Los Angeles County Metropolitan Transportation Authority

Job Specification




Pay Grade
H1N ($94,494.40 - $118,102.40 - $141,752.00)
Job Summary
Manages and oversees the information security function of the Information Technology Services (ITS) Department by planning, developing, implementing and maintaining an enterprise-wide information security program, policies, and systems to protect Metro electronic data and network infrastructure from external and internal security breaches and to ensure that security measures comply with statutory and regulatory requirements regarding information access, security, and privacy.
Duties and Responsibilities
  • Develops, executes, and monitors a comprehensive information security program that protects against external and internal threats, and ensures compliance with statutory and regulatory requirements pertaining to information access, security and privacy for Metro, and its affiliate organizations as requested or necessary; ensures adequate compliance resources and training
  • Leads and coordinates the development, maintenance, and dissemination of electronic information security and data recovery policies, standards, procedures, and practices as it relates to security, privacy, access, and compliance, inclusive of all media formats
  • Prepares and presents Metro-wide information security and privacy policies and procedures for senior management consideration and adoption
  • Directs and manages the development and delivery of education and awareness training programs on information security, privacy issues, and compliance for authorized users regarding policies, standards, and procedures; works with other corporate entities to present them to staff, and participates in local, regional, and national awareness and education events, as appropriate
  • Manages information security risk management processes, programs and strategies; aligns risk management and control activities as appropriate with security frameworks
  • Develops and implements an ongoing, proactive risk assessment program and information security management system to identify technology gaps/deficiencies and target electronic information and infrastructure security and security breach prevention, detection, and remediation for all new and existing systems by ensuring that proper protections are in place, such as intrusion detection and prevention systems, firewalls, and effective physical safeguards
  • Remains familiar with corporate goals and business processes to ensure effective controls are put in place for those areas presenting the greatest information security risk
  • Performs assessments to measure consistent application and usage of policies, standards, procedures, and guidelines related to information security and privacy throughout Metro to detect and deter risks
  • Leads and coordinates the ongoing security monitoring of electronic information systems for security exposures, violations of information security policies and procedures, breaches of information security measures, and reports all significant discoveries to the Chief Information Officer (CIO) in a timely fashion
  • Ensures timely development and implementation of corrective action plans in response to monitoring deficiencies and complaints
  • Leads and coordinates incident response planning and the investigation of electronic security breaches/ incidents to determine what response, if any, is needed, including technical incident response teams, when sensitive information is breached
  • Escalates emerging risks, non-compliance with policies/ standards/ controls, policy exceptions, and risk tolerance breaches in a timely manner; interfaces with outside law enforcement agencies on electronic security breaches in collaboration with affected departments, as needed
  • Leads the planning, testing, implementation, tracking, remediation, and risk acceptance of existing and proposed Metro technology and provides information security guidelines and/or specifications
  • Directs and maintains configuration management (CM) of electronic security systems, software, and data encryption to provide total data security
  • Researches, analyzes, monitors, and anticipates current and emerging electronic information security technologies, security issues, trends, and information privacy legislation and regulations to implement changes to policies, standards, and procedures; promotes implementation of new technology, solutions, and methods to meet organizational objectives/ needs and improve business processes, quality, efficiency, effectiveness, and value delivered to customers
  • Works and coordinates with management and department heads across the enterprise; provides Metro-wide consultation and advisement on data security management
  • Provides for the availability of computer resources by ensuring a business continuity/disaster recovery plan is in place to offset the effects caused by intentional and unintentional acts; participates in or leads the department's information security, disaster recovery, continuity of operations, incident response, and safety programs
  • Directs the activities of assigned staff in accomplishing company business objectives; sets priorities, provides guidance, secures resources, interfaces with peers and senior leadership, and communicates effectively at all levels
  • Proactively fosters the development of all team members
  • Communicates and implements safety rules, policies, and procedures in support of the agency's safety vision and goals; and maintains accountability for the safety performance of all assigned employees
  • Contributes to ensuring that the Equal Employment Opportunity (EEO) policies and programs of Metro are carried out

