Information Security Analyst - NERC/CIP Compliance (REMOTE)

  • Full-time

Company Description

The California Independent System Operator (ISO) manages the flow of electricity across the high-voltage, long-distance power lines that make up 80 percent of California's power grid. We safeguard the economy and well-being of 30 million Californians by operating the grid reliably 24/7.

As the impartial grid operator, the California ISO opens access to the wholesale power market that is designed to diversify resources and lower prices. It also grants equal access to 25,865 circuit-miles of power lines and reduces barriers to diverse resources competing to bring power to customers.

The California ISO's function is often compared to that of air traffic controllers. It would be grossly unfair for air traffic controllers to represent one airline and profit from allowing that company's planes to go through before others. In the same way, the California ISO operates independently—managing the electron traffic on a power grid we do not own—making sure electricity is safely delivered to utilities and consumers on time and reliably.

The California ISO is committed to the health, safety, and work/life integration of its employees and is proud to offer flexible work arrangements. This position would be eligible to participate in a fully remote schedule.

Job Description

Under the general direction of the Manager, supports the information security compliance requirements and company risk tolerance to ensure a culture of information security compliance. Supports the security, controls and lifecycle process to ensure alignment and compliance with security policy and regulatory compliance requirements. Assists in security compliance programs, creating assessments, and tracks risk mitigation and remediation activities.

What You Will Be Doing:

  • Maintains IT governance, risk and compliance (GRC) tool that cross references standards against CAISO policies, procedures and controls. Identifies gaps and helps develop CAISO specific policies, procedures and controls that meet external requirements and CAISO information security needs.
  • Assists in the evaluation of compliance of all processes, procedures, and standards applicable to the position including (but not limited to): SSAE18 (Statement on Standards for Attestation Engagements No. 16), NERC CIP (Critical Infrastructure Protection), the ISO 27000 series (Information Security Management Systems (ISMS) standards as defined by the International Organization for Standardization), and the NIST Cybersecurity Framework (CSF).
  • Ensures consistent compliance with applicable requirements, supporting the requirement owners with identification and proactive collection of evidence for audits. Supports requirement owners with remedies to findings.
  • Collects evidence for quarterly NERC CIP Compliance and SSAE18 reviews. Leverages GRC tool for collection.
  • Maintains schedules, reports, and materials for compliance-related activities pertaining to IT and other control-related matters.
  • Maintains tracking tools and reports for compliance measures. Assists in preparation of reports and briefs explaining standards issues and compliance status.
  • Supports the team in benchmarking existing and planned IT environments.
  • May identify trends and predict future issues to effectively implement courses of action.

Qualifications

Level of Education and Discipline:

A Bachelor's degree (BA, BS) or equivalent education, training or experience in Computer Science, Engineering, or related technical field. Master's degree preferred.

Amount of Experience:

Equivalent years of education and training, plus two (2) or more years related experience.

Certifications:

CISSP, CISA or equivalent professional certifications desired.

Type of Experience

Experience in an Information Security corporate environment. Experience in IT Audit, IT Risk, system administration, network and application security concepts. Experience with NERC Reliability Standards including NERC CIP. Direct experience or exposure to the following technologies: Windows, Linux, or other UNIX operating systems, SSO, LDAP, Java, XML, Enterprise Directory or Active Directory Domain Administration. Familiarity with Governance and Access Control models required. Experience with IT GRC (Governance, Risk and Compliance) tools such as Archer or MetricStream.

Experience in one or more of the following areas:

  • One or more directories, including Active Directory, IBM Directory Server, SunONE Directory Server, Novell eDirectory, OpenLDAP, or CA Directory
  • Audit management and internal audit standards
  • Process control design and testing methods
  • Risk Management methodologies and tools
  • Business Continuity and Disaster Recovery methodologies
  • Governance frameworks including ISO27000, NIST-800, and/or CERT-GES
  • Compliance Standards including NERC-CIP, SSAE-16, SOX, HIPAA, and/or PCI
  • In-depth knowledge of regulatory compliance requirements and risk management; ability to solve business problems through technology
  • Experience in a cross-platform environment

Additional skills and abilities:

Must be able to work effectively in a team environment as facilitator and team member. Excellent analytical, verbal and written communication and documentation skills required, with a demonstrated attention to detail. Excellent planning and organizational skills. Ability to use deductive reasoning and analytical thinking with sound judgment and decision-making skills. Strong interpersonal and conflict resolution skills are also essential. Must be self-starting and willing and able to work independently in a dynamic corporate organization under pressure of tight deadlines and aggressive expectations. Self-motivated, with problem-solving skills and the ability to influence others without direct authority.

Additional Information

**We will also consider this position at the Senior level, which requires a Bachelor's degree (BA, BS) or equivalent years of education, training or experience in Computer Science, Engineering or related technical field, plus five (5) or more years related experience.

All your information will be kept confidential according to EEO guidelines.