Thursday, March 27, 2008
CSSAL in Albany, NY
The client's Office of Cyber Security & Critical Infrastructure Coordination has developed an Information Security Policy for all entities to protect information assets and their supporting processes. The Information Security Policy is a statement of the minimum requirements, ethics, responsibilities and accepted behaviors required to establish and maintain a secure environment and achieve the state's information security objectives. Compliance with this policy is mandatory. The Information Security Policy sets the direction, gives broad guidance and defines requirements for information security related processes and actions across entities (SEs). The policy follows the framework of ISO/IEC 17799 for Security Policy guidelines. The client is seeking the services of a qualified Information Security Consultant to work within the Information Security Office (ISO), primarily assigned to providing assistance in the areas of technical controls (identification and authentication), management controls (review of security controls), security administration and analysis, implementing security solutions to meet the OCSCIC Security Policy requirements, and mentoring ISO staff.
The Consultant and client will jointly develop work plans with prescribed timeframes as required to accomplish each consultant task as identified by the client.
Experience: Mandatory Requirements:
- 3 years minimum experience as an Information Security specialist.
- Has valid information security credential(s) from reputable and verifiable source(s); this may include the CISSP designation.
Desirable Requirements:
- Demonstrated experience with information security technical controls for identification and authentication for access and accountability.
- Demonstrated experience with management controls to ensure conformance with confidentiality requirements promulgated by control agencies and/or federal authorities; this may concern experience with United States Department of Labor (USDOL) confidentiality requirements in particular.
- Demonstrated hands-on experience with Information Security management and mentoring staff of an Information Security office.
- Demonstrated knowledge and experience in developing information security policies and procedures.
- Demonstrated experience using security best practices, technologies, and approved methods to improve an information security program.
- Demonstrated experience in developing documented procedures to assist staff in following approved standards and guidelines to promote information security.
- Demonstrated experience developing clearly defined organizational responsibilities to protect information and information systems.
- Demonstrated experience working with security awareness and training to inform staff, customers, and business partners about the need to adhere to proper rules and methods that concern information security.
- Demonstrated experience using hardware/software solutions to promote information security and mitigate risks.
- Strong communication skills, both written and verbal, as presented in an interview where the candidate will demonstrate the required knowledge, skill sets and abilities.
3) Deliverables to Information Security Officer by September 30, 2009:
A. The security consultant will provide expertise to ensure that the client's technical controls are appropriate to ensure identification and authentication of its users, both internal and remote, to promote individual accountability. In order to achieve this, the consultant will use appropriate methods and best practices, and take action that includes, but is not limited to, the following items:
- Assess the current identity and access management methods used to protect information maintained by computers.
- Inventory computing devices to determine the level of security necessary for access in order to safeguard information.
- Evaluate identity and access management software options to improve security on the portable devices and personal computers that comprise the agency's network, and recommend solutions that provide an appropriate level of protection.
- Determine that appropriate information is available for use by staff concerning proper identification, individual accountability, and secure use of computers.
- Ensure purposeful use of existing resources to obtain necessary software/equipment to the extent funding allows.
- Determine that the appropriate technical controls for identification and authentication are applied to ensure individual accountability and protection of information and information systems.
B. The security consultant will review the client's security controls and related operations to ensure that the information systems used to support the unemployment insurance (UI) program meet US DOL confidentiality standards and guidelines. In order to achieve this, the security consultant will use appropriate methods and best practices, and take action that includes, but is not limited to, the following items:
- Review US DOL confidentiality standards to determine the client's compliance with safeguards for internal use of UI data; identify requirements imposed on the client as a recipient of information that concern standards for security, which may include: New Hires, Health and Human Services, NYS Department of Taxation and Finance, NYS Department of Motor Vehicles, and the Internal Revenue Service; and determine rules for external uses, which may include interagency exchanges, agents, contractors, or information otherwise available under FOIL.
- Assess the client's operations to determine that appropriate security and safeguard controls are sufficient in the following areas:
  - only use the disclosed information for the authorized purpose;
  - store the information in a place physically secure from access by unauthorized persons;
  - store and process information maintained in electronic format in such a way that unauthorized persons cannot access it by any means;
  - undertake precautions to ensure that only authorized personnel are given access to information stored in computer systems;
  - instruct all personnel having access as to the confidentiality requirements and the consequences of non-compliance;
  - sign an acknowledgement of having instructed such staff in the requirements and that they will adhere to confidentiality procedures;
  - dispose of information when the purpose for its use has been served;
  - maintain a system sufficient to allow an audit of compliance with these requirements.
- Recommend application of appropriate security controls or other corrective measures to ensure compliance with US DOL confidentiality requirements.
- Determine that the client's systems and interconnected systems have adequate security controls to ensure the confidentiality of information.
To apply for this job, go to http://www.GadBall.com