University of Delaware Chief Information Security Officer- IT-Information Security in Newark, Delaware

Chief Information Security Officer- IT-Information Security

Job no: 501015

College / VP Area: Vice President for IT

Work type: Staff

Location: Newark/Hybrid

Categories: Information Technology, Full Time

JOB TITLE: Chief Information Security Officer

CONTEXT OF THE JOB:

The IT Information Security Office assesses risks to University information assets and works closely with a broad range of University constituencies to implement appropriate administrative, technical, and physical controls to comply with laws, regulations, funding agency requirements and security policies. The office develops, implements, and maintains a comprehensive information security program and establishes policies, procedures, training, and awareness initiatives designed to protect University information resources, limit liability, and prevent legal and regulatory violations. In addition, the office defines, promotes, and enforces policies and standards to manage risks throughout the digital identity lifecycle, including user identification and authentication, user privileges and account management, in accordance with laws, regulations and contractual obligations.

Information Technologies at the University of Delaware (www.it.udel.edu) provides the IT infrastructure, central IT systems and applications, and IT services for University of Delaware teaching, learning, research, administrative, and outreach activities. The IT organization comprises eight units: Information Security, Academic Technology Services, Client Services and Support, Enterprise Systems and Services, Network and Infrastructure Services, Research Cyberinfrastructure, University Media Services, and Program Management Office.

Under limited direction from the Vice President for Information Technologies and the Chief Information Officer, the Chief Information Security Officer (CISO) is responsible for information security governance, including strategy and program administration, policy development, enforcement and compliance, risk assessment, incident response, and training and awareness programs. This position has overall responsibility for ensuring that appropriate policies, standards, procedures, and automated mechanisms, designed to appropriately protect the security of information and facilities, are documented and followed across both institutions (University of Delaware and University of Delaware Clinics). Sensitive or protected information may include information related to students, employees, faculty and patients, as well as information protected by state, federal, or industry policy (FERPA, HIPAA, FISMA, PCI, etc.). This information may exist in either electronic or paper form. Physical security solutions such as building access control systems and security cameras are also supported through the CISO’s office. The position works closely with the General Counsel of both the University and the Clinics.

MAJOR RESPONSIBILITIES:

Information Security Strategy

  • Guide and counsel the VP of IT, IT staff, and key members of the University leadership team; working closely with executive and academic leaders in defining objectives for information security.

  • Meet with and inform executive leadership and the Board of Trustees as needed.

  • Lead the information security planning process to establish an inclusive and comprehensive information security program for the entire institution in support of academic, research, and administrative information systems and technology. This includes establishing annual and long-range security and compliance goals, defining security strategies, metrics, reporting mechanisms and program services, and creating maturity models and a roadmap for continual program improvements.

Information Security Program Administration

  • Provide leadership, direction, and guidance in assessing and evaluating University-wide information security risks.

  • Develop, implement, and maintain a written information security program that addresses people, processes, and technology.

  • Identify and implement management, operational and technical safeguards to manage risks associated with confidentiality, integrity, availability and compliance with laws, regulations, contractual or funding agency or other external requirements and University IT security policies for central IT-controlled systems.

  • Identify and compile metrics to continuously assess the efficacy of the risk management program and opportunities for improvement.

  • Provide data risk management consultation to IT leaders, data stewards (officials responsible for different types of institutional data—human resources, registrar, etc.), custodians, technical experts, deans and administrative leaders on a wide variety of complex information security issues.

  • Work with data stewards and custodians to establish appropriate data management protocols.

  • Lead the development, implementation and maintenance of information stewardship and security policies, standards and protocols that create and maintain a risk management framework for University information resources, data and systems.

  • Define University-wide data management roles and responsibilities for complying with applicable laws, regulations, contractual, funding agency and other external requirements.

  • Publish and promote information security policies to the University community.

  • Serve as the University compliance officer with respect to federal, state and/or local information security laws, regulations, contractual or funding agency or other external requirements.

  • Work with the campus-designated officers and Vice President & General Counsel on compliance issues as necessary (e.g., FERPA records access, ITAR export controls and HIPAA privacy).

  • Oversee monitoring and documentation of compliance assessment and enforcement of data stewardship and information security policies, protocols, and guidelines.

  • Assess impacts of new technologies on the risks to the University’s central IT information assets; establish risk management processes to review potential impacts of implementation of new technologies.

  • Guide the development of Identity and Access Management program goals and strategic roadmap.

  • Oversee the service team to implement a best-in-class identity management life cycle process in accordance with University policies, laws and contractual obligations.

  • Work closely with the University office of Vice President & General Counsel to establish privacy and security requirements for vendors of commercial software and/or services; assess vendor privacy and security safeguards.

  • Negotiate contract language to place risk-appropriate privacy and security obligations on the application provider.

  • Establish and oversee protocols to identify, assess, publicize and/or coordinate responses to IT threats and vulnerabilities that affect the University.

  • Work closely with internal IT application developers to create information security quality-assurance processes that address information security throughout the software development life cycle.

  • Coordinate with appropriate process owners for central IT disaster recovery, including preparation, testing and maintenance of the disaster recovery plan.

  • Participate in the evaluation of commercial information security hardware and software offerings.

  • Work closely with the UD Police Department, Public Safety and Facilities group to provide application and user support for physical security related technical solutions.

  • Partner and consult with leaders across campus to define the risks that accompany new AI technology.

