Position Profile

Job Title:  Ministry Information Security Manager

Work Unit:  Information Management and Technology Services (IMTS) / Strategic Information Services

Ministry:  Alberta Culture and Tourism

Competition Number:  1041279

Date:  March 2017

Position Summary

Reporting to the Director, Strategic Information Services, the Ministry Information Security Officer (MISO) is the primary source of expertise for information security within Alberta Culture and Tourism. This position establishes, monitors, and provides oversight to the ministry's information security program to ensure appropriate protection of business information and related assets across all department program and business areas and associated agencies, boards, and commissions. The MISO is relied on to manage the development, implementation, and monitoring of information security strategies, policies, and practices that are consistent with GoA corporate security policies and standards, applicable legislative and regulatory requirements, and industry best practices.

This position facilitates the informed decision-making of senior ministry representatives relating to information security through provision of specialized expertise, solutions, and recommendations. The MISO develops security reviews, business analyses, business cases, briefing notes, and project proposals along with initiating and managing associated information security projects and initiatives. This position consults extensively with the ministry's leadership and management teams, business clients, internal and external technical resources, security partners including the Corporate Information Security Office (CISO), and other stakeholders to provide advice and direction relating to information security.

The MISO applies in-depth information security expertise to identify requirements and opportunities for improvement that address business needs and ensure appropriate information security policies and standards exist within the ministry. This position focuses on information security and managing related initiatives (including security testing and audits), clearly and concisely describing complex information security issues, and proposing evidence-based options and recommendations to clients and stakeholders. In addition, the MISO is the ministry liaison with the CISO and represents the ministry on cross-government security committees and initiatives. This position also establishes professional relationships with diverse groups to source and integrate information for the ministry information security program, including other MISOs, the local security community, and security communities and standards bodies from across Canada and North America.

Specific Accountabilities

  1. The ministry information security program, including associated policies, standards and processes, is established, implemented, managed, and continually enhanced.

Activities:

  • Develops an information security strategy and program that supports ministry business plans and goals while aligning with GoA corporate strategies, legislative and regulatory requirements, and industry best practices.
  • Develops and leads implementation of information security policies, standards, processes, and procedures (ensuring compliance with GoA security directives, legislation, and industry best practices) to prevent unauthorized access to and ensure integrity and availability of ministry information and related assets.
  • Analyzes ministry business needs in terms of information security and identifies gaps and opportunities for efficiencies and effectiveness; develops plans and presentations to inform decisions of senior representatives.
  • Defines and operates information security governance mechanisms to ensure ongoing and consistent stakeholder engagement, representation, and participation.
  • Develops, maintains, delivers, and monitors awareness program for ministry staff and stakeholders to promote compliance with information security strategy, policies, and procedures; ensures roles and responsibilities are defined and clarified in relation to information security and associated controls to mitigate risks.
  • Develops, maintains, and executes communication strategy and plan for the ministry information security program and policies to facilitate adherence to information security procedures across the ministry.
  • Develops strategies to manage and reduce identified information security risks within acceptable business levels; provides associated recommendations and solutions to senior management and stakeholders.
  • Defines and communicates metrics and performance measures to ensure ministry information security objectives are being achieved and reported.
  • Ensures that information security issues and concerns are sufficiently addressed in IMT disaster recovery and business resumption plans.

  2. The ministry information security architecture and operations are provided with leadership and direction to ensure appropriate protection of business information and related assets against threats and vulnerabilities.

