Requisition ID: req2904
Job Title: Senior Information Security Officer
Sector: Information Technology
Employment Category: Regular
Employment Type: Full-Time
Location: USA-New York, NY - HQ
Background/IRC Summary: The International Rescue Committee (IRC) responds to the world's worst humanitarian crises and helps people to survive and rebuild their lives. Founded in 1933 at the request of Albert Einstein, the IRC offers lifesaving care and life-changing assistance to refugees forced to flee from war or disaster. At work today in over 40 countries and in 22 US cities, the IRC restores safety, dignity and hope to millions who are uprooted and struggling to endure. The IRC leads the way from harm to home.
The IRC has defined a new strategic mission and vision, along with initiatives and key processes that will deliver to the strategic objectives. The Information Technology department supports the organization's work by providing reliable and scalable application development and infrastructure for the IRC's offices in the US and around the world, including many technologically challenging locations.
Job Overview/Summary: The Senior Information Security Officer (ISO) ensures that IRC Information Resources are secured in accordance with IRC Policy and appropriate regulations, and that data protection risks in the field are managed. The scope of this role is global, and the ISO must be able to fill in for the CISO periodically. Policy is based on ISO 27002, and compliance requirements include PCI DSS compliance (IRC does not store cardholder data), GDPR, and various contractual obligations. This is a global leadership role and a vital team member responsible for keeping our company, donor and beneficiary data safe. This role must possess the gravitas to interact with all levels of the organization to drive change and advise on risk, as well as the technical underpinnings to design, implement and operate cyber security, privacy and compliance technologies.
Leadership, Risk Management & Advisory
- Serves as a trusted advisor to IRC leadership on risk management, operations, legal and regulatory compliance, and policy; oversees ongoing risk identification, remediation, compliance and vendor risk.
- Drives organizational change and improved risk management through delivery of key projects and capabilities.
- Develops and maintains relationships with key partners at all levels of their organization including Global Supply Chain, General Counsel, Investigations, HR, Finance, etc. Primary internal customers are International Programs (IPD) and US Programs (USP).
- Drives annual risk assessment, predictive threat modelling and budget estimation for risk treatment.
- As subject matter expert, identifies critical technologies and creates and maintains project plans to drive key projects to completion. Must be highly capable of managing within matrixed environments; develops and continually updates detailed project plans. Ensures the IRC IT PM methodology is adhered to.
- Prepares status reporting for multiple audiences including senior executives; must have a proven track record in articulating complex ideas both orally and in writing, and in standard project status reporting (scope, goals, milestones, budget, risk, status, change requests, critical issues, etc.).
- Drives team meetings, proactively documents meeting minutes, tracks issues, decisions and action items, and follows up between meetings to drive issues to closure.
Policy Compliance and Reporting
- Manages all elements of the GIS Security Policy lifecycle including development, review, update, approval, retirement, version control, exceptions and communications.
- Works with all relevant stakeholders such as GIS steering committee members, subject matter experts, BU representatives, etc. to ensure policy is aligned to IRC business needs and is reviewed and updated as necessary.
- Ensures policy complies with appropriate industry standards and regulations such as PCI and GDPR and with directives from authoritative bodies such as the US Dept of State; manages reporting including PCI SAQ attestation.
- Provides oversight of GDPR compliance reporting from business units, and actions and tracks remediation.
- Leads compliance and audit reporting for key controls including: MDM, endpoint protection, firewalls, vulnerability management, DLP, systems event response, and anti-virus/malware/spam technologies.
- Leads cyber incident response and collaborates with the organization to improve processes.
- In close collaboration with IT Security, maintains the IRC GIS tools catalog and facilitates their adoption and use across the enterprise as appropriate; ensures greater capability for business units to manage their own risk.
- Provides information security mentoring and training to IRC IT and other staff as appropriate.
- Leads vendor risk management, responds to outside vendors' requests for information (questionnaires and baselines), and provides status reporting and metrics to leadership on at least a quarterly basis.
- Assists Communications Officer with the development and implementation of security training and awareness programs to educate the company's employees regarding information security requirements and initiatives.
Key Working Relationships:
Position Reports to: Chief Information Security Officer (CISO)
Position directly supervises: NA
Indirect Reporting: US, regional and country program leadership
Other Internal and/or external contacts:
Internal: GIS Steering Committee, IRC leadership and line staff across regions, NYHQ and Nairobi iHub, IPD, USP, Ethics and Compliance. Significant internal clients include IPD and USP.
External: Legal, industry/sector leadership and vendors. Law enforcement if needed for incident response.
Job Requirements: The requirements should establish a baseline (minimum) for educational background, previous work experience, professional knowledge or certification, specific skills and strengths and any other skill necessary to perform the essential functions of the job.
Education: Bachelor's degree in an information systems-related field required. Master's preferred.
Work Experience: 7 years in information technology demonstrating career progression; 5-10 years in Information Security
Demonstrated Skills and Competencies: proven leadership capabilities across all levels of an organization; proven risk assessment and security program management. Working security knowledge sufficient to engage senior technologists in areas including: AD, firewall/network, endpoint security (such as Airwatch, Sophos, etc.), cloud operations (Azure, AWS), and single sign-on (OneLogin). Excellent oral and written communication sufficient for executive-level presentation. Background in PCI DSS compliance program management. Demonstrated proficiency with legal and compliance concerns, regulations and frameworks such as ISO 27001/2, GDPR, NIST 800-53r5, FedRAMP and NIST CSF.
Language Skills: English required; French and Arabic a plus
Certificates or Licenses: CISA, CISSP, CISM or like certifications which support adequate aptitude; CISSP strongly preferred.