Job Details
Location: Richland, WA 99352 (onsite)
Duration: 12-month contract
Project Description
The selected Virtual Chief Information Security Officer (vCISO) will provide strategic cybersecurity leadership and hands-on support to our agency's IT leadership over a four-month engagement. The vCISO will assess our current cybersecurity posture, identify gaps, and develop policies, procedures, and governance frameworks to enhance our security resilience. Key responsibilities include formulating a disaster recovery and business continuity plan, security policies, procedures and administration guidelines, a security gaps analysis assessment, a data protection and recovery plan, a vendor risk management plan, and an IT governance model to ensure effective response and mitigation strategies for cybersecurity threats. Additionally, the vCISO will assist in developing a multi-year cybersecurity roadmap, ensuring compliance with relevant regulatory frameworks such as NIST and CIS Controls. The consultant will also provide executive-level cybersecurity consultation to guide decision-making and risk mitigation strategies. The scope of work for this project includes, but is not limited to, the following:
A. Cybersecurity Assessment Report: A detailed evaluation of our current security posture, identifying gaps and risks, with prioritized recommendations for improvement.
B. IT Security Policies and Procedures: Development and formalization of key security policies, including data protection, access control, incident response, and endpoint security guidelines.
C. Disaster Recovery & Business Continuity Plan: A structured plan outlining strategies for system recovery, continuity of operations, and resilience against cyber incidents.
D. Security Gaps Analysis Assessment: Conduct a comprehensive evaluation of the City's cybersecurity environment to identify vulnerabilities and areas of non-compliance. This assessment will benchmark current practices against frameworks like NIST, covering network security, access controls, incident response, and data protection. A detailed report will outline security gaps, risks, and prioritized remediation recommendations.
E. Security Governance Model: A framework defining roles, responsibilities, and decision-making processes for managing cybersecurity within the agency.
F. Incident Response Framework and Plan: A documented protocol for detecting, responding to, and mitigating cyber incidents, including escalation procedures and communication plans.
G. Data Protection & Contingency Data Recovery Plan: Development of a comprehensive data protection strategy, including backup and recovery plans using solutions such as Veeam or equivalent technologies.
H. This plan will cover backup frequency, storage options, data restoration procedures, and contingency planning for data recovery.
I. Vendor Risk Management & Vetting Plan: Develop a comprehensive Vendor Risk Management and Vetting Plan. This plan will establish procedures for assessing, approving, and continuously monitoring third-party providers and vendors, including existing enterprise software and future integrations. The plan will ensure vendors meet security and compliance requirements, with defined criteria for risk evaluation, ongoing assessments, and remediation measures.
J. Multi-Year Cybersecurity Strategy & Roadmap for the City: A long-term strategic roadmap with phased implementation steps to strengthen cybersecurity resilience over time.
K. Executive Cybersecurity Consultation & Training during the project period: Periodic briefings and training sessions for IT leadership on risk management, compliance, and best practices in cybersecurity.
L. The vCISO will work closely with the City's IT leadership with regular updates and meetings (weekly or bi-weekly preferred) to ensure that all deliverables align with the agency's operational needs and regulatory requirements, providing both immediate security enhancements and a sustainable long-term strategy.