Information Security Risk and Compliance Program Manager

King County   Seattle, WA   Full-time     Information Services / Technology (IT)
Posted on April 20, 2022
Apply Now

King County Department of Information Technology (KCIT) is seeking an Information Security Risk and Compliance Program Manager to join our team. The Information Security Risk and Compliance Program Manager is responsible for managing and continuously improving King County’s information security risk management and compliance programs which includes managing a small team of analysts who support the risk management and compliance mission. These programs assess and manage information security risk and compliance at Countywide, department, and system levels in alignment with King County Code and policies, U.S federal and Washington State regulations, and industry-based information security frameworks and standards.

King County Department of Information Technology (KCIT) 
KCIT is providing the building blocks for many of the region's most critical services.  As the business solutions partner, we collaborate with the 18 County departments to develop products and services that better serve the needs of our customers and our community. To learn more about KCIT, please visit: 
As the first place recipient of the 15th annual National Association of Counties (NACo) Digital Counties Survey, KCIT was recognized for its vision, strategy, innovation, and collaboration. Previously earning top 10 digital county honors in the last eleven years from the Center for Digital Government, KCIT has a focus of delivering smart technology solutions that support customers, building stronger communities through innovative information technology.  

Teleworking Requirement 
The work associated with this position will be performed through a combination of teleworking complemented with onsite work and meetings as needed. Employees will have access to shared workspaces at various King County facilities. Employees must reside in Washington state and within a reasonable distance to their King County worksite to respond to workplace reporting requirements.
Employees will be provided with a County issued laptop and must maintain a workspace with an internet connection (access may be supplemented in some situations) where they can reliably perform work and remain available and responsive during scheduled work hours. Please note that when an employee conducts work that is likely to bring them in contact with another individual, safety precautions are required, including the wearing of masks in some situations. King County is doing its part to reduce the spread of COVID-19 and remains committed to reducing our carbon footprint.
King County has a robust collection of tools and resources to support working remotely. The individual selected for this opportunity will be joining an innovative and progressive team that is redefining how we work as we transition to the department's hybrid environment.  
King County offers a robust benefits package to support you and your family in a variety of ways. To learn more about the benefits offered here, please click on the Benefits tab or click here:
Work Schedule 
The normal workweek for this position is Monday through Friday, 8:00 a.m. to 5:00 p.m. Alternative work schedules may be considered. This position is not eligible for overtime pay.
If you have questions regarding this recruitment, please contact Shannon Hoeper, or 206-263-6957.    

Job Duties

The Information Security Risk and Compliance Program Manager reports to the Chief Information Security and Privacy Officer (CISPO) and manages a small team of security and compliance analysts and the security and privacy awareness training program coordinator.
 Strategy & Planning

  • Work with the Department of Information Technology (KCIT) leadership team and King County information security and compliance governance structures to align the information security risk management and compliance programs to organizational needs and risk tolerance levels
  • Develop and maintain an information security risk and compliance workplan aligned to organizational prioritization constructs and the Chief Information Security and Privacy Officer security strategy
  • Manage the lifecycle of information security policies at King County including an annual review process.
  • Work with King County information security and compliance governance structures to establish and maintain visibility and alignment regarding compliance management.
  • Develop, maintain and coordinate King County’s annual third party information security risk and compliance audit calendar including assessment services contracts, regulatory bodies and relationships, and internal subject matter contacts.
  • Using the Department of Information Technology portfolio management data, develop and maintain a risk based model for leadership and planning objectives regarding risk management.
  • Project and track the costs of the information security risk and compliance management programs.
  • Participate as a key member of the Chief Information Security and Privacy Officer’s leadership team.
 Operational Management

  • Develop and manage a team of individual contributors supporting the information security risk and compliance mission as well as the King County security and privacy awareness training program coordinator.
  • Manage and continuously improve workflows, tools, and training for identifying and addressing information security risks at various risk tiers such as enterprise, department/division, team, or for individual systems and solutions.
  • Serve as the escalation point and senior review resource for information security risk and compliance assessments conducted by the analyst team, external auditors, or third party consultants.
  • Develop and maintain information security risk registry and compliance finding workflows and tools to track, measure, and report on King County’s information security risk and compliance posture.
  • Coordinate and manage internal and external audit and assessment activities.
  • Coordinate and manage information security risk and compliance governance activities including agenda development, meeting facilitation, decision making, and execution of decision outcomes.

