information Security Officer
Grade/Classification: 60 - Chief or Equivalent
Hiring Rate: $136,702 - Albany, NY Office
$141,756 (Includes location differential of $5,054) - NYC Office
Location: Albany, NY Office or NYC Office
FLSA Status: Exempt
Last Revised: July 2, 2024
Primary Purpose
The Chief Information Security Officer (Chief ISO) is responsible for protecting and maintaining the confidentiality, integrity and availability of information and related infrastructure assets; managing the risk of security exposure or compromise; assuring a secure and stable information technology (IT) environment; identifying and responding to events involving information asset misuse, loss or unauthorized disclosure; monitoring systems for anomalies that might indicate compromise; and increasing the awareness of information security within DASNY. The Chief ISO has a senior advisory role in decisions affecting information security and assurance, and is responsible for the development, implementation, enhancement, monitoring and enforcement of DASNY and New York State information security policies and standards across the organization.
Essential Functions
Operations
- Conduct regular penetration testing and keep records of all test data and schedule of future testing.
- Maintain security of all electronic data, documents and records and regularly test for vulnerabilities.
- Work with IS to plan, install, and maintain required security architecture, software, hardware, firmware, and appliances.
- Provide advice on security issues related to procurement of products and services.
- Review and approve all external network connections to DASNY’s network.
- Escalate security concerns to executive management, as necessary.
- Maintain records and controls for all IT security related matters including but not limited to pro-active investigations, risks, threats, actual security events, technology related assets, system life cycles, penetration testing and data vulnerability testing, and provide up-to-date schedules of all reviews and follow-ups.
- Maintain records on system access to the DASNY technology environment with regard to access levels on all technology including but not limited to applications, equipment, and records.
- Maintain records on all DASNY technology assets and equipment including but not limited to: computer hardware and devices, computer monitors and peripherals, mobile phones/equipment/devices, construction technology devices and equipment, infrastructure hardware and devices, applications and software, cloud data storage, off-site physical data storage.
- Recommend, develop, enhance, monitor and update policies, standards, procedures, control processes, and education and awareness programs relating to IT security and risk management to verify that appropriate safeguards are implemented; ensure appropriate information security awareness and educate all DASNY employees and third-party individuals as required.
- Facilitate and ensure compliance with IT security policies, standards and processes, and federal and State laws and regulations affecting security controls and classification requirements of DASNY’s information.
- Ensure DASNY policies/practices align with the NYS Information Security Policy Standards established and issued by the Office of Information Technology Services.
- Coordinate with IS staff to ensure security measures are implemented in accordance with policy requirements.
- Participate in new hire on-boarding, providing appropriate system credentials and training new hires on DASNY’s “need to know” information regarding its IT network, applications and security.
- Act as liaison between DASNY and external auditors.
- Coordinate DASNY’s technical efforts in response to information and system security compliance reviews or audits performed by external regulatory organizations or auditors.
- Develop or review contracts, service level agreements, memoranda of understanding and other documents to verify that they meet information security needs and requirements and align with agency and State information security policies.
- Maintain guidelines for the development of secure application code using industry best practices.
Strategic
- Maintain current industry knowledge and build relationships with IT security related organizations on industry and government standards, information security market movement, and current technology risks and threats; evaluate the applicability of the latest information security techniques and tools to DASNY’s security program.
- Protect and maintain the confidentiality, integrity and availability of DASNY proprietary data and user confidential information by securing the applications, endpoints, and infrastructure assets in coordination with the Director of IS and executive management.
- Evaluate security threats and countermeasures that could affect DASNY; make recommendations to executive management to mitigate risks.
- Manage and coordinate technology and security risk assessment and management which includes pro-active investigations to test for risk tolerance and potential weaknesses in DASNY’s IT environment including but not limited to infrastructure, on-site and off-site data, applications and asset management.
- Oversee and coordinate information security and information assurance efforts within DASNY, and exercise authority for compliance with DASNY’s information security and assurance policies.
- Work with the IS Director and Assistant Directors to oversee IT network and data security architecture; develop, deploy and maintain information security architecture in accordance with New York State and DASNY information security policies. Improve DASNY’s security infrastructure while also improving ease of use for DASNY users.
- Serve as the information security expert and provide consultation to management on all information security matters.
- Collaborate with peers to develop a multilayered and adaptive approach to counter a dynamic information security threat environment.
- In consultation with Counsel’s office, research relevant laws and regulations that could affect the security controls and classification of information assets and approve adjustments to meet legal and regulatory requirements.
- Develop metrics to measure the efficiency and effectiveness of the security program, facilitate appropriate resource allocation and increase the maturity of the security program.