Activities:

  • Manages design, implementation, and ongoing enhancement of the ministry information security architecture and operations and ensures compliance with associated policy and standards through development and monitoring of baseline technical controls and delivery of education and awareness resources to ministry staff.
  • Develops recommendations and business cases for senior management relating to information security architecture and operations, including developing project charters, securing funding, procuring assets and services, implementing and managing solutions, and maintaining operating budgets.
  • Provides direction, advice, information and recommendations to ministry staff, internal IT teams and vendors on security-related matters to ensure confidentiality, integrity, and availability and maintenance of sensitive data.
  • Identifies, analyzes, and evaluates risks to ministry business information and information technology systems and assets; manages vulnerability and threat risk assessments and audits by leading internal and external resources, including vendors and contractors, in assessing threats and evaluating effectiveness of controls.
  • Manages provision of support to IT projects to mitigate security risks related to access control and infrastructure and ensures change requests within the technical environment are reviewed to assure security is not impacted.
  • Collaborates with the CISO to develop, implement, and monitor the information security incident response function to address unexpected and disruptive security events within the ministry, including developing strategies and procedures to respond to incidents, control and limit damage, recover and restore normal operations, and reduce incidence of similar events happening in future.
  • Works with internal operations teams and ministry users to investigate security breaches, communicating and following up with appropriate individuals or agencies to report and investigate security incidents.
  • Collaborates with external agencies (e.g. law enforcement, Office of the Information and Privacy Commissioner) to further investigate or provide evidence of illegal activities.
  • Assists Human Resources and/or senior management with investigations of misuse of ministry and/or GoA assets.
  • Evaluates information security tools and technologies to determine application to ministry requirements.
  • Reviews current security controls to provide direction for improvement based on security directives, legislation, and/or established and emerging industry best practices.
  • Participates in and serves as key contact for information system and security audits, including leading the annual General Computing Controls Audit with the Office of the Auditor General (OAG).

  3. The ministry is appropriately represented on cross-ministry, GoA, and external committees, collaboration efforts, working groups, and other initiatives pertaining to information security issues and initiatives.

Activities:

  • Liaises with the CISO on information security matters of a GoA-wide nature and represents the ministry and serves as a technical resource on information security committees and working groups established by the CISO.
  • Participates in cross-ministry and GoA information technology initiatives, including providing information security expertise and advice (e.g. assisting in the development of RFPs, contractor selection, etc.).
  • Establishes and manages communication channels and shares information with ministry agencies, boards, and commissions relating to information security program and issues.

  4. Information Security unit operations are planned and managed to deliver established outcomes.

Activities:

  • Manages staff (e.g. supervising and coaching; overseeing training and development; managing workload and performance; developing plans to meet human resource needs).
  • Participates in the IMTS management team and supports the IMTS leadership team by providing input to the development, implementation, and evaluation of plans, determination of priorities, and coordination of operations.
  • Develops and manages contracts for procurement of information security-related goods and services, including developing and evaluating RFPs, selecting vendors, establishing contracts and ensuring key service levels and deliverables are met and deficiencies addressed.
  • Manages information security projects and initiatives involving staff members, contracted resources, and business area representatives, ensuring adherence to established project management principles and guidelines.
  • Responds to action requests and other inquiries and provides senior management with decision support by preparing correspondence, briefing notes, background documents and recommendations.
  • Remains current on legislation, policies, research, directions, trends and issues applicable to information security and the IMTS mandate.

Knowledge / Experience

The MISO requires in-depth knowledge of:

  • Security architecture relating to information risk and security management and controls, including ability to manage and maintain diverse technology platforms and systems related to information security control and monitoring.
  • Information security principles and practices, including those pertaining to controls, risk assessment and analysis, incident response, and threat and vulnerability analysis.
  • Current and emerging technologies, trends, and practices relating to information security.
  • Current and emerging threats, security risks, and vulnerabilities to identify and implement cost-effective prevention and mitigation solutions.
  • Information security incidents and resultant business impacts and how to plan, establish, and manage capabilities to detect, investigate, respond to, and recover from those impacts.
  • The client and stakeholder community affected by the information security program, including relevant organizations, committees, advisory groups, and representatives.
  • Firewall, access control, encryption, and other security tools and controls.
  • Federal and provincial legislation relating to information security, privacy, evidence, and electronic transactions.
  • The ministry information technology and application architecture.