Experience, Qualifications, Knowledge, Skills

  • 7+ years' experience as an information security risk manager or 10+ years as an information security analyst performing work applicable to this role, or any combination of relevant experience, education, or training that provides the required knowledge, skills and abilities to perform the work.
  • Experience in managing and developing a team
  • Demonstrated knowledge in developing and implementing an information security risk program, methodologies, and tools in large organizations and driving change through innovation
  • Expert knowledge of risk management practices and principles
  • Demonstrated knowledge in managing complex enterprise information security risk assessments and audits 
  • Demonstrated knowledge of security regulations, standards and frameworks (HIPAA, CJIS Security Policy, PCI DSS, NIST CSF, ISO 27K, HITRUST CSF, CIS20.)
  • Demonstrated ability to thoroughly review technical, contractual, and legal documentation
  • Familiar with privacy management practices and principles 
  • Strong collaboration and communication skills at all levels of an organization with the ability to influence decisions, build durable relationships, and engage teams up, down, and across the County’s organization
  • Excellent communication and writing skills including the ability to communicate technical topics to non-technical audiences
  • Critical thinking and ability to achieve outcomes for customers
  • Ability to take independent initiative while also understanding where escalation is necessary
  • Ability to plan, manage, and execute multiple tasks and projects within adjusting and defined timelines. 
  • Incident handling training or certifications are desired (GCIH, NIMS ICS, Kepner Tregoe, etc.)
  • Skilled in problem and conflict analysis and resolution
  • Bachelor’s degree in risk management, information technology, business administration, computer science or related field
  • Technical certifications related to information security, risk or compliance, information technology such as network, server, database, cloud infrastructure or engineering, project management methodologies, leadership or other relevant certifications are desired (CISSP, CISRM, CRISC, CISA, CPA, CISM, CIMP, GIAC, or other relevant certifications)

Supplemental Information

Forbes recently named King County as one of Washington State's best employers.

Together, with leadership and our employees, we're changing the way government delivers service and winning national recognition as a model of excellence. Are you ready to make a difference? Come join the team dedicated to serving one of the nation's best places to live, work and play.

Guided by our "True North", we are making King County a welcoming community where every person can thrive. We value diversity, inclusion and belonging in our workplace and workforce. To reach this goal we are committed to workforce equity. Equitable recruiting, support, and retention is how we will obtain the highest quality workforce in our region; a workforce that shares and will help advance our guiding principles--we are one team; we solve problems; we focus on the customer; we drive for results; we are racially just; we respect all people; we lead the way; and we are responsible stewards. We encourage people of all backgrounds and identities to apply, including Native American and people of color, immigrants, refugees, women, LGBTQ+, people living with disabilities, and veterans.

COVID-19 Vaccination Requirement

King County Executive Branch employees are required to be fully vaccinated against COVID-19. If you are the successful candidate for the position you applied for, the County will send you a conditional offer letter.

As a condition of employment, prior to a final offer of employment, you will be required to:

  • submit proof of vaccination, or
  • have an approved request for medical or religious exemption and an approved accommodation. Philosophical, political, scientific, or sociological objections to vaccination will not be considered for an exemption or accommodation.
People are considered fully vaccinated against COVID-19 two weeks after receiving the final dose of a vaccination approved by the Center for Disease Control and Prevention (CDC).

