Chief Information Security Manager

Chief Information Security Manager
Address: Syosset, NY (Hybrid)
Full Time Position

Scope of Work:
The vCISO shall provide expert virtual cybersecurity services during normal business hours except in the event of a security incident or breach.
HCC seeks a fresh perspective on its security measures and protocols to not only improve its posture, but also to identify new risks and opportunities. The vCISO will also be responsible for leading HCC's efforts to address the nine (9) elements of the Gramm-Leach-Bliley Act (GLBA) for compliance purposes.

• Perform a detailed cyber risk assessment that includes the following, but not limited to:
  • Identifying, estimating, and prioritizing information cyber security risks at college;
  • Examining HCC's current technology, security controls, policies, and procedures to assess potential threats or attacks; and
  • Evaluating HCC's threat landscape, vulnerabilities, and cyber gaps that pose a risk to its assets.
• Act as HCC's Qualified Individual (QI) to present quarterly reports to HCC Board of Trustees and leadership as required and specified by GLBA.
• Develop an information security program using a framework such as National Institute of Standards and Technology (NIST) 800-53, Center of Internet Security (CIS) Critical
• Security Controls, or CIS Implementation Group 1 (IG1) that protects HCC in accordance with GLBA security requirements.

• Provide information security leadership, communication, investigation, mitigation, containment and post-incident analysis in the event of a cyber incident.

• Update and enhance existing cybersecurity policies and procedures as required by GLBA.

The policies include but not limited to:

• Vulnerability management
• Data management
• Incidence response
• Software management
• Hardware asset management
• Provide guidance when analyzing real-time threat analysis identified by HCC's security operations center.

• Perform third-party and partner evaluations Higher Education Community Vendor Assessment Toolkit (HECVAT).
• Develop and implement the strategy to conduct regular security audits and assessments to identify vulnerabilities and ensure compliance with security policies.
• Write a clear and concise incident response plan that meets industry standards.

CYBERSECURITY INCIDENT OR BREACH
In the event of a cybersecurity incident or breach, the vCISO will:

• Notify HCC within twenty-four (24) hours of the discovery of an incident or breach by telephone and in accordance with the agreed upon incident response plan unless a shorter notice time is required by law.
• Implement the incident response plan, ensuring that all relevant teams are mobilized and aware of their roles and responsibilities.
• Oversee the initial assessment to understand the scope and impact of the incident or breach.
• Coordinate with internal stakeholders, including senior management and the board of directors, to keep them informed about the incident or breach and the steps being taken to address it.
• Lead the investigation to determine the cause of the incident or breach, how it occurred, and what data or systems were affected.
• Oversee the remediation efforts to fix vulnerabilities and restore affected systems.
• Ensure that all actions taken during the incident or breach response are thoroughly documented.
• Conduct a post-incident review to evaluate the response and identify lessons learned.
• Provide a full written report of the incident, nature of the breach, compromised information, and correction actions taken to prevent future incidents or breaches.

All devices and equipment necessary to perform duties under this contract will be provided by HCC.

EDUCATION
At a minimum, the Contractor must possess a bachelor's degree in cybersecurity, computer science, information technology, or a related field from an accredited higher education institution in the United States. A master's degree is preferred.

EXPERIENCE

• IT Security: The Contractor must possess at least 7-10 years of experience in IT security-related roles such as security analyst, network administrator, or similar positions.
• Leadership: The Contractor must possess experience in management or leadership roles as CISOs need to lead teams and make strategic decisions.

CERTIFICATION(S)
The Contractor must possess at least one of the following related certifications:

• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified Information Systems Auditor (CISA)

KNOWLEDGE & SKILLS

• Technical Skills: Demonstrates a deep understanding of information security principles, practices, and technologies.
• Leadership and Communication: Possess strong leadership, communication, and strategic planning skills are essential.
• Compliance and Risk Management: Possess knowledge of regulatory requirements and risk management practices.

Skill Matrix:

1. Technical Expertise:

Knowledge of Security Frameworks: Demonstrate an understanding and application of industry-standard security frameworks, such as the National Institute of Standards and Technology (NIST) 800-53, Center of Internet Security (CIS) Critical Security Controls, and CIS Implementation Group 1
(IG1).
Cybersecurity Technologies: Demonstrate familiarity with current security technologies, especially any commonly used technologies in higher education.
Threat Intelligence and Incident Response: Demonstrate experience in threat detection, vulnerability/risk assessments, and incident response.

1. Experience & Qualifications:

Education: Possess a bachelor's degree or higher in cybersecurity, computer science, information technology, or a related field from an accredited higher education institution in the United States.
Experience: Demonstrate years of experience providing CISO-level services, specifically virtual or remote services. Prove the ability to convey complex security concepts to non-technical stakeholders. Demonstrate leadership experience, especially in advising executive teams and boards on cybersecurity.
Certifications: Demonstrate relevant professional certifications such as CISSP, CISM, or CISA to validate skills and knowledge.

1. Compliance & Risk Management:

Demonstrate knowledge of regulatory requirements and risk management practices.

About Us:

InterSources Inc. is a Small, Woman, and Minority-Owned Business Enterprise, ISO/IEC 27001, SOC 2 Type 2 certified company with massive 18+ years of diversified experience in providing IT Consulting Services, Artificial Intelligence, Data Analysis, Application Development, Cloud Services, Cybersecurity, Digital Marketing, ERP Management, Custom Software Development, Web Development, UI/ UX Design, System Integration, QA Support etc. We make reasonable accommodations for clients and employees, and we do not discriminate based on any protected attribute including race, religion, color, national origin, gender sexual orientation, gender identity, age, or marital status. We also are a Google Cloud and Oracle partner company.