Title: Security and Privacy Professional
Reports to: CIO
Salary: DoE

POSITION SUMMARY

This position resides within the  Digital Services  group of  CLIENT. The  Security  and Privacy  Professional,  in close partnership with the CIO and CISO, oversees  and coordinates day-to-day  activity  related to information security  and privacy   oriented initiatives,  policies, standards  and procedures   throughout  the organization.  The Security  and  Privacy Professional  is responsible  for  planning,  influencing,  and coordinating the company's information security  policies, setting procedures and guidelines  to ensure that all information systems  are functional,  secure  and safeguarded throughout  the  company  and are  in compliance  with privacy  and information security  laws and regulations  applicable to retail institutions.  Additionally,  the Security  and Privacy  Professional  is responsible for providing leadership during security  events,  as well  as ensuring the technical  and administrative  support for  the development  of  Disaster  Recovery  and  Business Continuity programs for the company. The incumbent  interfaces with theInformation and Digital
Services  Core IT Operations  team on matters of security  and privacy  operational  controls. In addition, the  incumbent  acts as an internal consultant and to the organization  on issues involving security  and privacy.
 
 

RESPONSIBILITIES

• Work to determine acceptable risk levels for the enterprise and ensure that the IT environments are adequately protected from potential risks and threats

Participate in development and implementation of the appropriate and effective controls to mitigate identified threats and  risks
Assist in tactical follow-up on detected security issues and drive the design and implementation of solutions to reduce security risks
Drive the  research, development,  and communication  around  Security  and Privacy matters,  by maintaining and working  with the  operational  units on the enforcement ofIT security  architecture,  policies,  procedures, solutions  and standards
Participate in and provide specific IT security oriented leadership during incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary
Keep abreast and advise the company with regard to the latest industry security and privacy   best-practices  and technologies
Coordinate with Business Owners to analyze, document and define requirements associated with new development or maintenance and enhancements to existing security  roles  and permissions.
Deliver services that meet regulatory specifications. Work with internal and external auditors to document and confirm that all security administrative duties are properly performed as well as demonstrate overall compliance .

 

Qualifications

A minimum of 5 years operational and strategic experience in IT controls and information security, IT compliance, networking security or IT audit is required.
Artifact management experience including the development and maintenance of Policies, Standards, and other supporting documentation. Ability to document and maintain the details of IT remediation projects, committee meetings, and the findings  of security testing and assessment   projects.
Operational experience with IT compliance requirements and processes, especially PCI DSS and adjacent PCI industry controls, mitigations, and incident   responses.
Operational experience in the inventory and classification of IT assets, and the update and maintenance thereof
Access control and identity management experience, including the principles and management of access to network infrastructure, server platforms, Active Directory domains, and databases. Ability to provide subject matter expertise in the areas of configuration management and maintenance of access control and assessment of access for these systems. Knowledge of RADIUS, LDAP, and Cloud SSO solutions  is a plus
Skilled in the principles and management of key management and encryption systems, for information in transit and at rest. Extensive knowledge of both symmetric  and  asymmetric  cryptographic systems
Demonstrate  extensive  experience  with  vulnerability management
 
 

Education

4-year  college  degree or demonstrated  equivalent  experience  with appropriate time-in-role,  with subject matter majors  in Computer  Science, Information Management, Information Security  or equivalent  disciplines
A SANS, CISSP or other equivalent industry-recognized Security certification is required.
Additional certifications in IT audit or IT controls design and management are preferred
CObIT and/orITIL certifications, education, or equivalent experience  with control  and operational  frameworks  a strong  plus
 
 

Technical Skills

Information security  assessment  and auditing  procedures, from  both technical  and business perspectives,  and the  use of formal  methodologies  such as  NSAIAM

• Vulnerability sanning and auditing tools

Enterprise-scale  network and host-basedIDS architectures Enterprise-scale firewall  architectures
E-commerce  application security