Security Manager

Xerox Corporation (NYSE: XRX) is an $11 billion technology leader that innovates the way the world communicates, connects and works. Our expertise is more important than ever as customers of all sizes look to improve productivity, maximize profitability and increase satisfaction. We do this for small and mid-size businesses, large enterprises, governments, graphic communications providers, and for our partners who serve them. We understand what's at the heart of work – and all of the forms it can take. We embrace the increasingly complex world of paper and digital. Office and mobile. Personal and social. Every day across the globe – in more than 160 countries – our technology, software and people successfully navigate those intersections. We automate, personalize, package, analyze and secure information to keep our customers moving at an accelerated pace.

Learn more at www.xerox.com.

Purpose:

• Responsible for planning and implementing risk management strategies, processes and programs. Manages resolution of incidents / problems throughout the information system lifecycle, including classification, prioritization and initiation of action, documentation of root causes and implementation of remedies. Development and execution of information risk controls and management strategies. Governs information risk management services for customer operations.
• The implementation of processes and procedures for the management of operational risk related to Xerox account operations and delivery.
• The development of and execution of information risk controls and management strategies to maintain the confidentiality, integrity, availability, accountability and relevant compliance of information systems.
• The resolution of incidents and problems throughout the information system lifecycle, including classification, prioritization and initiation of action, documentation of root causes and implementation of remedies.
• This role will specialize on a specific technology and/or risk management discipline. Examples of specialization areas can be any technology, technique, method, product or application area as they pertain to the disciplines of information security, privacy, disaster recovery, and regulatory compliance.

Scope:

Specific:

• Autonomy:
• Works under general supervision.
• Uses discretion in identifying and resolving complex problems and assignments.
• Specific instruction is usually given and work is reviewed at frequent milestones.
• Determines when problems should be escalated to a higher level.
• Influence:
• Interacts with and influences customer, external partner and internal department/project team members.
• Frequent external contact with customers and suppliers.
• In predictable and structured areas, may supervise others.
• Decisions may impact work assigned to individual/phases of project.
• Complexity;
• Specialized range of work, of relatively less complexity and standard, in variety of environments.

General:

• Uses best practices and knowledge of internal or external business issues to improve products or services
• Acts as a resource for cusotmers and colleagues with less experience
• Requires in-depth knowledge and experience
• Decisions guided by policies, procedures and business plan

Primary Responsibilities:

• Carries out risk assessment within a defined functional or technical area of business. Uses consistent processes for identifying potential risk events, quantifying and documenting the probability of occurrence and impact on the business. Refers to domain experts for guidance on specialized areas of risk, such as architecture and environment. Coordinates the development of countermeasures and contingency plans.
• Applies standard procedures to enhance security or resilience to system interruptions. Can take immediate action in an incident to limit business impact and escalates event to higher authority.
• Applies and maintains specific risk management controls as required by organizational policy and local risk assessments to maintain confidentiality, integrity and availability of business information systems. Determines when issues should be escalated to a higher level. Demonstrates effective communication of risk management issues to business managers and others.
• Maintains knowledge of specific technical specialisms, provides detailed advice regarding their application, executes specialized tasks. Implements and administers risk management technologies and process controls in a given specialism, and conducts compliance tracking. The specialism can be any area of information or communication technology, technique, method, product or application area.
• Specific Tasks:
• Business Risk Management
• Carries out risk assessment within a defined functional or technical area of business. Uses consistent processes for identifying potential risk events, quantifying and documenting probability of occurrence and impact on the business.
• Refers to domain experts for guidance on specialized areas of risk, such as compliance, architecture, finance and environment.
• Co-ordinates response to quantified risks, which may involve acceptance, transfer, reduction or elimination. Assists with development of agreed countermeasures and contingency plans.
• Monitors status of risks, and reports status and need for action to senior management.
• Information Assurance
• Applies procedures to assess security of information and infrastructure components. Identifies risks of unauthorized access, data loss, compromise of data integrity, or risk of business interruption.
• Reviews compliance to information security policies and standards. Applies procedures to assess compliance of hardware and software configurations to policies, standards, legal and regulatory requirements.
• Communicates information assurance issues effectively to users and operators of systems and networks.
• Information Risk
• Demonstrates effective communication of security issues to business managers and others.
• Develops and maintains knowledge of the technical specialism by, for example, reading relevant literature, meeting and maintaining contact with others involved in the technical specialism and through taking an active part in appropriate learned, professional and trade bodies.
• Maintains an awareness of current developments in the technical specialism.
• Applies and maintains specific security controls as required by organizational policy and local risk assessments to maintain confidentiality, integrity and availability of business information systems.
• Determines when security issues should be escalated to a higher level.
• Analyzes incidents and problems to show trends and potential problem areas, so that actions can be taken to minimize the occurrence of incidents and to improve the process of problem reporting, analysis and clearance. Assesses and reports the probable causes of incidents and consequences of existing problems and known defects.
• Conducts security control reviews in well defined areas.
• Provides advice, both reactively and pro-actively, to those engaged in activities where the technical specialism is applicable, including those in areas such as budgetary and financial planning, litigation, legislation, and health and safety.
• Identifies opportunities to apply the technical specialism within employing organization and closely associated organizations, such as customers, suppliers and partners, and advises those responsible.
• Carries out specific assignments related to the technical specialism, either alone or as part of a team.
• Maintains knowledge of the technical specialism at a detailed level, and is responsible for own personal growth and technical proficiency.

