The City of Boston has a distributed technology system, where the Department of Innovation and Technology plays a central role in enabling governance across multiple departments and agencies. The Director of Risk, Compliance, and Auditing will lead the development of city-wide risk management, compliance, and auditing capabilities as a key member of the Cybersecurity team at the Department of Innovation and Technology. As a leader within the Cybersecurity Team, the Director of Risk, Compliance, & Auditing plays a central role in actively promoting a culture of exceptional cybersecurity practices throughout the City of Boston. This role will report directly to the Chief Information Security Officer (CISO) and collaborate closely with the CIO, Director of Cybersecurity Operations, Direction of Identity & Access Management, Director of Governance and Policy, and the technology leadership and other City departments, including legal and policy staff members.

The Director of Risk, Compliance & Auditing will take a proactive approach in continually assessing the security of the City of Boston’s information systems and technology infrastructure throughout their lifecycle, providing recommendations for enhancing security and adapting to new threats and vulnerabilities.

As part of our team, your main responsibilities will be:

• Manage the risk, compliance & auditing team (e.g. risk, compliance & auditing analysts) and set long-term strategy, project priorities, and structure for their day-to-day operations.
• Assist the CISO in the ongoing maturity of the enterprise cybersecurity program. Ensure relevant policies and SOPs are written, approved, published, and kept up to date.
• Chair necessary committees and meetings to include all required stakeholders who should be notified and/or involved with policy-making decisions.

Serve as Functional Lead for the following:

a) Enterprise Risk Management:

• Implement enterprise risk management tools to analyze, report & manage enterprise risks in order to safeguard the City's digital assets, both in DoIT and in other Departments and Agencies connected to City systems, or that are affiliated with the City.
• Conduct thorough risk assessments to identify and evaluate potential cybersecurity threats and vulnerabilities.
• Establish and maintain a risk register, regularly updating key stakeholders on risk profiles and mitigation progress.
• Build and manage a robust third-party vendor/supplier risk program to quantify and recommend compensating controls or risk mitigation techniques to reduce inherent risk within business operations, and work with the relevant teams in technology Governance and Procurement to put these programs into practice.

b) Compliance Oversight:

• Ensure adherence to federal, state, and local laws, regulations, and industry cybersecurity standards (e.g. NIST Cybersecurity Framework, PCI-DSS, CJIS, FERPA, HIPAA, etc.).
• Conduct regular compliance assessments to identify gaps and implement corrective measures.
• Provide oversight for the City's vulnerability management program and work with stakeholders to remediate identified vulnerabilities/reduce overall risk to the City's information and technology resources.
• Keep abreast of changes in compliance requirements and update policies and procedures accordingly.

c) Internal & External Auditing:

• Design and manage the City's internal technical audit program.
• Coordinate information security external audit and regulatory reviews.
• Audit the effectiveness of IT-related internal processes, controls, risk management, and governance activities.
• Consistently update and communicate the flow of information as changes and modifications may occur monthly and/or annually.

Perform other related work as required.

• Five (5) years of full-time, or equivalent part-time, experience in Information Security, Risk Management, or business-related fields. A Bachelor's degree in a related field may be substituted for two (2) years of the required experience. A Master's degree can be substituted for three (3) years of the required experience.
• Preferred certifications: CISSP, CISM, CISA, CRISC, or other relevant security certifications.
• Previous hands-on technical experience is desirable.
• Extensive experience managing, developing, and implementing enterprise risk management, compliance, and auditing activities.
• Strong knowledge of information security & risk management frameworks (e.g., NIST, ISO, etc.).
• Proven ability to work with other teams to create new processes and procedures to meet security and compliance requirements.
• Ability to manage multiple concurrent objectives or activities and effectively make judgments in prioritizing and time allocation in a high-pressure environment.
• Ability to work well with others, harness different skills and experience, and build a strong sense of team spirit.
• Highly self-motivated and directed.
• Ability to leverage best practices and lessons learned from external organizations and academic institutions dealing with cyber issues.
• Experience working in the public sector or a highly regulated environment is preferred.
• Demonstrated successful delivery of a major project or change management effort.
• Ability to exercise good judgment and focus on detail as required by the job.

BOSTON RESIDENCY REQUIRED

Terms:

Union/Salary/Grade: Non-Union/MM2-10

Hours per week: 35