- Produce and/or present reports for the Audit Committee addressing DASNY’s information and cyber risk, to assist the Audit Committee in its responsibility for oversight of DASNY’s system of internal controls and risk assessment, including information technology security and control, as it relates to the annual external audit of DASNY’s financial statements.
Event Responses
- Work with the IS Director and the Business Continuity Policy Analyst to develop, maintain and test DASNY's Disaster Recovery Plan (DRP).
- Work with Counsel’s Office and Communications & Marketing to develop, implement and maintain incident response plans and reports, consistent with New York State standards, to effectively respond to security incidents.
- Investigate and report security incidents and malfunctions to management and ITS in accordance with the ITS Incident Reporting Policy.
- Identify potential information security violations; refer and coordinate with Counsel’s Office and the Office of Professional Integrity for further investigation.
- Ensure appropriate follow up to security violations.
Other Duties and Responsibilities
- Supervise, train and evaluate employees.
- Ensure supervisors meet their obligations in the supervision, training and evaluation of their staff.
- Handle disciplinary matters and assist in handling stage 1 grievances and disciplinary measures in accordance with applicable collective bargaining agreements.
- Participate in collective bargaining and other employee relation matters; administer and ensure adherence to applicable bargaining agreements.
- Assess, develop and implement internal controls, and oversee the review and testing of same.
- Undertake special assignments as directed.
- Must adhere to the NYS Information Security Policy Standards established and issued by the Office of Information Technology Services.
- Must maintain regular attendance in accordance with DASNY attendance and leave policies.
- Maintain current knowledge and proficiency in Information Security through training and receiving annual Continuing Professional Education (CPE) credits directly related to Information Security.
Supervision
May train and supervise employees.
Physical/Mental/Visual Demands
Travel is required, using public transportation, DASNY vehicle, rental vehicle or personal vehicle. This travel may include overnight stays at public accommodations and related establishments. Must be able to work overtime or extended work hours as needed.
Work Environment
Standard office environment, including the use of one or more of the following: PC, telephone, fax machine, printer, copier, electronic stapler/hole punch/date stamp, shredder.
Minimum Qualifications
Bachelor's degree in Business Administration or a technology-related field and professional security management certification, such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials plus seven years of combined experience in IT Security and IT Risk Management. Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT and NIST. Experience in developing and executing Disaster Recovery programs. Hands-on experience working with PCs and servers as well as security tools such as Qualys, Varonis, Sophos and MFA.
Preferred Qualifications
Master's degree in Computer Science and professional security management certification, such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials plus seven years or more of combined experience in IT Security and IT Risk Management. Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT and NIST. Experience in developing and executing Disaster Recovery programs. Hands-on experience in LAN/WAN management. Experience with IT Asset Management. Experience with contract and vendor negotiations. Management experience with the ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals. Hands-on experience working with PCs and servers as well as security tools such as Qualys, Varonis, SecureDocs, Sophos and MFA.
Essential Skills
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and nontechnical audiences.
- Demonstrated analytical and conceptual skills.
- Demonstrated ability to work in a team environment.
- Demonstrated ability in disaster recovery and business recovery planning and testing.
- Demonstrated ability to identify and suggest ways to minimize business risk.
Benefits information:
DASNY provides financing and construction services to public and private universities, not-for-profit healthcare facilities, and other institutions which serve the public good.
We offer a comprehensive benefits plan, which includes:
- Choice of several health insurance plans
- Dental & vision insurance
- Membership in the NYS Retirement System
- Deferred Compensation Investment Plan
- 13 vacation days per year
- 13 sick days per year
- 5 days of personal leave per year
- 12 paid holidays per year (plus one float day)
- Tuition reimbursement
- Training & development opportunities
We offer additional benefits, which include:
- Telecommuting Work Plan - Employees are required to apply and obtain approval through management to telecommute according to DASNY’s Telecommuting Program Guidelines. The days designated as telecommute days must be consistent with operational needs as determined by DASNY division, department and/or unit management. Employees may only telecommute on up to four (4) workdays per pay period and shall be limited to no more than two (2) contiguous telecommute workdays. Eligibility applies after 3 months of employment.
- Limited Work from Home (LWFH) – additional telecommute days according to DASNY’s Telecommuting Program Guidelines. Eligibility applies after 6 months of employment.
- DASNY is a government employer for purposes of the Public Service Loan Forgiveness Program (PSLF Program). The PSLF Program forgives the remaining balance of certain student loans after the borrower makes 120 qualifying monthly payments. For more information regarding the PSLF Program and whether you qualify, please visit the Studentaid.gov website.