The Director of Information Security (The Director) has the authority and responsibility to strategically and tactically lead and manage the University’s information security and security risk programs. The Director will develop, review, and implement information security and privacy policies, procedures, and guidelines for the University's information technology (IT) environments. The Director will identify key areas of risk, recommend and implement appropriate security controls and monitoring systems. The Director will be the primary Information Services point of contact for internal and external law enforcement personnel when they are investigating a related case.
Information Security Leadership
- Work with University executive, academic and business managers to partner the IT organization with business units to help them meet security and compliance requirements.
- Establish and lead an Information Security Committee to develop strategic information security requirements and to implement appropriate preventative and remedial measures to minimize risk.
- Develop, implement and maintain information security policies, procedures, and guidelines for the university's computing and networking environments. Annually review to assess compliance and recommend updates.
- Independently perform risk assessments and work closely with internal and external auditors to preempt, mitigate, and swiftly respond to any audit findings that require action.
- Develop, implement and manage the University’s Security Incident Response Program to include policy, procedure, analysis and documentation of incidents as well as periodic incident management testing.
- Lead information security projects and initiatives for the University by collaborating and communicating in an inclusive manner with key stakeholders and subject-matter experts.
- Recommend and manage security budgets, projects and systems to ensure adequate resourcing of university information security programs
- Manage a staff of information security professionals, hire and train new staff, conduct performance reviews, and provide leadership and coaching, including technical and personal development programs for team members.
- Create and oversee implementations of strategies for risk mitigation.
Information Security Awareness and Training
- Develop and implement a University-wide information security awareness and training program for stakeholders and all faculty and staff.
- Design and deliver security workshops and curriculum.
Information Security Administration
- Manage the University’s enterprise server and desktop antivirus platform.
- Manage the University’s vulnerability management solution. Work with system owners and departments to mitigate any possible vulnerabilities.
- Utilize state of the art systems and processes to protect University systems and data from unauthorized access and abuse.
- Provide oversight and ownership for intrusion detection and response as well as creation and maintenance of security certificates.
- Coordinate the handling and resolution of security breaches, systems intrusions, and abuse.
- Respond to requests for information from legal and or law enforcement in a timely, accurate and confidential manner.
- Work with the Chief Information Officer (CIO) and outside security consulting firms to periodically conduct external assessments of the University’s information security profile.
- Routinely monitor and audit compliance with all information security procedures and policies to ensure consistency of internal controls across departments.
- Participate in requests for proposals (RFP) and vendor meetings to vet information security needs of new applications and software-as-a-service offerings.
- Lead and document the annual Payment Card Industry-Data Security Standard (PCI-DSS) assessment for the University.
- Assess relevant IT purchases to ensure they support security and compliance requirements.
- Maintain up-to-date knowledge of the IT security industry including awareness of new or revised security solutions, improved security processes and the development of new attacks and threat vectors.