Along with comprehensive knowledge of:

  • GoA information security and technology directives and guidelines, audit requirements established internally and through the OAG, and industry recognized information security standards, frameworks, and best practices.
  • GoA strategic and policy directions relating to information security.
  • Ministry business plans, goals, objectives, strategies, priorities, and business needs related to information security.
  • Business analysis and business case development principles, methodologies, and processes.
  • Project planning and management principles, methodologies, and processes.
  • The political environment within which the ministry operates and government decision-making processes.
  • Other applicable legislation, regulations, policies, guidelines, and directives.
  • Various aspects of operating systems, common business applications and services, networking and network protocols, and general understanding of concepts related to databases and application development.

University graduation in Computer Science or related field or equivalent education and experience. Specific experience / training in information security is also required as is extensive experience as an information security professional and additional experience specific to information security management.

A professional security certification such as Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Global Information Assurance Certification (GIAC), or an equivalent is required.

Leadership and Business Know-How

The MISO requires well developed and demonstrated:

  • Self-awareness, self-management, social awareness, and relationship management skills to work with considerable uncertainty and ambiguity.
  • Strategic thinking skills to work within a broadly defined conceptual framework and manage multiple complex issues, activities, and functions while delivering results.
  • Critical thinking skills to analyze complex situations, determine associated security risks and benefits, and provide range of recommendations that meet security and business requirements.
  • Leadership, influencing, and change management skills to promote innovation, build consensus, adapt to changing requirements, and motivate others to accept and adopt innovative concepts.
  • Professional judgement and problem solving skills to conduct risk management, risk assessments, options analysis, and investigations and manage emergency situations.
  • Facilitation skills to present complex problems in appropriate business language and chair meetings.
  • Negotiation and conflict resolution skills, including ability to deal effectively with others while facing complex situations and managing competing demands.
  • Relationship management skills and a client-focused orientation.
  • Written and verbal communication and presentation skills.
  • Organizational and time management skills, including ability to prioritize activities, respond to time sensitive issues, and handle emergency situations.
  • Project management skills, including ability to lead project teams of internal and external resources.
  • Ability to operate effectively within a complex organization and continually changing business environment.
  • Human resource management skills, including commitment to staff development, mentoring, and building capacity.
  • Financial and contract management skills.
  • Vendor management skills including ability to write and publish statements of work, evaluate vendor proposals, establish contracts, and monitor vendor performance.
  • Results orientation and a commitment to continuous improvement and innovation.

Problem Solving

This position is challenged with establishing, managing, and continually enhancing an information security program for Alberta Culture and Tourism and its associated agencies, boards, and commissions. Threats, vulnerabilities, and risks to ministry business information and related assets are constantly evolving and the MISO is relied on to identify and respond to information security issues in a systematic and timely manner while limiting additional risk to business goals. Furthermore, this position must ensure the ministry information security program and associated policies, standards, and operations align with GoA directions, legislative and regulatory requirements, and industry best practices.

The MISO develops effective relationships with business areas and stakeholders to address the challenges of identifying and communicating information security issues, analyzing and developing mitigation measures, implementing solutions to maintain safe business operations, and reducing risk to acceptable levels. This position has considerable independence to plan and manage the implementation of the information security framework, policies, standards, processes, and controls needed to protect information regardless of the form the information takes, the information handling technology employed, or the people involved (e.g. employees, contractors, consultants, outsourcing firms, etc.).

Issues relating to information security management are highly complex and strategically sensitive. This position must be able to identify, understand, and communicate risks to the Ministry's business information and related assets and develop and adapt information security management program components, mechanisms, and processes to reduce, transfer, avoid, or accept risks as appropriate. Among the most challenging situations faced by this position are those which occur when a critical system and/or network or segments of a network are disabled due to a security breach. The MISO is expected to perform initial triage within the ministry, quickly and decisively determine innovative solutions to the problem, and work with internal and external resources (e.g. software vendors, CISO, CanCERT) to respond appropriately.

Challenges faced require well developed and demonstrated analytical, reasoning, evaluation, judgment, problem solving, and people skills. Significant interpretative and critical thinking is required, along with the ability to facilitate decision-making processes involving diverse clients and stakeholders to understand complex business and technology relationships. Solutions developed by the MISO typically must not only address the particular problem but also be implemented with limited resources including minimal budgets and short time frames.

