Security and Compliance Engineer
Posting Date October 20, 2016
Position Title Security and Compliance Engineer
Vacancy # V-1224
Department Enterprise Technology Services
Program Information Technology
Division Information Technology
STATEMENT OF PURPOSE:
Reporting to the Director of Information Security and Identity Management (ISIM) for the Information Technology Division, the Engineer for Security and Compliance has primary responsibility for developing and implementing systems and data security policies for all centrally-managed IT services and for working with administrative and academic areas to ensure that the University is in compliance with all relevant state, federal, and industry information security practices and regulations. Works closely with the Director of ISIM to develop and maintain policies for information security including data classification and handling, systems and data access, acceptable use, network access, user account lifecycle management and authentication, incident handling, and breach response protocols. Acts as a channel of communication to receive and direct compliance issues to appropriate resources within the organization for investigation and appropriate resolution.
In the event of a security or data breach, the Engineer for Security and Compliance will coordinate the incident-response, containment, and remediation efforts for campus clients and servers. Assists in the development of policies and procedures to guide systems engineers, application administrators, programmers, IT managers, and end users in maintaining the security and integrity of clients, servers, applications, and associated data. Provides expert advice to the Directors of ISIM, Systems and Infrastructure Operations (SIO), Networking and Telecommunications (NTG) and the Associate Vice President of Enterprise Technology Services on matters related to systems, network, application, and data security. Performs analytical and technical work in planning, designing, and implementing secure systems and client/server environments. Acts as the primary point of contact for ensuring Enterprise Resource Planning (ERP) applications comply with established University security policies and procedures and all applicable state, federal and industry regulations and best practices.
MAJOR DUTIES AND RESPONSIBILITIES
- Works with the AVP of Enterprise Technology Services and the Director of ISIM to assist in the development, implementation, auditing and enforcement of security and data handling policies to help ensure the safety of University information that is created, edited, stored, or transmitted electronically.
- Suggests changes and enhancements to server and network configurations and data handling and storage procedures to improve security and reduce the risk of sensitive University data assets being mishandled, exposed, and/or exploited. This includes potential violations of State, Federal, and industry regulations and policies such as FERPA, FISMA, HIPAA, HITECH, Sarbanes-Oxley, Gramm Leach Bliley, CALEA, PCI-DSS and Red Flags.
- Responds to reported application security violations received from users and operating units of the enterprise. Investigates validity of those reports and makes recommendations for remediation.
- Researches the latest security threats and assists systems engineers, network administrators, and applications programmers with the maintenance and upgrade of hardware, operating systems software and applications on centrally supported devices to ensure the compatibility, effectiveness, integrity, and security of all services.
- Works with the Human Resources Department and others as appropriate to develop an effective compliance training program, including appropriate introductory training for new employees as well as ongoing training for all employees and managers.
- Monitors all centrally managed development, test, and production servers for proper security configuration and analyzes system and network logs to identify potential security vulnerabilities or exploits.
- Acts as the primary point of contact for ensuring Enterprise Resource Planning (ERP) applications comply with established University security policies and procedures.
- Assists and advises ERP developers and administrators with the configuration, testing, and implementation of application security roles and permissions. Identifies potential areas where existing ERP application security policies and procedures require change, or where new ones need to be developed in response to evolving business requirements.
- Acts as a liaison to coordinate with external security vendor(s) performing computer forensic analysis services for security and/or investigative purposes as requested by University Counsel, University Police, or authorized third parties. Abides by all applicable legal statutes, policies, and procedures to maintain the chain of custody for any materials or data that may be used in a court of law.
- Performs pro-active security scans and/or reviews of University systems, networks and applications for vulnerabilities and reviews scan results with appropriate parties to suggest and/or assist with remedial action.
- Consults with the Director of ISIM to perform and/or assist the technical support staff in the installation and set up of computing systems and network devices according to baseline security measures and appropriate operation and functionality practices.
- Develops programs and command procedures to enhance the functionality and manageability of supported systems. Maintains accurate system logs to track all patch levels and security policy changes.
- Keeps apprised and advises in the use of new authentication and authorization technology such as digital signatures, one-time passwords, 2-factor authentication, and biometrics.
