Oversee and approve the Information Security program including the employees, contractors, and vendors who safeguard the company’s information systems and data, as well as the physical security precautions for employees and visitors;
Ensure an appropriate level of protection for the information resources, whether retained in-house or under the control of outsourced contractors;
Issue the Written Information Security Program (WISP) policies and guidance that establish a framework for an Information Security Management System (ISMS);
Identify protection goals, objectives, and metrics consistent with the corporate strategic plan;
Ensure appropriate procedures are in place for Security Testing & Evaluation (ST&E) for all information systems; and monitor, evaluate, and report to company management on the status of IT security within the company;
Ensure that persons working in an Information Security role are properly trained, and supported with the appropriate resources;
Assist in compliance reviews and other reporting requirements;
Provide feedback to company management on the status of the Information Security program, and suggest improvements or areas of concern in the program or any other security-related activity;
Promote best practices in Information Security management;
Monitor and evaluate the status of the Information Security posture by performing annual compliance reviews of the WISP and system controls (including reviews of security plans, risk assessments, security testing processes, and others);
Provide security-related guidance and technical assistance to all operating units;
Develop the Computer Incident Response Program (CIRP) and act as the central point of contact for incident handling, in concert with the Computer Incident Response Team (CIRT);
Maintain liaison with external organizations on security-related issues; and
Identify resource requirements, including funds, personnel, and contractors, needed to manage the Information Security program.