Lead the strategic and tactical activities of the Identity and Access Management function, reporting to the Sr. Director, Client Services. The role has ownership of the access management compliance program, which includes all NERC CIP and SOC1 access-related requirements and control objectives. Ownership includes (1) primary responsibility for defining, maintaining, operating and improving the program, including its documentation, processes, and supporting technology; (2) staffing the program appropriately with qualified employees, contractors and matrixed support from ITS and other divisions as needed; and (3) ensuring the program meets the requirements set by governing organizations as well as PJM by analyzing processes, documentation, metrics, and workflows through interviews with staff performing security and human resource related duties, developing gap analyses, and identifying and prioritizing process improvements based on current risk. The identity and access management program scope includes PJM on-premise and cloud systems for all PJM personnel. As required by advances in technology, internal business needs, and changing control requirements, make upgrades and improvements to processes and systems to achieve objectives using the department's operating budget and PJM's capital portfolio process. Establish appropriate service-level targets for systems and staff to meet compliance and customer service objectives. Provide reporting of program operations through routine reports or presentations and achieve other deliverables as needed. Work with other divisions and departments to ensure access and identity management activities are performed in a way that achieves compliance and meets customer service objectives.
Essential Functions:
Oversee the administration, analysis, and execution of a compliance strategy, including development of specific activities related to all aspects of compliance, including but not limited to: the access management team, personnel risk assessment (PRA), onboarding and off-boarding of personnel, and other in-scope NERC CIP and SOC1 related activities, requirements and control objectives.
Define, maintain, and implement a formal program to enhance and centralize the Identity and Access Management (IAM) function, and improve department programs, including their documentation, processes, and supporting technology (specifically including PJM’s Access Management program, Identity Manager technology, and all systems that are used for access and account management work).
Ensure PJM meets its corporate and governmental compliance requirements in the areas of cyber and physical access, personnel risk assessment (PRA), mandatory training and policy creation and enhancement.
Provide security technical expertise and project leadership for the Identity and Access Management department.
Review projects, new applications, and existing user access for appropriate security controls.
Analyze, define, and prioritize the business functional specifications for IAM initiatives. Help develop project scope, charter, constraints and assumptions for IAM projects.
Staff department programs appropriately with qualified employees, contractors and matrixed support from ITS and other divisions as needed. Provide leadership and management to department staff in the execution of departmental responsibilities, providing appropriate opportunities for development, ensuring staff are trained in necessary skills and competencies, and ensuring staff performance is managed to accomplish departmental goals.
Understand and remain current on all IAM functions including but not limited to user entitlement reviews, centrally managed user security and entitlement reviews and certifications, personnel onboarding and separation procedures, personnel transfers, access request requirements and responsibilities for each functional area within the IAM department.
Oversee the creation of documents and retrieval of data and related evidence for NERC, FERC and I-9 audits and data requests.
Oversee all employee system access requests, including the following procedures: employee access authorization initiations and changes, personnel changes in responsibilities and reduced access, employee terminations and temporary disablements, and employee access re-establishments and re-enablements.
Oversee the creation and delivery of training across the organization for policies, procedures, processes, and system operations related to the access management program.
Oversee the Privileged Account role management, access authorization and retirement procedure.
Oversee all access reconciliations and re-certifications. Ensure all access reconciliations and re-certifications are aligned with governmental compliance regulation timeframes.
Manage the quality of automated access security services delivered under the Access Management Program by monitoring metrics and KPIs to ensure compliance and customer satisfaction objectives are met.
Foster a high-performance culture and team by developing team member skills, working directly with them on individual development plans (IDPs).
Ensure compliance with SOC1/SSAE-16 control activities related to access and account management.
Periodically and regularly review evidence of compliance with PJM’s control activities.
Ensure that all findings of undocumented and unauthorized accounts are remediated on a timely basis. Drive responsible parties to make process and procedural changes for repeat undocumented account findings.
Ensure that documented standards and procedures for the Access Management Team are accurate and updated in a timely manner.
Ensure PJM’s compliance with mandatory corporate and regulatory training such as Code of Conduct and Standard of Business Ethics, NERC/FERC training and annual harassment prevention training for employees and management.
Lead related IAM audit activities to ensure compliance with control activities and objectives for NERC CIP and SOC1, and support the PJM Internal Audit team's annual audit plan.
Assist the Director in the establishment and implementation of long-range programs in the areas of compliance and mandatory training.
Manage the department's operating budget.
Formulate and maintain, in collaboration with Director and senior management, compliance policies and processes which support company and regulatory requirements.
Educate and inform managers and supervisors of compliance policies and processes which support company and regulatory requirements.
Possess and maintain a general understanding of the following technologies and their IAM security features: Microsoft SQL, Linux, Oracle, Active Directory, SailPoint, CyberArk, Multi-factor Authentication (RSA).
Stay current on developments within the Identity and Access Management space and implement ways to innovate, automate, improve user experience, and deliver services more efficiently.
Periodically provide reports to the executive team (ET) and other senior leadership on IAM program metrics and project status.
Characteristics & Qualifications:
Required:
BS degree in Computer Science or Information Technology, or at least 5 years of experience in Information Technology systems administration and operations, IT/cyber security systems operations and administration, identity and access management technology systems administration and operations, Identity and Access Governance processes and tools, or IT or Cyber Security system governance.
At least 5 years of experience in Information Technology systems administration and operations, IT/cyber security systems operations and administration, identity and access management technology systems administration and operations, Identity and Access Governance processes and tools, Governance, Risk & Compliance (GRC), or IT or Cyber Security system governance.
2-5 years of leadership experience in a managerial/supervisory role, leading teams with responsibilities for one or more of the following functions: Identity and Access Management, Information Technology, Governance, Risk & Compliance (GRC), Cyber Security.
Experience in quantitative and qualitative analysis
Ability to solve problems that proactively address customer needs and requirements with innovative, creative, and cost-effective solutions
Ability to understand business needs, while establishing and maintaining a high level of customer trust and confidence
Ability to develop strong relationships with multiple departments and divisions
Ability to use Microsoft Office Suite (MS-Word, MS-Excel and MS-PowerPoint)
Ability to communicate effectively with management, peers, and customers
Experience using effective verbal and written communications skills
Ability to develop and maintain policies and procedures to reflect the most current state of business processes and technologies
Experience developing policies, procedures, standards or manuals
Experience documenting and improving business processes
Ability to give and receive tough messages
Ability to collaborate, influence, and partner with business units
Ability to lead an organization in troubleshooting and problem solving
Ability to select, organize, lead, participate in and facilitate a team to produce results
Experience managing both full-time employees and contract staff, with an understanding of co-employment implications and risks
Experience creating division/department vision, strategy, goals and objectives
Ability to coach and evaluate the performance of others
Experience with internal or external auditors
Preferred:
MA degree in Information Technology or 5-10 years of leadership experience in a managerial/supervisory role.
Leading teams with accountability for processes, tools and teams in the core area of governance, risk and compliance (GRC) OR in cyber security.
Experience in setting and executing strategies and establishing enterprise-wide programs in GRC or cyber security.
5-10 years of leadership experience in a managerial/supervisory role, leading teams with responsibilities for one or more of the following functions: Identity and Access Management, Information Technology, Governance, Risk & Compliance (GRC), Cyber Security.
Ability and desire to build relationships and interact with a wide range of stakeholders and staff to maintain and enhance PJM’s customer service reputation
Experience with PJM operations, markets, and planning functions
Experience with evolving industry regulatory and technical issues as they apply to the PJM system and the role of PJM as an ISO/RTO