Job Descriptions
Use this tool to access job descriptions for your next hire. Search by skills or job titles and download the job description to help you get started. Tip: You can use this tool to help ensure your own resume is up-to-date with the latest job requirements.
Information System Security Officer (ISSO)
Skills
Job Description
Other Titles Include:
- Chief Security Officer
- Departmental Security Officer
- Information Security Director
Note: depending on the size of the organization and the reliance on information technology, this occupational role may be subsumed within the responsibilities of the Chief Information Officer, Chief Technology Officer, Chief Resiliency Officer or similar role
Reporting relationship
This role may report indirectly or directly to the CISO or another authority (e.g. Corporate Security Officer or Chief Information Officer or their delegate).
Job purpose / summary
This is an adhoc management role within cybersecurity that is primarily engaged in oversight and reporting of information system security within a department, branch, or organization. This role is primarily responsible for local planning and management of the security of system(s) over which they have been given authority.
This is commonly a part-time role assigned or assumed by an individual with some technical experience but is not normally a ‘cybersecurity professional’. In small and medium organizations this role may also be an IT manager or senior manager with some technical or security experience.
Duties and responsibilities
- Collaborate with key stakeholders to establish an effective cybersecurity risk management program.
- Ensure compliance with the changing laws and applicable regulations
- Develop and implement strategic plans that are aligned to the organizational objectives and security requirements
- Direct and approve the design of cybersecurity systems over which they have responsibility
- Identify, acquire and oversee management of financial, technical and personnel resources required to support cybersecurity objectives
- Advise senior management on cybersecurity programs, policies, processes, systems, and elements
- Review, approve, oversee monitoring of cybersecurity policies and controls over which they have responsibility
- Ensure incident response, disaster recovery and business continuity plans are in place and tested
- Draft terms of reference, oversee and review cybersecurity investigations
- Maintain a current understanding the IT threat landscape for the business context;
- Schedule and oversee security assessments and audits over which they have responsibility
- Oversee and manage vendor relations related to acquired IT security products and services
- Ensure security requirements are identified for all IT systems throughout their life cycle.
- Provide training and mentoring to security team members
- Supervise or manage protective or corrective measures when a cybersecurity incident or vulnerability is discovered.
Underpinning this occupation are those competencies demonstrated for an executive level which include those identified within the US NICE Cybersecurity Workforce Framework.
Competencies
Basic application of the following KSAs:
- Integrated/organizational security concepts, principles and practice (software, system, data, physical and personnel)
- Preventative technical, operational and management controls available and organizational responsibilities for those controls
- Sector/context relevant threats, business needs and technical infrastructure
- Required to support project management and security requirements throughout the project life-cycle
Advanced application of the following KSAs:
- Organizational threats and vulnerabilities including:
- Cybersecurity threat landscape
- Vulnerability management requirements and the range of potential mitigations available when a vulnerability management protocol does not exist
- Organizational security infrastructure including protective and defensive systems
- Cybersecurity team management
- Developing, implementing and allocating resources, personnel and technology to address organizational security objectives.
- Identifying requirements for and developing cybersecurity and cybersecurity risk management policies and procedures.
- Supplier management (if IT or security services are outsourced)
- Organizational communications, public communications and communicating during a crisis.
- Cybersecurity program management, measures and monitoring
Tools and Technology
- Strategic and business plans
- Threat and risk assessments
- Vulnerability management processes and vulnerability assessments
- Incident management processes and procedures
- Security event and incident management systems and/or incident reporting systems and networks,
- Cybersecurity risk management processes & policies
- Privacy and security legislation
- Organizational security infrastructure and reporting systems
Direct reports (if appropriate)
To be completed by the user of this job description as appropriate
Qualifications
Education. Post-secondary education in a cyber or IT related field (e.g.; Computer engineering, Computer Science, Information Technology, Business Technology Management – Digital Security or equivalent training and experience)
Additional Training as required to support the role for example cybersecurity team management, incident management and cybersecurity planning would be an asset.
Certifications.
To be completed by the user of this job description as appropriate
Other relevant qualifications.
To be completed by the user of this job description as appropriate
Key Attributes.
To be completed by the user of this job description as appropriate
Experience. 3-5 years’ experience in IT domain with some management experience.
Working conditions (if required)
If the job requires a person to work in special working conditions this should be stated in the job description. Special working conditions cover a range of circumstances from regular evening and weekend work, shift work, working outdoors, working with challenging clients, and so forth.
Physical requirements (if appropriate)
If the job is physically demanding, this should be stated in the job description. A physically demanding job is one where the incumbent is required to stand for extended periods of time, lift heavy objects on a regular basis, do repetitive tasks with few breaks, and so forth.