Description: The information security and data privacy specialist is responsible for building and maintaining Juilliard’s information security and data privacy programs.
Lead the school's efforts to formalize and structure the following information security programs and initiatives, inclusive of all necessary cyber security tools, software, policies, procedures, and operations.
Identity and Access Management
Data Protection and Privacy
Threat and Vulnerability Management
Secure Software Development
Security Policy and Standards Development
Security Awareness Training
Work to build shared ownership of information security across the institution, and work with the school's administrative and academic teams to align the school's practices for transmitting, storing, and processing confidential information with data privacy best practices and with relevant statutory and regulatory requirements (e.g., PCI, HIPAA, FERPA, GDPR).
Establish a formal and structured portfolio of information security programs
Establish and maintain information security policies, processes, and standards in collaboration with the Juilliard community
Define security tool and platform configurations, including but not limited to password policies, Active Directory Group Policies (GPO), Office 365, Okta, OpenDNS, anti-virus / endpoint protection software, network security, patch and vulnerability management, log monitoring and correlation, and data leak prevention (DLP) software.
Educate and inform key stakeholders about new threats, industry trends, and applicable laws related to security through reports, presentations, and relevant metrics
Assess Juilliard operations and implement controls relative to Juilliard’s data privacy and regulatory requirements with respect to FERPA, HIPAA, PCI, and GDPR.
Maintain a working knowledge of laws, regulations, and industry standards where compliance requires specific data or information security policies, practices, reporting, or audits. These include, but are not limited to, HIPAA, FERPA, PCI, and GDPR.
Identify software/tools/vendors that can impact the school’s ability to manage information security risks
Conduct, review, and report on ongoing vulnerability assessments of IT systems and coordinate periodic information security assessments
Review and assess information security risks, recommend controls, oversee their implementation and management in collaboration with IT and other staff
As a member of the IT leadership team, participate in strategic planning and the development of goals and objectives, specifically for information security, while also infusing security into all other goals
Facilitate the communication of policies, practices, and awareness to the Juilliard community
Manage and coordinate incident response procedures to track and address information, system and network security incidents, and alleged policy violations
Coordinate with the General Counsel to ensure that information technology practices and policies are compliant with applicable standards and laws
Participate in the higher education information security community for awareness of best practices and emerging threats
Bachelor’s degree or the equivalent in education and experience; degree in a technology related field preferred
Must have seven years of relevant experience in information security, with domain expertise in at least one of the previously noted information security programs
Experience working in higher education
Previous technology experience in cloud and mobile first environments
Ability to work independently and as a member of a team, establish priorities, and work collaboratively as a member of a diverse community
Collaborative, constructive, and proactive approach to work
Exceptional oral, written, and interpersonal communication skills
Excellent project management skills and ability to balance multiple priorities
Attention to detail in both completion of work and documenting work products
Knowledge of information security and data breach standards, regulations, and laws including PCI, FERPA, HIPAA, and NIST 800 series
Experience presenting complex security concepts to a variety of audiences or groups (e.g. end-user training, recommendations to IT leader peers, executive-level briefings)
Knowledge of network and authentication protocols, encryption types, security information and event management (SIEM), and information security technologies
CISSP or similar certification(s)
Experience in managing cloud-based platforms and vendors
The ability and interest to document processes and procedures