The Executive Branch includes employees in the Executive branch, the Assessor's Office, Elections, the King County Sheriff's Office, and the Executive Office.

King County is an Equal Employment Opportunity (EEO) Employer

No person is unlawfully excluded from employment opportunities based on race, color, religion, national origin, sex (including gender identity, sexual orientation and pregnancy), age, genetic information, disability, veteran status, or other protected class. Our EEO policy applies to all employment actions, including but not limited to recruitment, hiring, selection for training, promotion, transfer, demotion, layoff, termination, rates of pay or other forms of compensation.

To Apply

If you are interested in pursuing this position, please follow the application instructions carefully. If you need this announcement in an alternate language or format, would like to request accommodation or assistance in the application or assessment process or if you have questions please contact the recruiter listed on this job announcement.

Application Requirements 
A completed King County Application and Resume are required for consideration. Applications submitted without all material will not be considered. 
The recruitment for this position is open to all qualified candidates. This recruitment may be used to fill future vacancies. 
Union Status: This position is represented by L117: IT Managers and Supervisors
(For internal use only: Strategic Information Resources Manager - 1241100)     

King County offers a highly-competitive compensation and benefits package designed to meet the diverse needs of our employees and support our employees' health and well-being.  Eligible positions receive the following benefits and have access to the following programs:

  • Medical, dental, and vision coverage: King County pays 100% of the premiums for eligible employees and family members
  • Life and disability insurance: employees are provided basic coverage and given the opportunity to purchase additional insurance for both the employee and eligible dependents
  • Retirement: King County employees are eligible to participate in a pension plan through the Washington State Department of Retirement Systems and a 457(b) deferred-compensation plan
  • Transportation program and ORCA transit pass
  • 10 paid holidays each year (plus 2 personal holidays)
  • Generous vacation and paid sick leave
  • Paid parental leave, family and medical leaves, and volunteer leave
  • Flexible Spending Account
  • Wellness programs
  • Onsite gyms and activity centers
  • Employee giving program
  • Employee assistance programs
  • Flexible schedules and telecommuting options, depending on position
  • Training and career development programs
For additional information about employee benefits please visit our Benefits, Payroll, and Retirement Page.

This is a general description of the benefits offered to eligible King County employees, and every effort has been made to ensure its accuracy.  If any information on this document conflicts with the provisions of a collective bargaining agreement (CBA), the CBA prevails.  Also, in the event of any incorrect information in this document, applicable laws, policies, rules, CBAs, or official plan documents will prevail.
NOTE:  Benefits for Term Limited Temporary (TLT) or Short Term Temporary (STT) positions, including leave eligibility and/or participation in the pension plan through the Washington State Department of Retirement Systems, will vary based upon the terms and details of the position. Short Term Temporary positions are not eligible for an ORCA transit pass.
For inquiries about the specifics of this position, please contact the recruiter identified on this job posting.

Are you authorized to work in the United States?
  • Yes
  • No
Does your authorization require sponsorship now or in the future from an employer or other source? (This does not preclude you from being considered for this position.)
  • Yes
  • No
The person hired for this position must successfully pass a background investigation. Are you willing to undergo a thorough background investigation prior to an offer of employment? This will include reference checks with previous employers, a criminal background check and fingerprinting.
  • Yes
  • No
Are you applying to this position as an eligible current or previous King County Employee Priority Placement Program Participant? Is this position the same or lower percentage of full-time when compared to the position held at the point of the notification of layoff? Do you possess the skills and abilities to qualify for this position?
  • Yes, I was given a layoff notice from my role at King County and I am within two years of the effective date of my layoff. Additionally, the position I was laid off from was the same or a higher percentage of FT status when compared to this one.
  • No.
If you answered yes to the question above and you are applying for this position as a Priority Placement Participant, to be considered, you must provide the following three pieces of information in the space provided: 1. The title you held when you received your layoff notice 2. The department you worked in 3. The effective date of your layoff

Required Question