CLASSIFICATION SPECIFICATION FORM

Transcription

1 CLASSIFICATION SPECIFICATION FORM Human Resources CLASSIFICATION TITLE: POSITION TITLE: (If different from above) DEPARTMENT: DIVISION: LOCATION: Executive Director Executive Director, Information Security Office Information Security Information Technology and Business Transformation cityplace H. R.: DATE: May 2016 A. SUMMARY OF RESPONSIBILITY Security Clearance is required for this position Under the general direction of the Vice President, Information Technology and Business Transformation & Chief Information Officer (CIO), the Executive Director, Information Security Office is responsible for developing and implementing a comprehensive information security program designed to protect information assets and supporting information systems from any unauthorized access, use, disclosure, corruption or destruction. The Executive Director, Information Security Office directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and information technology risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The Executive Director, Information Security Office is a senior-level executive responsible for aligning security initiatives with enterprise programs and business objectives, ensuring that information assets and technologies are adequately protected in accordance to the corporate risk tolerance.

2 B. TYPICAL DUTIES Strategic Planning, Development & Execution Leads the development of a long-term Corporate IT Security strategy and programs to ensure information security and information risk management messaging and implementation are aligned on an enterprise-wide level. Monitors integrity, confidentiality and availability of information to ensure it is owned, controlled and processed by the organization. Provides leadership and strategic direction for the function, identifying protection goals, objectives, and metrics that align with the corporate strategic plan. Anticipates threats and opportunities related to corporate reputation, and develops strategies to mitigate risks. Directs, manages, and is accountable for the implementation of IT security components of operational initiatives and projects, from conceptualization and planning through to implementation. Provides strategic direction to related governance functions and stakeholders throughout the organization on information security matters, such as routine security activities, plus emerging security risks and control technologies. Information Security Controls Oversees the corporate information security management system to identify, quantify, catalog, and remedy information security risk across the enterprise and monitors the overall costs. Leads the information security management system governance committee, providing guidance on best-practices, governance and leadership. Responsible for the development and implementation of corporate information security policy, standards, guidelines and procedures to ensure ongoing maintenance of information security. Establishes a centre of excellence for information security management, offering advice and practical assistance on information security risk and control matters throughout the organization and promoting the commercial advantages of managing information security risks more efficiently and effectively. Creates a framework for roles and responsibilities with regard to information ownership, accountability, and protection. Oversees the design and operation of related compliance monitoring and improvement activities to ensure compliance both with internal security policies and applicable laws and regulations to minimize or eliminate risk and audit findings. Responsible for ensuring effective information security awareness, training and educational activities. Responsible for information security activities relating to contingency planning, business continuity management and IT disaster recovery in conjunction with relevant functions and third parties. Oversees information security incident response team (ISIRT) planning as well as the investigation of security breaches, and assists with disciplinary and legal matters associated with such breaches as necessary. Responsible for identity and access management governance. Liaises among information security team, corporate compliance, audit, legal, and HR as required.

