Job ID: NC-594753 (912590531)
PCI/DSS PM with payment card industry/data security standards, security and audit/compliance experience
Location: Raleigh NC (City of Raleigh)
Duration: 6 months
Skill | Required / Desired | Amount of Experience
Ability to lead the PCI Program including attestations, remediations, and overall project plan. | Required | 3 Years
Demonstrated knowledge and understanding of relevant legal and regulatory requirements around Payment Card Industry/Data Security Standard (PCI DSS) | Required | 5 Years
Analyzes and recommends security controls and procedures in acquisition, development, and change management lifecycle of information systems. | Required | 5 Years
Lead both internal and external audits to ensure compliance with all industry-mandated regulations. | Required | 3 Years
Assist Legal and Technology organizations with all required compliance/security-related documentation. | Required | 5 Years
Refine and revise existing policies and procedures to support internal and external compliance programs. | Required | 5 Years
Enterprise IT PCI Program Manager
The City of Raleigh is seeking a transformational, technology-savvy Enterprise IT PCI Program Manager with a track record of providing operational and tactical direction within PCI, PII, PHI, etc. This position reports directly to the Chief Information Security Officer and interfaces with City department leadership and other IT division leaders.
The IT Department plays a major role in the City’s recognition for innovation. For example, the department has recently won awards such as the Next Century Cities Charles Benton Next Generation Engagement Award for proposing innovative programs that will use high-speed broadband to improve civic engagement and democratic participation.
In addition, we work with partners in academia and other local governments on forward-thinking initiatives to improve the quality of life, realize a digital future, and foster economic development in Raleigh.
Raleigh is frequently recognized in the national media for a variety of measures of the health of our community. Some of those accolades include:
• Second place in Forbes’ 2017 Best Places for Business and Careers
• Second most educated city in the U.S. (WalletHub, 2017)
• Sixth best state capital in which to live (WalletHub, 2018)
The City employs over 4,100 staff to support its 450,000+ residents and is consistently ranked as one of the top locations in the nation to live, work and learn.
This position provides centralized coordination, administration and support for the many elements of a distributed security infrastructure operated by the City of Raleigh. This position will use and apply the knowledge of various technologies to help the City meet its business requirements in a secure manner while managing risk. The candidate also serves as the subject matter expert for the GRC areas, including PCI and SOC 2 audits and the NIST and ISO 27001 frameworks. The candidate must be a team-oriented self-motivator with excellent interpersonal skills and the ability to discuss complex security requirements in simple non-technical terms. The Enterprise IT PCI Program Manager must be able to demonstrate a high degree of proficiency in risk management related to information security concepts.
The position reports to the Chief Information Security Officer and works closely with teams in other information security disciplines, business capability owners, application development, technology support and operations to provide guidance on the compliance and protection of the City of Raleigh information assets. Participate in the planning, design, installation, and maintenance of security systems in support of security policies. Work with Information Technology staff and business units to assess risk and address security issues.
Essential Duties and Responsibilities (Not intended to be all inclusive)
• Leads the PCI Program for City of Raleigh including attestations, remediations, and overall project plan.
• Architects, designs, implements, maintains and operates information system security controls and countermeasures.
• Analyzes and recommends security controls and procedures in acquisition, development, and change management lifecycle of information systems.
• Analyzes and recommends security controls and procedures in business processes related to use of information systems and assets.
• Monitors information systems for security incidents and vulnerabilities; develops monitoring and visibility capabilities; reports on incidents, vulnerabilities, and trends.
• Responds to information system security incidents, including investigation of, countermeasures to, and recovery from computer-based attacks, unauthorized access, and policy breaches; interacts and coordinates with third-party incident responders, including law enforcement.
• Administers authentication and access controls, including provisioning, changes, and deprovisioning of security/access roles and access permissions to information assets.
• Analyzes trends, news and changes in threat and compliance environment with respect to organizational risk; advises organization management and develops and executes plans for compliance and mitigation of risk; performs risk and compliance self-assessments, and engages and coordinates third-party risk and compliance assessments.
• Lead both internal and external audits to ensure compliance with all industry-mandated regulations.
• Manage compliance initiatives to ensure operational effectiveness with applicable laws and regulations, as well as internal policies and procedures.
• Assist Legal and Technology organizations with all required compliance/security-related documentation. Ensure documentation is standardized, updated and organized.
• Participate in the development and implementation of new business initiatives involving compliance to ensure functionality required to support required compliance.
• Provide guidance to business functions on compliance/security-related matters.
• Coordinate audit-related tasks to ensure the readiness of managers and their teams for audit testing and facilitate the timely resolution of any audit findings.
• Initiate improvement activity to reduce risk, ensure compliance, lower cost, and improve quality within IT processes.
• Conduct/support periodic risk assessments and develop appropriate mitigation plans in support of deliverables.
• Refine and revise existing policies and procedures to support internal and external compliance programs. Author new policies and procedures and ensure adequate training for adherence by employees.
• Evaluate effectiveness of the internal security control framework and recommend adjustments as business needs change.
• Deliver findings, recommendations and remediation steps for all activities, in a clear, concise and audience-specific format.
• Perform periodic security risk assessments and advise business stakeholders on best practices to reduce risk and overall breach profile.
• Demonstrated knowledge and understanding of relevant legal and regulatory requirements, including Payment Card Industry/Data Security Standard (PCI DSS), Money Transmitter regulations, the Health Insurance Portability and Accountability Act (HIPAA), and IT and Data Security.
• Bachelor’s degree in information technology or directly related field, and ten years of professional experience related to assignment.
• An equivalent combination of education and experience sufficient to successfully perform the essential duties of the job such as those listed above, unless otherwise subject to any other requirements set forth in law or regulation.
Certifications, Licenses, Registrations
• Project Management Professional (PMP) certification.
• Internal Assessor Certification as issued by PCI.
• CISSP certification is preferred but not required.
• Detailed knowledge of the PCI and SOX standards and compliance requirements.