Scope of Work
The Information Technology Agency, Information Security Office (ITA-ISO) Governance Section requires a Professional Consultant to lead the comprehensive update of the Information Security Policy, originally updated in March 2024, and all associated standards, guidelines, and procedures.
The project involves a full lifecycle policy review: from conducting a gap analysis against modern frameworks (e.g., NIST CSF 2.0, ISO 27001) to drafting specialized standards for emerging technologies (AI, Zero Trust, Cloud Sovereignty). The Consultant must be an experienced policy professional who serves as an active, integrated member of the Governance section team. The Consultant is responsible for the proactive momentum of the project, including scheduling stakeholder interviews and driving the approval workflow, and is expected to maintain a high level of initiative. Waiting for supervisor or stakeholder feedback is not considered "idle time"; the Consultant is expected to use such periods to develop supporting guidelines, training materials, or technical standards, or to assist the "We Secure LA" team with policy-related security initiatives.
Duties and Responsibilities:
The Consultant will provide expertise and proactive project management for the following:
● Policy Gap Analysis: Conduct a formal review of the March 2024 ISP against current regulatory requirements (CCPA/CPRA updates) and industry best practices.
● Stakeholder Engagement & Discovery: Proactively schedule and lead "Policy Discovery" sessions with departments to identify operational hurdles in current security mandates.
● Drafting & Alignment: Author high-level policies, granular technical standards (e.g., Password/MFA standards), and non-technical guidelines. Ensure all documents are cross-referenced and consistent.
● Emerging Tech Governance: Develop specific "Acceptable Use" standards for Artificial Intelligence (AI), automated tools, and remote work infrastructure.
● Approval Pipeline Management: Navigate the administrative approval process, incorporating feedback from the City Attorney, Labor Relations, and ITA Leadership without project stagnation.
● Continuous Support: In periods of administrative delay, the Consultant shall assist the security team with policy-related research, internal audits, or creating "Policy-to-Practice" training decks.
● Proactive "Downtime" Management: In the event of administrative delays or pending approvals, the Consultant is contractually expected to pivot to high-value support tasks, including authoring training decks, assisting with internal security audits, or drafting technical "How-To" guides for the team.
Deliverables:
The Consultant is expected to contribute to the following within the contract period:
1. Policy Gap Analysis Report: A formal assessment of current policy deficiencies compared to NIST CSF 2.0.
2. Modernized Citywide Information Security Policy: A finalized, ready-for-adoption Information Security Policy.
3. Policy Interpretation Guide: A simplified "FAQ" or handbook for Departmental ISOs to help them implement the new policies.
4. Governance Desk Manual: A guide for ITA staff on how to maintain, review, and update these policies in the future.
5. Monthly Progress & Engagement Logs: Documentation of all stakeholder interviews and follow-ups conducted to prove active project advancement.
Qualifications:
● Bachelor's degree in cybersecurity, information technology, computer science, or related field; students within six months of graduation may apply. Equivalent combination of education and relevant experience will be considered.
● Bachelor's degree in a related field; professional certifications such as CISM or CISA are highly preferred. Entry-level cybersecurity certifications are also valued, such as:
○ ISC² Certified in Cybersecurity (CC)
○ CompTIA Security+
○ CompTIA Cybersecurity Analyst+ (CySA+)
● Minimum 5 years of direct experience in Cybersecurity Policy Development and Authoring. (Incumbent must be able to contribute immediately with zero training).
● Deep, practical knowledge of NIST 800-53, NIST CSF, and ISO/IEC 27001 is preferred.
● Advanced Communication & Negotiation Skills: Proven ability to lead meetings with high-level executives, explain technical risks to non-technical audiences, and negotiate policy language with legal/labor stakeholders.
● Strong analytical thinking, problem-solving abilities, and attention to detail.
● Proven "self-starter" with the ability to manage the policy lifecycle from research to final approval without daily supervision.