Note: Work Order will be awarded on an individual basis, based on the specific needs described herein.
Contract Term: 6 months with opportunity to renew
Requesting Department: Privacy Office
Schedule: Full-Time – On-site
All work hours will be billed at the same base rate regardless of the number of hours worked per billing period.
The IT Security Specialist will be responsible for supporting the implementation and administration of our privacy initiatives within the Privacy Office.
The successful candidate will have knowledge of common privacy practices, laws, and regulatory frameworks as well as a solid understanding of various technologies, including exposure to information security and risk management.
S/he will identify emerging privacy technology trends/standards, regulatory and compliance requirements, and privacy needs as part of an effort to develop, establish and maintain a cohesive privacy direction for our mission to provide services to residents. S/he serves as a member of staff supporting the Chief Privacy Officer (CPO) in furthering the County’s mission and commitment towards privacy excellence.
As part of the privacy team, the IT Security Specialist will collaborate with the technology services and security teams to integrate and monitor privacy gates within the software development life cycle (SDLC), vendor vetting process, and other organizational processes.
• Builds and applies a strong working knowledge of the County’s mission and objectives, including the County’s privacy strategy and program, as well as knowledge of compliance and privacy concepts and practices (strategies, internal controls, information analysis, reporting, including trending and communication);
• Maintains an awareness of and monitors advancements in information privacy technologies;
• Conducts privacy-related risk assessments (e.g., assessments to support privacy integration through Privacy-by-Design, Privacy Impact Assessments), supports incident response activities, and assists with integrating privacy into the software development life cycle (SDLC), data sharing projects, and other processes;
• Conducts basic usability evaluations to assess the usability and user acceptance of privacy-related features and processes;
• Identifies, develops, and aligns techniques to aggregate, anonymize, or de-identify data, and understands the limits of de-identification;
• Develops and communicates mitigation actions and design recommendations;
• Coordinates with developers, system owners, and others on remediation activities and alternate solutions to protect data and reduce risk;
• Develops technical solutions to help mitigate privacy vulnerabilities;
• Assists with documenting and assessing privacy risks associated with applications (and solutions in general) that are scheduled to be integrated in information systems; ranking and prioritizing these risks; and following up with developers and other stakeholders on remediation;
• Assists with vetting vendors and helps to make sure that adequate privacy protections are embedded in solutions and processes;
• Helps to ensure information systems designs adequately incorporate privacy controls around choice, consent, collection, notice, use, retention, and disposal, and third-party disclosures where applicable;
• Performs research and advises Privacy Office management on applicable technology privacy trends, best practices, and risks;
• Integrates perspectives that span product design, software development, cyber security, human-computer interaction, as well as business and legal considerations, and leverages team members when necessary;
• Works with team members and Privacy Office management to define and incorporate technology related privacy controls into the organization’s processes, initiatives, and development of information systems;
• Engages with cross-functional teams to investigate incidents that involved sensitive or personal information;
• Supports the development of technical privacy training and communication programs to educate and update employees on privacy requirements, best practices, and expectations;
• Lends expertise to enhance effectiveness of privacy enhancing technology (PET) controls;
• Assists and provides expertise to the organization’s departments to better identify and classify data and manage information throughout the information life cycle;
• Serves as a liaison to technical bodies for privacy related matters.
Training and Experience: Sufficient education, training, and experience to demonstrate the possession and direct application of the following knowledge and abilities.
The knowledge and abilities required to perform this function are attained through training and experience equivalent to possession of a bachelor’s degree from an accredited college in Information Systems, Computer Science, Communications, Information Privacy, Privacy Law, Data Management, or a related field.
- AND -
Two (2) years of experience in the privacy, legal, technology, compliance or information security fields, one (1) of which must have been working with medium to large scale information privacy or security projects.
Relevant experience with a governmental entity and understanding or interpreting privacy regulations is desirable, but not required.
• May be required to work irregular hours on occasion (e.g., due to a data breach or disaster event).
• Privacy engineering and design principles, practices, terminology, trends, and usage utilized by large complex organizations;
• Privacy-by-Design, best practices, terminology, and current trends in privacy;
• Knowledge of two or more of the following privacy laws or standards, such as: Fair Information Practice Principles (FIPPs), HIPAA/HITECH, PCI, FCRA, GLBA, FACTA, ISO, GAAP, SOC II, FERPA, COPPA, CCPA, NIST privacy and security standards and guidance, California data breach or other privacy related laws, or other relevant privacy frameworks;
• Information privacy or security forensic tools or privacy enhancing technologies;
• Technical understanding of information systems development, implementation, and maintenance;
• Experience with PII inventory, information classification, and privacy threat modelling;
• Experience in conducting privacy impact assessments (PIA);
• Optional: Wireless / mobile communications technologies and privacy issues, and wireless IT security systems, cloud technology and privacy concerns;
• Preferred, but not required, privacy certifications, such as: CIPP/US, CIPT.
• Support PIA activities and recommend technical solutions that provide the proper level of privacy protection over personal and sensitive information;
• Troubleshoot basic privacy and security problems and identify and recommend alternative solutions;
• Work and communicate effectively, both orally and in writing, for technical and nontechnical audiences;
• Write and produce presentations exceptionally well;
• Establish and maintain effective working relationships within the team and across departments;
• Operationalize and proactively assist in the implementation of privacy solutions;
• Collaborate with other technical professionals;
• Prepare detailed technical reports, analyses, and other documentation;
• Maintain a positive attitude and work calmly and effectively in a dynamic environment;
• Synthesize information and communicate privacy concepts to technical and nontechnical audiences;
• Apply information privacy principles to business processes and information systems from a technical perspective.
On-Site Requirements: On-call help may be required.