3 Develops the metrics and reporting framework to measure the efficiency and effectiveness of IT security components of corporate programs and initiatives. Information Risk Management Defines, implements, and is responsible for the organization s global information risk management strategy and framework, collaborating with business units, stakeholders, and committees to get buy-in and build momentum. Oversees the process to administer policy exceptions, ensuring that they are subject to appropriate controls, both before and after approval. Ensures that strategic information security and risk guidance is provided to third-party suppliers in accordance with internal frameworks, and assesses to ensure compliance with required controls. Coordinates and manages any external resources involved in programs, including interviewing and negotiating contracts and fees. Oversees information security risk assessments and controls selection activities. Works with outside consultants as appropriate for independent security audits. Security Architecture and Engineering Ensures that information security architecture standards, policies, and procedures are available and enacted consistently across application development projects and programs. Collaborates with enterprise architecture to define physical, virtual, and logical information security architecture specifications. Collaborates with application owners to understand the risk position around key business applications. Liaises with the enterprise architecture team to ensure alignment between the security and enterprise architectures, coordinating the strategic planning implicit in these architectures. General Leadership Assists the Vice President, Information Technology and Business Transformation & Chief Information Officer with the planning, management, and implementation of corporate information security projects and initiatives. Conducts all activities of an Executive Director, including participation in strategic planning, long- term human resource planning, budgeting, and support for the Information Technology and Business Transformation division. Provides leadership, coaching and direction to direct reports. Provides direction to Security Operations staff and management (currently titled Security, Compliance and Risk Management) by way of a dotted line reporting structure. Fosters the use of leading-edge business research and analysis for the development of policies and initiatives. Represents the corporation at meetings with external organizations, professional and business associations related to Information Security issues and development. Remains current in new technologies, platforms, threats, and risks; actively engages in a defined process to keep current on trends, new practices and new solutions and emerging technologies and threats. Fosters the use of leading-edge business research and analysis for the development of policies and initiatives.

4 Displays leadership by continually motivating, encouraging and inspiring the development of strong, effective, efficient, ethical and professional teams with a clear focus on the delivery of planned outcomes and the continual development of the capabilities and capacities of the individual team members. C. QUALIFICATIONS 1. Education: Bachelor or Master s Degree in Computer Science, Information Systems, Commerce, Business Administration or related field. Completion of one or more of the following professional designations is preferred: o Information security management qualifications such as: CISSP, CISM, CRISC, CISA or other information security credentials. An MBA would be considered an asset. 2. Experience: Ten years of related senior level experience successfully leading comparable information security management and/or related functions (such as an ISMS, IT audit, and IT Risk Management), including five years at a senior management level. Experience must include a minimum of five years managing multiple, large, cross-functional teams or projects, influencing senior level management and key stakeholders. 3. Technical Knowledge & Skills: Solid understanding of the enterprise information security architecture discipline, processes, concepts, and best practices. Knowledge of information security and risk control frameworks such as COBiT, ISO 27001, ITIL, and ISO is preferred. Knowledge of business continuity and IT disaster recovery frameworks such as BS and BS is preferred. Demonstrated personal values aligned with the corporate values, providing a role model for the team. Demonstrated ability to work effectively with a team, delivering high performance and customer satisfaction, in a global, matrix management environment. Strong facilitation skills and a clear ability to build strong relationships with business stakeholders at all levels, including executive managers and vendors. Strong, proven problem-solving skills and the ability to identify, analyze, and resolve problems, driving solutions through to completion. Proficiency in the use of standard software packages, such as Microsoft Word, Excel, and PowerPoint. Strong affinity with technology and an interest in the wider implications of technology. Proven integrity and the ability to handle confidential matters in a professional manner, applying the appropriate level of judgment and maturity. Strong leadership and management skills and recognized as a key strategic thinker. In-depth knowledge of information technology management, including hardware and software.

5 In-depth knowledge of enterprise application and data architecture principles, and associated tools, technologies, methods. Proven capabilities in research, analysis, and a demonstrated ability to interpret and synthesize complex data. Proven capabilities in the area of project management with the ability to plan and manage multiple complex projects simultaneously. Superior oral and written communication skills, with demonstrated ability to clearly convey complex information in a concise and straightforward manner. Excellent interpersonal skills, with experience of superior performance in public speaking and formal presentations. Proven ability to handle conflict and criticism in a positive and professional manner. Proven ability to adapt to, and effectively contribute to, rapid business transformation. Proven ability to work under pressure and meet deadlines. Superior negotiation skills in working with key stakeholders and vendors. 5. Security Clearance Must be able to obtain and maintain the required level of security clearance as a condition of employment in this classification including: Reliability Status: Consent to a Criminal Name Record Check Consent to a Credit Check Secret (Level II) Security Clearance: Consent to a CSIS (Canadian Security Intelligence Service) Indices Check