Reporting to the Vice President of Information Technology, the Director of Information Security is responsible for directing information security strategies, planning, and policies, and developing and maintaining data security programs for the College. The Director of Information Security helps ensure protection of institutional data and assets, leads cybersecurity risk management practices, and assesses vulnerability status to continuously monitor and enhance the College’s information security protocols. The incumbent must have a strong understanding of data protection practices, related regulations, and security infrastructure, and will help ensure adherence to appropriate controls and regulatory compliance, as well as regularly conduct user training programs and awareness campaigns to promote a culture of information security and a privacy-aware environment.
Essential functions
Information Security Strategies and Compliance – 75%
Develop and maintain comprehensive information security and privacy standards and system security frameworks, and implement policies and processes to enhance controls and reduce risk across the College.
Working with VP of IT, develop responses to and establish protocol for requests for information that include, but are not limited to, institutional audits, insurance renewals, and official agencies.
Assess and evaluate compliance against information security policies and standards, proactively identifying non-conforming areas, assessing risk, enforcing set policies, and providing risk response strategies as appropriate to balance compliance and innovation. Recommend and implement compliance measures that mitigate risks and maximize access to education.
Working closely with IT colleagues, help analyze and investigate known and emerging threats to determine risks, address risk response strategies, and recommend proactive cyber risk management programs that contribute to a secure and resilient infrastructure.
Create and maintain business continuity plans, and other applicable recovery plans. Help organize contingency plans and coordinate scheduling of periodic tests. Collaborate and coordinate the business continuity plans across College departments and maintain up-to-date plans.
Help assess role-based access, including physical/facilities control systems and access levels through periodic reviews, in addition to technical and administrative control measures.
Help assess equipment protection of College properties to ensure compliance with data protection and system security policies.
Support IT colleagues in the evaluation of solutions, development of procedures, and testing of data protection measures.
Reporting and Outreach – 20%
Advise IT management on future-state problems, challenges, and industry trends and regulations in cyber security controls and data protection, and work collaboratively to enhance capabilities and processes.
Monitor regulatory and legislative landscape, and recommend change requirements to maintain compliance. Stay current on industry trends around cyber risk and data protection practices. Assist IT management with compliance regulations that include, but are not limited to, FERPA, PCI, GLBA, GDPR, and PIPL.
Prepare reporting and/or dashboards as appropriate on security compliance, cyber risks, and incident management. Document research and analysis encompassing historical trends, current state, and predictive analysis.
Create and deliver data security training programs to maximize protection for the College and to increase user awareness and knowledge about information security.
Regularly conduct information security awareness campaigns and training for faculty, staff, and students that include best practices on data privacy and security principles.
Non-essential functions – 5%
Lead or participate in committees as assigned
Other duties as assigned
This position is currently defined as a hybrid position.
Qualifications
Bachelor’s Degree in Information Security, Cybersecurity, Computer Science, Information Systems, or a related field
Security Certification such as CISSP, CISM, CISA, and PCIP
7 years of information security experience in an enterprise setting
Strong knowledge of data protection regulations such as FERPA, PCI, GLBA, GDPR, and PIPL
Strong knowledge of security incident response practices
Strong knowledge of data security of ERP systems, and security practices and advancement of related auxiliary systems
Experience with compliance controls through control implementations and process design
Knowledge of vulnerability scans and penetration tests, and intrusion detection methodologies
Knowledge of firewalls, cryptography, identity and access management systems, directory services, SSO, and secure web and application development with strong understanding of security industry and best practices in network, application, database, and hardware platforms
Knowledge of application security and database technologies used to store enterprise information, directory services, and information systems auditing
Strong verbal and written communication skills in both business and technical subject areas with ability to effectively communicate complex information to diverse audiences
Strong research and analytical skills with proven ability to anticipate, measure, and plan for emerging risks to meet anticipated needs
Strong organizational and collaborative skills with ability to manage multiple projects, facilitate discussions, and recommend solutions
Experience with complex project or program management
Experience developing and conducting security campaigns and training programs
Ability to work outside of normal business hours
Ability to work independently as a self-starter
A commitment to DEIAB and culture, and the ability to establish and maintain effective working relationships within ArtCenter’s diverse communities
Preferred Qualifications
Experience in higher education
Cyber incident response management experience
Regulatory experience and/or background in compliance and controls
Every position at ArtCenter plays an important part in carrying out the values, goals, strategic vision, and mission of the College. This includes diversity, equity, inclusion, access, belonging (DEIAB) and culture.
Mandatory Duty to Report
All employees who know or have reason to know of allegations or acts that violate ArtCenter’s Title IX Policy prohibiting discrimination, harassment, retaliation, sexual harassment, sexual misconduct, sexual violence, dating violence, and stalking shall promptly inform the Director, Title IX Compliance and Programs, or designee or the Associate Dean of Students or designee. Faculty with a mandatory duty to report are required to disclose all information including the names of the parties, even where the person has requested their name remain confidential.
Pursuant to the California Child Abuse and Neglect Reporting Act (CANRA), all employees who know of or have reason to suspect child abuse or neglect involving alleged victims under age 18 shall promptly inform local law enforcement or the county welfare department.
Physical Demands and Working Environment
The conditions herein are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential job functions.
This is a full-time position. Normal business hours are Monday through Friday, 8:30 a.m. to 4:30 p.m. The position may require flexibility to work a staggered, remote or alternate schedule to meet the demands of the work, which could include weekends or evenings. The position is eligible for flexible scheduling and can be performed remotely, hybrid or may be required as a condition of employment.
Environment: Work is performed primarily in a standard office setting with frequent interruptions and distractions; extended periods of time viewing computer monitor; interactions with other individuals. Due to the nature of the work environment, there is regular exposure to fumes, chemicals, dust and noise.
Physical: The position is performed in an office setting. Employee is stationary most of the time but may move around the office environment for brief periods of time. Primary functions require sufficient physical ability and mobility to work in an office setting; to stand or sit for prolonged periods of time; to occasionally stoop, bend, kneel, crouch, reach, and twist; to lift, carry, push, and/or pull light to moderate amounts of weight (up to 10 pounds); to operate modern office equipment requiring repetitive hand movement and fine coordination including use of a computer keyboard; and to verbally communicate to exchange information. Regular and consistent attendance is required for most positions. Ability to travel between campuses.
Vision: Must be able to have the visual capacity to perform activities such as preparing and reading reports, viewing a computer terminal and other normal office work with or without correction.
Hearing: Must be able to communicate effectively in the course of normal office communication or exchange ideas with or without correction.
The above statements are intended to describe the general nature and level of work performed by the employee assigned to this job; they do not purport to describe all functions. Employees may be assigned other duties, and the essential functions may be changed from time to time as necessary.
Art Center College of Design is an international center for art and design education located in the hills above the Rose Bowl in Pasadena, California. We are an independent, nonprofit, four-year college with an 80-year history of educating aspiring artists and designers in a variety of creative fields.
Art Center offers a full benefits package of medical, dental, vision, LTD and life insurance plans. There is a generous leave time benefit in addition to paid time off between Christmas and New Year’s Day. Additional benefits include a retirement savings plan, tuition remission, and flextime options.