- Consults with the Director of ISIM on identified security incidents or policy matters.
- Maintains integrity and appropriate confidentiality in all institutional and program operations.
- Contributes to the preparation of studies and reports containing findings and recommendations for the implementation of systems, security and application software.
- Establishes and maintains effective communication and cooperative working relationships with the Institution's administrators, faculty and staff, government, and private sector agencies/vendors.
- May be asked to communicate with members of the campus community to ensure transfer of operational, procedural, and policy information.
- Works with the project managers and internal clients to verify any business requirements that may generate the need for changes in the Information Technology infrastructure.
- Maintains system and network logs as necessary to identify potential security threats or attacks/probes on campus systems.
- Evaluates and recommends security hardware and/or software to meet the objectives of the institution.
- Represents the University at conferences, seminars or meetings and serves on ad hoc and standing committees as required.
- Performs other functions consistent with the job title as necessary and as directed by the Director of Systems and Security.
- The above statements reflect the general details considered necessary to describe the principal functions of the job as identified, and shall not be considered as a detailed description of all work requirements that may be inherent in the position.
Qualifications & Requirements
- Graduation from an accredited university/college with a Bachelor's Degree in Computer Science or a related field is strongly desirable. Applicants without a degree but who have extensive experience in the related field will also be considered.
- Industry certification(s) in information security, compliance, security analysis, or other fields of expertise that are directly related to the duties and responsibilities of the position are also strongly desirable.
- Three years of professional experience in systems administration, security administration, or security forensics and/or analysis, preferably in an institution of higher education or other field that is directly related to the functions of the position.
Knowledge, Skills, and Abilities
- Familiarity with State, Federal, and industry regulations and policies such as FERPA, FISMA, HIPAA, HITECH, Sarbanes-Oxley, Gramm Leach Bliley, CALEA, PCI-DSS, and Red Flags.
- Extensive knowledge of vulnerabilities in Linux/Unix, Windows, and MacOS operating systems, and how to minimize those vulnerabilities through proper security configuration and/or additional software.
- Knowledge of Internet standard protocols such as TCP/IP, UDP, DNS, IMAP/POP, HTTP, and LDAP.
- Extensive knowledge of security and encryption protocols such as PGP, SSL, TLS, MD5, SAML, Kerberos, CAS, and OpenAuth.
- Knowledge and experience supporting and/or recommending best practice security posture of common Enterprise Resource Planning applications such as PeopleSoft and Banner including authentication, access, and role-based authorization.
- Knowledge of identity management concepts, tools, and practices including directory services and federated identity services such as Shibboleth.
- Experience with systems and network security and monitoring tools such as nmap, Tripwire Enterprise, syslog, Icinga, web application scanners, bit9, anti-virus and Nessus.
- Knowledge of hardware including laptops, desktops, servers, and mobile platforms such as iOS and Android cellular phones and tablets.
- Ability to maintain a best practices approach to systems installation, maintenance, and security in a production environment.
- Ability to acquire considerable knowledge of higher education systems and the function of institutions of higher learning.
- Ability to prepare clear and detailed correspondence.
- Ability to establish cooperative working relationships with university staff and users and to coordinate the implementation and ongoing enhancements to security programs, policies, and procedures with other institutional offices or organizations.
Commensurate with Experience
Anticipated Start Date December 2016
Send cover letter and resume to
(include vacancy # if above)
Apply By Review begins immediately and continues until position is filled
Organizational Marketing Statement:
Building on a distinguished 105-year history, Montclair State University is proud to be a leading institution of higher education in New Jersey. The university's six colleges and schools serve more than 19,000 undergraduate and graduate students in 300 majors, minors, concentrations and certificate programs. Situated on a beautiful, 250-acre suburban campus just 14 miles from New York City, Montclair State combines the instructional and research resources of a large public university in a dynamic, sophisticated, and diverse academic environment.
Montclair State University is an Equal Opportunity/Affirmative Action institution with a strong commitment to diversity. Additional information can be found on the MSU website at www.montclair.edu.
AN EQUAL OPPORTUNITY/AFFIRMATIVE ACTION INSTITUTION