Information Security Officer I

in Cumberland County, ME

Job Description

INFORMATION SECURITY OFFICER I – Information Technology Department – Deadline Extended -

Ideal Candidate - The ideal candidate will have proven knowledge of the technical requirements of HIPAA and/or other sophisticated regulatory frameworks.  They will have hands-on IT experience, ideally with information security tools and IT access and authentication systems (Active Directory, as an example).  They will have a strong sense of responsibility and commitment to the work and the City as suitable to public service.  Given the natural tension between quality of security and convenience for users, they will have strong interpersonal and persuasive skills as well as the ability to prioritize and adapt (strategic and tactical).  Highly organized and persistent, they need to be self-motivated and customer-centric.  They will have relevant professional experience of 3+ years and be a curious and dedicated student of evolving information security practices as well as the inner workings of a municipal government.

Nature of Work - This position is responsible for fulfilling the role of Information Security Officer and will be tasked with ensuring that the City has implemented and maintained necessary administrative safeguards to protect the confidentiality, integrity, and availability of information assets as required by HIPAA and other applicable laws. 

Supervision Received - In its capacity of Information Security Officer, this position is supervised by the Director of Information Technology. 

Essential Duties and Responsibilities: Information Security Officer - Serve as the City’s designated HIPAA Security Officer for each of the City’s Covered Entities.  In that role, the ISO will help to ensure that the City, its participating Departments, and each of the City’s Covered Entities are in compliance with the requirements of the HIPAA Security Standards for the protection of Recipients of Services’ ePHI set forth at 45 C.F.R. Part 164, Subpart C, and (ii) 22 M.R.S.A. §1711-C(7) as outlined in and required by HIPAA Security Policies adopted by each of the City’s Covered Entities.  Specifically, the HIPAA Security Officer will fulfill the requirements assigned to the HIPAA Security Officer outlined in the City’s HIPAA Security Policies.  Perform annual gap analyses of the City’s information security practices as benchmarked to NIST, HIPAA and/or other applicable guidelines as agreed with customers in various departments.  Recommend any needed changes with a weighted/prioritized plan.  Update/maintain governing documents, including the Information Security Policies, Standard Operating Procedures and diagrams related to all Information Security procedures.  Improve City Staff information security awareness through policy development, training and relationship-building.  Proactively monitor for and escalate customer and team training opportunities, recommending changes or additions to IT Admin Standard Operating Procedures or User Self-Help Procedures.  Conduct routine assessment work and report-outs and act as the driving member/organizing force of the Risk Management Team.  Maintain the RMT risk log and oversee the work of the Security Incident Triage function.  Manage/support work of SIEM and other cybersecurity vendors, escalating risks to the RMT and urgent issues to the Incident Response Team.  Assist HIPAA Privacy Officers in the review of all reports of security incidents as outlined in the City’s HIPAA Security Policies.
Review IT’s expenditures in operating expense and capital to ensure current spending achieves the most valuable results and propose any reallocation to address high importance investments as recommended by gap analyses.  Interacts with customers, colleagues and vendors to understand and correctly execute on work.  Manages relationships with some key vendors, ensuring compliance with COP IT policies.  Maintains documentation and diagrams in IT’s information stores to keep asset inventories, configurations, and credentials safe and accessible.  Conducts work assigned in escalated break-fix or service request activities and records these in the COP IT Service Management System.  Proactively monitors for and escalates repeated ticket topics (symptoms of problems) for problem management.  Proactively monitors for and escalates customer and team training opportunities, recommending changes or additions to IT Admin Standard Operating Procedures or User Self-Help Procedures.  Works with supervisor to identify and develop technical and professional skills valuable to the department’s and City’s objectives.  Uses provided resources and guidelines for independent learning.  Promotes a culture of caution and persistence as a key factor in the IT Dept Information Security Program.  Assists with risk management activities as assigned by IT leadership.  Stays current on basic employee responsibilities such as timekeeping, mandatory training, competence using the city’s technology tools, etc.  

Requirements of Work - Proven experience in information security, IT auditing or IT with related duties.  Bachelor’s degree in Computer Science, Information Technology or related field.  Commensurate experience may be considered.  Qualitative measurement, reporting and alerting, leveraging diagnostic, monitoring and analysis tools, using formal diagrams and other documentation as suitable.  Knowledge of access control models and network security principles preferred.  Ability to self-motivate and work independently.  A collaborative work style is fundamental to secure buy-in for change.  Expected to take and work on trouble tickets in off hours on the rare occasion of an event or work that needs to be conducted off hours; there are infrequent requirements for 24x7 availability and off hours work (less than once per month).  This position will work onsite from City Hall, 389 Congress St., Portland, ME unless otherwise required.  37.5 hours per week with some flexibility around the start of day. 

Necessary Special Requirements - Offers of employment are contingent upon the completion of a satisfactory criminal background check.  Must have additional background checks to gain access to CJIS and TSA controlled work spaces, if these are deemed necessary.  

Non-Union position – Grade C44 – Salary range:  $73,097 to $92,608/year. 

Deadline for applications for this position is Friday, February 10, 2023



Job Posting: 882712

Posted On: Jan 28, 2023

Updated On: Feb 10, 2023
