Assistant Director, Business Information Security Officer at Metrolink

PURPOSE OF POSITION

The Southern California Regional Rail Authority (SCRRA), operator of the METROLINK Commuter Rail System, is seeking a Assistant Director, Business Information Security Officer, who will understand the key assets and processes, identify and evaluate risks and controls, and suggest incremental controls or risk mitigation strategies where necessary. Additionally, the Assistant Director, Business Information Security Officer will ensure business compliance with Information Security Policies and Standards while continuously monitoring and reporting on risks and documented exceptions. The Assistant Director, Business Information Security Officer helps the business achieve their objectives while not compromising the security posture. The Assistant Director, Business Information Security Officer will work under the general direction of SCRRA’s Chief Technology Officer, and the position will collaborate with internal and external auditors to ensure compliance with SCRRA’s cyber security procedures and industry standards.

WHAT TO EXPECT: This recruitment will have a review of applications on January 13, 2025. Interested applicants are encouraged to apply immediately.

DISTINGUISHING CHARACTERISTICS

This job description is not part of a job series.

SUPERVISION EXERCISED AND RECEIVED

• Receive general oversight from executive level management.
• This position will have no direct reports.

The duties listed below are intended to describe the general nature and level of work being performed and are not to be interpreted as an exhaustive list of responsibilities.

• Lead, develop, and implement SCRRA-wide or large-scale business unit information and operational technology security strategies, programs, plans, programs, policies, and procedures designed to protect the integrity and security of the SCRRA network, data resources, operations, and other information assets in accordance with SCRRA policies and industry standards.
• Develop and maintain in-depth understanding of region/business unit processes, systems, technologies, data, customers, consumers, partners.
• Evaluate the overall technology portfolio for adherence to security policies and procedures for all SCRRA corporate and operational systems (e.g. positive train control (PTC)).
• Coordinate auditing and compliance and certification requirements.
• Leads cyber security training program for the agency, consumers, and partners as needed.
• Act as the key security resource for the IT leadership and the IDTS Business Partners and other local personnel.
• Partner with all Departments to achieve effective working relationships that can further the effectiveness of the Security program.
• Lead development of the Information Security Policies and Standards throughout the agency.
• Lead implementation of cyber security solutions required to meet business objectives.
• Review and audit technical implementations of physical security solutions required to meet business objectives.
• Lead information security operations in partnership with all departments.
• Proactively identify noncompliance and areas of potential improvement, and issue corrective actions to department manager.
• Engage with clients and customers as needed to assist the business to achieve its objectives by representing our security program, supporting internal and external audits, assisting in customer communication of security incident, etc.).
• Participate in region/business unit related conferences, client facing engagement, industry forums to represent the Cyber Security program.
• Provide regular and timely reporting on the status of cyber security throughout the agency.
• Provide escalation path for security issues, incidents and inquiries.
• Review work of the Security Incident Response and Crisis Management teams to ensure effectively driving incidents to acceptable resolution; assist with investigations as needed.
• Provide Cyber Security Guidance for agency personnel.
• Drive remediation activities throughout the agency.
• Work with the Compliance and Information Risk Management team to drive policy and regulatory compliance.
• Responsible for the PCI-DSS annual compliance submission requirement and develop monitoring program to ensure SCRRA is PCI compliant.
• Performs other related duties as assigned.

Education and Experience

• Bachelor’s degree in computer science, Information Systems, Cybersecurity, Auditing or a related field.
• A minimum of seven (8) years of relevant experience.
• A combination of training, education and or experience that provides the required knowledge, skills and abilities may be considered when determining minimum qualifications. Advanced relevant coursework may also substitute for a portion of required experience.
• Valid Class C Driver's License with a satisfactory driving record of no more than three moving violations and no DUI's within the last three years.

PREFERRED QUALIFICATIONS

• A minimum of five (5) years of experience in business security policy development, metrics capture, and analysis and system authorization.
• Certification pertaining to information security and data privacy protection (CISSP, CISA, CRISC, CISM, CEH, etc.)
• Experience in compliance, government or financial industry.
• Experience in the design and implementation of information security programs.
• Knowledge and experience with security and governance frameworks: SSAE-18 (SOC-2), HIPPA, PCI-DSS, ISO27991, NIST, Fedramp.

Knowledge, Skills, and Abilities

Knowledge of:

• Advanced level understanding of business theory, business processes, management, and business operations.
• Advanced level understanding of planning, organizing, and developing Information Technology security and physical security system technologies.
• Extensive experience in enterprise security document creation.
• Experience in designing and delivering employee security awareness training.
• Experience in developing Business Continuity Plans and Disaster Recovery Plans.
• Strong understanding of IP, TCP/IP, and other network administration protocols.
• Expert level understanding of key network and technical security controls.
• Security best practices including experience with NIST 800-53, ISO27001 and PCI DSS.P

Skilled in:

• Applying IT in solving security problems.
• Setting and managing priorities.
• Executive level presentations.
• Maintaining interpersonal relationships.

Ability to:

• Analyze and solve problems.
• Apply organizational information security policies at a business unit level.
• Develop conceptual frameworks and apply sound principles for the secure operation of SCRRA technology resources.
• Define and develop security strategy and roadmaps.
• Facilitate cross-functional team meetings and build consensus.
• Understand business needs and work collaboratively with business stakeholders and team members.
• Implement and manage the administration of relevant security systems and solutions.
• Recommend and implement changes in security policies and practices in accordance with changing needs.
• Promote and oversee strategic security relationships between internal resources and external entities, including other government agencies, vendors, and partner organizations.
• Communicate effectively, both orally and in writing.
• Maintain, and accurately complete records.
• Establish and maintain effective working relationships with supervisors, fellow employees, and the public

Following a review of applications and resumes, the most highly qualified candidates will be invited to continue in the selection process. Eligible applicants will be notified of the exact time and place of assessments and interviews. Candidates will be interviewed to determine their relative knowledge, skills, and abilities in job-related areas. Offers of employment may be contingent upon successful completion of a reference check(s), including degree verification and criminal records check provided through SCRRA. Internal Candidates: Employees with active discipline as defined in the HR Policy No. 5.3 Positive Discipline Program and/or with performance that does not meet the standard for "meets expectations" as defined in the Performance Planning and Appraisal Process may be precluded from consideration and placement in the position.

Southern California Regional Rail Authority is an Equal Opportunity Employer. In compliance with the Americans with Disabilities Act, the Authority will provide reasonable accommodations to qualified individuals with disabilities and encourage prospective and current employees to discuss potential accommodations with the employer.

The SCRRA is an Equal Opportunity Employer. EEO/ADA