What are the responsibilities and job description for the Director, IT Security position at Smithsonian Institution?
Serves as the Smithsonian's Computer Security Manager and plans and directs the activities necessary to protect the integrity, confidentiality, and availability of the Institution's data, enterprise-level systems, and supporting information technology infrastructure. Plans and manages the implementation, operation, and maintenance of an enterprise-wide IT Security Program; provides computer security consulting services; develops IT security policies and provides computer security training.
Qualifications:
BASIC QUALIFICATIONS:
Applicants must demonstrate on their resume that they have IT-related experience demonstrating each of the four competencies:
1. Attention to Detail - Is thorough when performing work and conscientious about attending to detail.
2. Customer Service - Works with clients and customers (that is, any individuals who use or receive the services or products that your work unit produces, including the general public, individuals who work in the agency, other agencies, or organizations outside the Government) to assess their needs, provide information or assistance, resolve their problems, or satisfy their expectations; knows about available products and services; is committed to providing quality products and services.
3. Oral Communication - Expresses information (for example, ideas or facts) to individuals or groups effectively, taking into account the audience and nature of the information (for example, technical, sensitive, controversial); makes clear and convincing oral presentations; listens to others, attends to nonverbal cues, and responds appropriately.
4. Problem Solving - Identifies problems; determines accuracy and relevance of information; uses sound judgment to generate and evaluate alternatives, and to make recommendations.
SPECIALIZED EXPERIENCE
In addition, applicants must have one year of specialized experience at or equivalent to the GS-15 level. Specialized experience is defined as demonstrated knowledge and leadership skills in managing a comprehensive IT security program to protect the integrity, confidentiality, and availability of a large organization's data, enterprise-level systems, and supporting IT infrastructure.
1. Demonstrated experience in planning, directing, and executing a strategy for an enterprise-wide IT Security Program. This includes providing computer security consulting services, developing IT security policies, and providing computer security training to enterprise-wide staff.
2. Demonstrated experience conducting regular risk assessments to identify and evaluate potential security threats and vulnerabilities. This should include developing and implementing risk mitigation strategies, including security controls, policies, and procedures.
3. Possess interpersonal and communication skills for building relationships, trust, and credibility. This includes the ability to effectively persuade and influence stakeholders and to form successful partnerships with a wide variety of constituencies (e.g., senior leadership, auditors, industry peers, and external partners).
4. Skill in leading and managing a multi-disciplined and culturally diverse workforce, including developing teamwork and high morale; attracting, retaining, motivating, and providing guidance to staff; and implementing EEO/Affirmative Action policies and programs for a high-performing team.
Responsibilities:
Develops plans and strategies for implementing, operating, and enhancing SI’s IT Security Program. Evaluates federal IT security requirements, industry best practices, SI mission/business goals, and other factors to determine program needs. Documents and maintains IT Security Program Plan, Enterprise IT Security Architecture, Enterprise IT Security Risk Assessment, Information Security Continuous Monitoring Strategy, and other key plans to ensure that the program effectively addresses SI’s IT security needs.
Coordinates the development and implementation of IT security policies, procedures, and guidelines ensuring that security is considered throughout the system and data life cycle. Develops and maintains guidelines for implementing and maintaining IT security controls, processes, and standards.
Works with the Chief Information Officer to advise and address IT security risks. Reviews the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the Institution. Advises management and system stakeholders on IT security risks and risk mitigation strategies. Monitors and evaluates new security risks, requirements, and protection strategies, and incorporates them into the IT Security Program. Implements and manages tools to automate and report on security risk management processes.
Manages IT security operations. Provides enterprise-level technical and procedural controls to protect SI networks, devices, systems, websites, and computing infrastructure. Plans, implements, maintains, and supports enterprise security systems such as firewalls, intrusion detection, anti-malware, vulnerability scanners, and security monitoring tools. Provides Security Operations Center services for detecting, investigating, and resolving security incidents, managing security vulnerabilities, managing network access into the network, and protecting end points. Develops and implements procedures for conducting IT security operations. Reports on security incidents and activities to management and US-CERT. Coordinates with other SI stakeholders to ensure operational security measures are in place for access control, configuration management, and monitoring. Conducts incident response training and exercises. Develops and documents corrective action plans and implements lessons learned based on incidents experienced.
Coordinates the security assessment and authorization of systems. Oversees security assessments of major IT systems. Identifies and engages system sponsors to encourage adequate security protections, testing, and remediation. Guides the activities of Information System Security Officers in supporting Risk Assessments, Security Assessment Reports, Interconnect Security Agreements, Authorizations to Operate, and other agreements. Provides continuous monitoring and risk assessment for major systems. Facilitates remediation of security control deficiencies and vulnerabilities. Supports and ensures Contingency Planning activities for major systems. Maintains a system for monitoring and tracking system security assessment and authorization activities. Maintains a process for evaluating and documenting security deficiencies.
Administers the Institution's computer security training and awareness program and ensures all users annually receive training.
Supports and coordinates SI participation in Office of Inspector General (OIG) computer security related audits. Develops responses to audit findings and coordinates closure requests for OIG recommendations.
Represents SI to professional, governmental, and industry organizations in computer security. Negotiates technical working agreements with other Federal agencies, and other public and commercial organizations.
Develops project plans, operating plans, and supporting budgets; determines scope, methods, and resource requirements and schedules for IT security projects and supporting analyses; and coordinates actions required to implement new security technology.
Serves as a co-chair of the Institution’s PCI workgroup which manages PCI-related policies, assessments, and reporting for all payment card activities. Oversees management of SI’s PCI Data Security Standard (DSS) compliance program.
Prepares technical specifications, statements of work, task orders, and other acquisition-related documentation necessary for obtaining and managing contractor-supported computer security activities. Develops contract language for security requirements supporting major procurements, web, and external services.
Supervises IT security staff. Assigns projects and tasks; prepares performance plans and writes performance appraisals; approves work schedules, leave, and overtime; resolves conflicts and takes disciplinary action when required; and nominates staff for awards to reward exceptional performance.
Salary: $141,022 - $212,100