Relationships / Contacts

Clients, frequency of contact, and nature and purpose of contact:

Internal

  • Information Security Team Members (Regular / ongoing): Provide supervision, management and guidance; monitor performance; resolve complex issues; facilitate collaboration.
  • CIO / Exec. Director and other members of IMTS leadership team (Regular / ongoing): Provide updates, advice and recommendations; receive guidance, direction, and approval for initiatives and budgets; identify opportunities and solutions; ensure information security program meets business requirements.
  • IMTS Management Team (Regular / ongoing): Collaborate on major initiatives; assist in problem solving and planning; exchange information; provide technical advice.
  • Representatives of program areas, all levels of staff (Regular / as required): Define security gaps and requirements; resolve security problems; provide training and awareness of security initiatives, policies and standards.
  • Executive Team (As required): Provide strategic and business advice, research, and analysis related to information security to support business decisions and planning; respond to specific issues and concerns.

External

  • Department agencies, boards and commissions (Regular / ongoing): Establish relationships, share information, and resolve issues regarding the information security program.
  • Corporate Information Security Office (CISO) (Regular / ongoing): Exchange information; implement security policy; integrate corporate direction, business practices, and requirements of the GoA Information Security framework into the ministry information security program; ensure that issues and recommendations are understood at a corporate level.
  • Colleagues in other ministries (MISOs) and cross-government committees (Ongoing / as required): Exchange knowledge and information; collaborate on project development and implementation; develop consistent cross-government practices; provide expert advice.
  • Vendors and Contractors (Ongoing / as required): Engage vendors and contractors to obtain product information, troubleshoot technical problems, and provide services for security initiatives.
  • Consultants, academics, professional security organizations, security personnel, policing agencies, etc. (Ongoing / as required): Exchange information; collaborate on resolution of issues and problems; obtain resources to meet requirements; seek out information and expertise; remain current on industry best practices.

Impact and Magnitude of Job (Scope)

Long-term direction and key priorities for IMTS are determined by senior officials of the ministries and government, with relevant legislation, regulations, policies and frameworks providing broad parameters for operations. The work carried out is complex and affected significantly by political decisions and priorities established in strategic business plans, as well as being impacted by the priorities and expectations of other ministries and external clients and stakeholders.

The MISO plans, establishes, and executes an information security program to ensure that information assets of the ministry are adequately protected. The information security program involves and affects all department business and program areas and staff members located throughout the province. In addition, the department's agencies, boards, and commissions are key stakeholders involved and affected by the information security program and leadership of the MISO.

Included in the MISO's key accountabilities are establishing and operating a framework to identify, measure, and capture information risk decisions for ministry information assets and provide recommended risk treatment options. This position also establishes security controls to be used in the treatment of information risks; maintains a mapping of information asset risks to controls selected for their treatment; establishes and maintains guidelines and standards to ensure effective design and operation of controls used to treat information risks; and establishes a process to measure the effectiveness of controls used to treat information risks across all ministry information assets. Other key aspects of the position include establishing and implementing processes to identify and respond to security incidents and continually enhancing the information security program based on feedback from internal and external reviews and audits.

The MISO directly affects the ministry's ability to ensure the confidentiality, availability, and integrity of its information assets. Breaches of ministry systems or the loss of computing assets significantly impact the ministry's ability to perform its business functions. In addition, security breaches have the potential to affect the ministry's reputation and could result in lawsuits.

This position ensures executive managers and senior officials have evidence-based information to determine acceptable levels of risk and approve information security program design elements. The MISO is responsible for keeping the Chief Information Officer, Deputy Minister, and other senior representatives apprised of their accountabilities, major security concerns and appropriate responses. Decisions made by the MISO impact the entire ministry and its stakeholders, with failure of information security program policies, operations, and controls having the potential to compromise information security, privacy, systems availability, and ministry and government reputations.
