THECB - Information Security Officer

Job Description THECB - Information Security Officer ( 00020235 ) **Organization**

: TEXAS HIGHER EDUCATION COORDINATING BOARD **Primary Location**

: Texas-Austin **Work Locations**

: TX Hghr Edu Coordinating Board 1200 East Anderson Ln Austin 78752 * Develops, implements and monitors a strategic, comprehensive enterprise information security and IT risk management program to ensure that the integrity, confidentiality and availability of information is owned, controlled or processed.

* Advises management and users regarding security policies, procedures and best practices.

* Acts as subject matter expert (SME) on cloud security issues; Designs, develops, reviews and builds security architectures for public, private, and hybrid Cloud based systems within Microsoft Azure, or other cloud providers.

* Reviews guidelines, procedures, rules, regulations and monitors compliance to ensure agency remains in compliance with Texas Administrative Code Section 202.

* Provides strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls, conducts risk pre-screening reviews and security sign-offs as appropriate of all application development projects.

* Participates in Data Center Services (DCS) activities related to security assessment of data centers including Disaster Recovery (DR).

* Oversees and completes Department of Information Resources (DIR) reviews and reports pertaining to information security.

* Proactively works with Information Solutions and Services (ISS) staff and business units to develop security policies and implement practices that meets defined standards for information security. Develops and implements information and cybersecurity policies, standards, guidelines, and procedures to ensure information security capabilities cover current threat capabilities.

* Develops, prepares, and manages THECB information security awareness and role-based user training programs.

* Develops security architecture and policies based on business needs, risk assessments, and regulatory requirements; and conducting information security risk analysis and system audits. Reviews and responds to special investigations, internal and external audits, and related reviews pertaining to information security issues and provide direction and guidance and take ownership of required implementation.

* Conducts an annual agency Risk Assessment as required by TAC 202 as well as other mandated security reviews.

* Coordinates the use of external resources involved in the information security program, including, but not limited to, determining needs, recommending, and assisting with negotiating contracts and fees, and managing external resources.

* Identifies, evaluates and reports on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the agency.

* Manages responses to security incidents and events to prevent unauthorized modification, destruction, or disclosure of information.

* Leads the THECB Security Incident Response team, runs regular meetings, conducts training and exercises. Investigates security incidents. Reports incidents to DIR on a monthly basis.

* Performs internal scan/penetration analysis and testing; and researches and evaluates emerging security related technologies.

* Plans, assigns, and supervises staff; and provides training and evaluations.

* Maintains effective working relationships with all agency staff and representatives of other agencies and stakeholder organizations.

* Represents ISS at meetings, conferences, seminars, or on panels and committees.

* Applies appropriate Family Educational Rights and Privacy Act (FERPA) standards at all times.

* Perform other duties as assigned.

* Knowledge of local, state, and federal laws and regulations relevant to information security, privacy, and computer crime.

* Knowledge of network security threats and ability to implement preventative controls including: firewalls, access controls, authentication systems, intrusion detection systems, VPNs, and cryptography.

* Knowledge of secure application programming guidelines; system development life cycles and limitations and capabilities of information systems.

* Knowledge of cloud security concepts, technologies, and best practices, including but not limited to, automation frameworks, securing containers and container orchestration frameworks, Active Directory, LDAP, Federated SSO, One-Time Password (OTP) technology, SSL, encryption, IDS/IPS, SIEM, malware detection, forensics in a cloud environment, network and web app firewalls.

* Knowledge of principles, practices, and techniques of management controls and information resources management.

* Knowledge of network operating systems and client server hardware and software and have demonstrated the ability to implement and maintain them in a production environment.

* Knowledge of operational support of networks, operating systems, Internet technologies, databases, and security applications.

* Skills in the use of vulnerability assessment and penetration testing tools with in-depth knowledge of network components such as bridges, routers, concentrators, cabling systems and Ethernet in switched environments.

* Skill in identifying, analyzing and mitigating security related issues.

* Skill in configuring, deploying, and monitoring security infrastructure.

* Ability to perform software installation, configuration, and maintenance of servers, routers, switches, firewalls and other network security devices complete project assignments within allocated time frame, demonstrating patience and meticulousness in the implementation of information security solutions.

* Ability to develop and interpret standards, policies, and procedures and analyze systems and procedures, write and review standards and procedures, handle multiple projects.

* Ability to communicate effectively in a variety of forms.

* Ability to establish and maintain effective working relationship with others.

* Ability to work well under pressure and maintain flexibility.

* Ability to plan, assign, and supervise the work of others.

* Ability to identify problems, evaluate alternatives, and implement effective solutions.

* Ability to resolve advanced security issues in diverse and decentralized environments.

* Ability to proactively direct and organize program activities.

Seven years of relevant full-time progressively responsible work experience; with at least:

+ 3+ years supervisory, management, or lead experience.

+ Must possess Certified Information Systems Security Professional (CISSP)

+ Must possess or in the process of obtaining the Certified Cloud Security Professional (CCSP) certification.

+ 3+ years of hands-on experience with Cloud platforms (Azure, AWS, etc.) required.

+ 3+ years of hands-on experience implementing and managing cloud security tools required.

+ 3+ years of experience with implementing and enforcing policies, procedures, and guidelines in a complex environment. * Six months of additional full-time work experience in information technology security, computer information systems, computer science, management information systems, or related field may substitute for 15 semester hours of required education, up to four years.

* Masters degree from an accredited college or university in information technology security, computer information systems, computer science, management information systems, or related field may substitute for two years of required work experience.

* Masters degree or higher from an accredited college or university with course work in computer science, management information systems, or equivalent.

* Cert