Candidate Education:

Minimum Bachelor's Degree Computer Science, Information Systems, or related field.

Professional Certifications:

Minimum Technical certifications such as CISSP, SANS GSEC, CompTIA Security required

Minimum ITIL V3 Foundation.

Candidate Background:

Minimum Significant experience in Information Technology, which includes substantial experience in a risk management specialism.

Minimum Understands and uses appropriate methods and tools and applications.

Minimum Demonstrates analytical and systematic approach to problem solving.

Minimum Takes initiative in identifying and negotiating appropriate development opportunities.

Minimum Contributes fully to the work of teams.

Minimum Can plan, schedule and monitor own work.

Minimum Is able to absorb and apply new technical information.

Minimum Is able to work to required standards and to understand and use the appropriate methods, tools and applications.

Minimum Appreciates wider field of information systems, how own role relates to other roles and to the business.

Minimum Has a basic business knowledge and an understanding of current and emerging information and communications technologies and their level of maturity.

Minimum Is able to obtain information from business people in face to face situations, and to analyze information on users occupational tasks obtained by a variety of formal and informal means.

Minimum Has an analytical and creative approach to problem solving.

Minimum Is familiar with the principles and practices involved in development and maintenance and in service delivery.

Minimum Has good technical understanding and the aptitude to remain up to date with IS security and developments.

Minimum Possesses a general understanding of the business applications of IT.

Minimum Is effective and persuasive in both written and oral communication.

Minimum Demonstrates basic knowledge of information security principles.

Minimum Has experience in moderate to large technology implementations and background as an administrator of IT systems, databases, or processes.

Additional Role Requirements:

Information Security Domain

Basic understanding the following 10 security domains with technical expertise in at least one of the domain areas:

Access Control Systems and Methodology

Network Security

Business Continuity Planning and Disaster Recovery Planning

Security Management Practices

Security Architecture and Models

Law, Investigation, and Ethics

Application and Systems Development Security

Cryptography

Computer Operations Security

Physical Security

Relevant industry standards awareness / governmental regulations awareness

Disaster Recovery Domain

Basic understanding of the following 10 Business Continuity domain areas with technical expertise in at least two of the domain areas:

Project Initiation and Management

Risk Evaluation and Control

Business Impact Analysis

Developing Business Continuity Strategies

Awareness and Training Programs

Exercising and Maintaining Business Continuity Plans

Public Relations and Crisis Coordination

Coordinating with External Agencies

Relevant industry standards awareness / governmental program awareness.

Xerox is an Equal Opportunity Employer and considers applicants for all positions without regard to race, color, creed, religion, ancestry, national origin, age, gender identity, sex, marital status, sexual orientation, physical or mental disability, use of a guide dog or service animal, military/veteran status, citizenship status, basis of genetic information, or any other group protected by law. People with disabilities who need a reasonable accommodation to apply or compete for employment with Xerox may request such accommodation(s) by sending an e-mail to XeroxStaffingAdminCenter@xerox.com. Be sure to include your name, the job you are interested in, and the accommodation you are seeking.