Description

PURPOSE OF POSITION

The Senior Manager, Business Information Security Officer will understand the key assets and processes, identify and evaluate risks and controls, and suggest incremental controls or risk mitigation strategies where necessary. Additionally, the BISO will ensure business compliance with Information Security Policies and Standards while continuously monitoring and reporting on risks and documented exceptions.  The BISO helps the business achieve their objectives while not compromising the security posture. The BISO will work under the general direction of SCRRA’s Chief Technology Officer, and the position will collaborate with internal and external auditors to ensure compliance with SCRRA’s cyber security procedures and industry standards.

DISTINGUISHING CHARACTERISTICS

This job description is not part of a job series.

SUPERVISION EXERCISED AND RECEIVED

• Receive general oversight from director or executive level management.
• This position will have no direct reports.

ESSENTIAL DUTIES AND RESPONSIBILITIES

The duties listed below are intended to describe the general nature and level of work being performed and are not to be interpreted as an exhaustive list of responsibilities.

• Develop and maintain in depth understanding of region/business unit processes, systems, technologies, data, customers, consumers, partners.
• Evaluate the overall technology infrastructure for adherence to security policies and procedures for all SCRRA corporate and operational systems (e.g. positive train control (PTC)).
• Coordinate auditing and compliance and certification requirements.
• Act as the local security resource for the IT leadership and the IT Business Partners, IT Infrastructure, IT Architecture, HR, Finance, Legal and other local personnel.
• Partner with all Departments to achieve effective working relationships that can further the effectiveness of the Security program.
• Review and audit the Information Security Policies and Standards throughout the agency.
• Review and audit technical implementations of security solutions required to meet business objectives.
• Proactively identify noncompliance and areas of potential improvement, and issue corrective actions to department manager.
• Engage with clients and customers as needed to assist the business to achieve its objectives by representing our security program, supporting internal and external audits, assisting in customer communication of security incident, etc.)
• Participate in region/business unit related conferences, client facing engagement, industry forums to represent the Cyber Security program.
• Provide regular and timely reporting on the status of cyber security throughout the agency.
• Provide escalation path for security issues, incidents, and inquiries.
• Review work of the Security Incident Response and Crisis Management teams to ensure effectively driving incidents to acceptable resolution; assist with investigations as needed.
• Provide Cyber Security Guidance for agency personnel.
• Drive remediation activities throughout the agency.
• Work with the Compliance and Information Risk Management team to drive policy and regulatory compliance.
• Drive the development, implementation, and translation of information security policies.
• Responsible for the PCI-DSS annual compliance submission requirement and develop monitoring program to ensure SCRRA is PCI compliant.

Requirements

MINIMUM JOB QUALIFICATIONS

EDUCATION AND EXPERIENCE

• Bachelor’s degree in Computer Science, Information Systems, Cybersecurity, or a related field.
• A minimum of eight (8) years of relevant experience.
• Experience in compliance, government, or financial industry.
• Experience in the design and implementation of information security programs.
• A combination of training, education and or experience that provides the required knowledge, skills and abilities may be considered when determining minimum qualifications.  Advanced relevant coursework may also substitute for a portion of required experience.
• Valid Class C Driver's License with a satisfactory driving record of no more than three moving violations and no DUI's within the last three years.

PREFERRED QUALIFICATIONS

• A minimum of five (5) years of experience in business security policy development, metrics capture and analysis and system authorization.
• Certification pertaining to information security and data privacy protection (CISSP, CISA, CRISC, CISM, etc.)
• Knowledge and experience with security and governance frameworks: SSAE-18 (SOC-2), HIPPA, PCI-DSS, ISO27991, NIST, FedRAMP.

KNOWLEDGE, SKILLS AND ABILITIES

Knowledge of:

• Microsoft Windows CE Operating System.
• Zebra programming language.
• Data Warehouse table layout and relationships.
• Expert level understanding of key network and technical security controls.
• Security best practices including experience with NIST 800-53, ISO27001 and PCI DSS. P.

Skilled in:

• Incident response and coordinating activities.

Ability to:

• Analyze and solve problems.
• Apply organizational information security policies at a business unit level.
• Stay up to date in BI technology trends and provide solutions.
• Apply organizational information security policies at a business unit level.
• Effectively communicate relevant IT-related information to superiors and peers across the organization.
• Manage and organize timely and materials.

PHYSICAL REQUIREMENTS

• Transition between a stationary position at a desk or work location and move about Metrolink facilities or other work site locations.
• Operate tools to perform the duties of the position; such as computers, office equipment and work-related machinery.
• Transport equipment or boxes up to 25lbs.
• Exchange ideas by means of communication.
• Visual acuity to detect, identify and observe employees or train movement and any barriers to movement when working on or near railroad tracks.
• Hear and perceive the nature of sounds when working on or near railroad tracks.
• Balance, ascend/descend, climb, kneel, stoop, bend, crouch or crawl within assigned working conditions and or locations.

WORKING CONDITIONS

Position requires work in a normal office environment with little exposure to excessive noise, dust, or temperature. Work may also be conducted in outdoor environments, at construction sites, Railroad Track and Right-of-Way environments, and warehouse environments, with possible exposure to individuals who are hostile or irate, moving mechanical parts, and loud noises (85+ decibels, such as heavy trucks, construction, etc.). Telecommuting may be available for this classification.

Southern California Regional Rail Authority is an Equal Opportunity Employer. In compliance with the Americans with Disabilities Act, the Authority will provide reasonable accommodations to qualified individuals with disabilities and encourages both prospective and current employees to discuss potential accommodations with the employer.