    May be required to perform other related job duties

Essential Knowledge, Skills and Abilities

Knowledge of (defined as a learned body of information that is required for and applied in the performance of job tasks)
  • Theories, principles, and practices of information security, digital security, data communications technology, application controls, and statutory and regulatory requirements pertaining to information access, security, and privacy
  • Process capabilities and functioning of Metro's digital infrastructure and application systems
  • Digital security product and tool uses
  • Project management and control practices
  • Broad information security issues, requirements, and trends, including compliance requirements related to Federal Rules of Civil Procedure (FRCP) and e-Discovery
  • Health Insurance Portability and Accountability Act (HIPAA),), Payment Card Industry Data Security Standard (PCI DSS), and relevant information security related laws and regulations
  • Risk assessment methods and techniques
  • Security software and tools
  • Application architecture and design, development environments, database design and normalization, network security, and infrastructure
  • Authentication, authorization, and encryption technologies
  • Forensic techniques for investigating incidents
  • Auditing standards and techniques
  • Contract and vendor negotiation

Skill in (defined as the proficient manual, verbal, or mental utilization of data, people, or things)
  • Planning, organizing, and constructing the design and implementation of a comprehensive information access, security and privacy program
  • Project management
  • Applying professional and technical expertise to the job
  • Determining strategies to achieve goals
  • Analyzing information and situations, identifying problems, and recommending solutions
  • Critical and logical thinking
  • Exercising sound judgment
  • Communicating effectively orally and in writing
  • Interacting professionally with various levels of Metro employees and outside representatives
  • Developing teamwork to achieve shared goals

Ability to (defined as a present competence to perform an observable behavior or produce an observable result)
  • Keep up to date on the latest security and privacy legislation, regulations, advisories, alerts, and vulnerabilities pertaining to information security and privacy as it relates to Metro
  • Understand, interpret, and apply laws, rules, regulations, policies, procedures, contracts, and budgets
  • Navigate through legal and regulatory requirements to ensure compliance
  • Comprehend technical written material
  • Compile, analyze, and interpret complex data
  • Pay close attention to detail of work content, work steps, and final work products
  • Ensure projects are on time, within budget, and achieve objective(s)
  • Oversee lower-level staff
  • Travel to offsite locations
  • Read, write, speak, and understand English
Minimum Qualifications
A combination of education and/or experience that provides the required knowledge, skills, and abilities to perform the essential functions of the position. Additional experience, as outlined below, may be substituted for required education on a year-for-year basis. A typical combination includes:

  • Bachelor's Degree in Computer Science, Information Systems, or a related field

  • Six years of relevant experience or three years of relevant supervisory-level experience performing information security work in Windows, Unix, WAN /LAN (Wide Area Network/ Local Area Network) environments

Certifications/Licenses/Special Requirements
  • Professional certification in two of the following are required Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Computer Hacking Forensic Investigator (CHFI), Global Information Assurance Certification (GIAC), Systems Security Certified Practitioner (SSCP), or equivalent
  • A valid California Class C Driver License or the ability to utilize an alternative method of transportation when needed to carry out job-related essential functions
  • On-call for emergencies, 24 hours a day, 7 days a week
  • Exposure to various environmental factors when at offsite locations
Special Conditions
The physical demands described are representative of those that must be met by the employee to successfully perform the essential functions of this job. Metro provides reasonable accommodation to enable individuals with disabilities to perform the essential functions.

Working Conditions
  • Typical office situation
  • Close exposure to computer monitors and video screen

Physical Effort Required
  • Sitting at a desk or table
  • Operate a telephone or other telecommunications device and communicate through the medium
  • Type and use a keyboard and mouse to perform necessary computer-based functions
  • Standing
  • Walking (distance 5' to 100')
  • Light lifting or carrying 25 lbs. or less
  • Communicating through speech in the English language required


Job GroupJob Class CodeFLSA StatusDate OriginatedDate Revised

This classification is at-will and the incumbent serves at the pleasure of the hiring authority when classified as an Intermittent, Emergency, or Temporary employee and/or is assigned to the Office of Inspector General (OIG) or Board Clerk's Office.

This job specification is not to be construed as an exhaustive list of duties, responsibilities, or requirements.