  • Assist the research community with a solutions-oriented approach.

  • Identify, prioritize, develop and leverage risk-based security metrics to provide visibility of security posture to different groups of audiences and leverage the data to make informed program decisions.

Incident Response

  • Develop and implement information security incident response and reporting plans and protocols to address University information security incidents and respond to alleged policy violations or complaints from external parties.

  • Investigate reported policy infractions and identify remediation steps needed and/or recommend disciplinary sanctions.

  • Keep abreast of security incidents and oversee protocols for assessing likelihood of data breaches.

  • Convene and/or participate as a key member of security incident response teams as needed to plan and conduct appropriate institutional responses to information security breaches.

  • Serve as the official campus contact point for information security, privacy, and copyright infringement incidents.

Information Security Training and Awareness Programs

  • Provide leadership as a standing member of the Information Security Awareness Program Steering Committee, creating education and awareness programs and advising campus constituencies at all levels on security issues, best practices, and vulnerabilities.

  • Pursue student security initiatives to address student information privacy and security awareness needs.

  • Develop and deliver ad-hoc security awareness presentations.

Information Assurance Liaison

  • Work with Internal Auditing, external auditors, and consultants as appropriate on security audits, compliance checks, and control assessment engagements.

  • Establish a cooperative working relationship with law enforcement—including campus police or public safety and local, state, and federal officials—for reporting incidents and conducting investigations.

  • Act as the official point of contact for representing UD on Information Security and/or privacy matters.

Knowledge Maintenance and Professional Development

  • Stay abreast of information privacy and security issues, legislation and regulations affecting higher education at the institutional, state, and national level.

  • Participate in national policy and practice discussions and communicate to campus about those topics.

  • Collaborate with other colleges and universities to share information or resources, as necessary, to improve the overall security of the higher education sector.

  • Engage in professional development to maintain continual growth in professional skills and knowledge essential to the position.

Unit Administration

  • Direct the administration and activities of the IT Technical Security and IT Security Policy and Compliance groups. Set department goals and objectives, reassess and redefine priorities as appropriate to meet IT unit and University goals.

  • Directly or indirectly supervise department staff including staff for Information Security, Campus and Public Safety, UD Police Department and CHS Clinic Staff; evaluate performance and provide guidance and feedback, assess need for technical and professional growth, and recommend development opportunities.

General

  • Prepare and present technical and non-technical data and information to UD stakeholders.

  • Manage programs, services, processes, and budgets of IT security teams that report to the CISO.

  • Work closely with other teams of the Information Technologies Division to develop procedures, standards, processes, and communication paths to forward security work and the work of the broader division.

  • Participate in the development of and engage in IT governance.

  • Serve as a leader and member of institutional committees and professional groups.

  • Perform other job-related duties as required.

QUALIFICATIONS:

  • Master’s degree and seven years’ experience in information security, information technology or related area, or equivalent combination of education, certification, and experience.

  • Certification as a Certified Information Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO), or Certified Information Security Manager (CISM), or equivalent.

  • A minimum of five years of experience with technology policy and security administration.

  • Demonstrated experience with evolving, state-of-the-art information security technologies and approaches.

  • Knowledge of computer forensic investigation methodology and investigation tools.

  • Experience with information system auditing including security reviews, control selection, and evaluation of systems using a risk-based approach.

  • Experience in developing and administering a risk-based information security program.

  • Extensive working knowledge of and experience in the policy and regulatory environment of information security, especially in higher education, is desirable.

  • Knowledge of, and experience with information security management, risk assessment, and regulatory compliance.

  • Knowledge of, and experience with, one or more industry-accepted controls frameworks (FISMA, ISO, NIST, etc.).

  • Knowledge of federal and state privacy and security laws and regulations including FERPA, HIPAA, GLBA, PCI, and PCI-DSS.

  • Possess integrity and high standards of professional conduct.

  • Demonstrated strong interpersonal and communications skills and the ability to achieve goals through influence, collaboration, and cooperation.

  • Experience and skill in developing and administering policy and procedure in a complex environment.

  • Demonstrated ability to communicate technical concepts and solutions to both technical and non-technical audiences.

  • Demonstrated ability to work with senior university staff and senior technical personnel.

  • Proven ability to build strong and diverse teams.

  • Proven ability to build relationships with and influence external and internal partners and stakeholders of all levels.

  • Ability to work collaboratively with a broad range of campus constituencies and diverse groups.

  • Preferred experience working in a higher education or a research environment.

  • Demonstrates an understanding and consideration of the differing needs and concerns of individuals with varying identities, cultures, and backgrounds.

  • Committed to fostering a workplace culture of belonging, where diversity is celebrated and equity is a core value.

Notice of Non-Discrimination, Equal Opportunity and Affirmative Action

The University of Delaware does not discriminate against any person on the basis of race, color, national origin, sex, gender identity or expression, sexual orientation, genetic information, marital status, disability, religion, age, veteran status or any other characteristic protected by applicable law in its employment, educational programs and activities, admissions policies, and scholarship and loan programs as required by Title IX of the Educational Amendments of 1972, the Americans with Disabilities Act of 1990, Section 504 of the Rehabilitation Act of 1973, Title VII of the Civil Rights Act of 1964, and other applicable statutes and University policies. The University of Delaware also prohibits unlawful harassment including sexual harassment and sexual violence.
