Information Technologist IV/S
Governance, Risk, and Compliance Lead

Position Summary
Michigan State University seeks a dynamic information technologist to lead the IT Security Governance, Risk, and Compliance (GRC) program. This is an exceptional opportunity to join a vibrant public research university and perform information security analysis across a $2 billion enterprise. The lead will help protect MSU systems and data through constant monitoring and analysis of cyber threats.
This position will specialize in leading the information security risk management process within the University. The primary responsibilities of the position are to assess the adequacy of application/data security controls and business continuity/disaster recovery controls, evaluate threats and vulnerabilities, calculate the level of current and residual risk, and communicate these risks to business units and management.
The lead must have the ability to convey complicated technology and security concepts to management and ideally has technical knowledge and/or experience in security, networking, systems administration, database administration, architecture or another technical domain. Alternatively, proficiency in a risk management framework and conducting risk assessments in a regulated environment is desired.
The MSU Information Security GRC Lead needs excellent verbal and written communication skills with the ability to understand business requirements. To succeed in this position, they must be able to develop risk management strategies that align with business goals and operations and protect the confidentiality, integrity and availability of information systems and our data.
Unit Specific Education/Experience/Skills
This position will require a highly qualified individual who has strong problem-solving and technical skills; is a strong critical thinker who is detail oriented; and can analyze and process large data sets. This individual should be responsive and biased towards speed and execution; able to work under pressure across multiple roles and hierarchies; highly collaborative but also able to work independently; and innovative.
Knowledge equivalent to that which normally would be acquired by completing a four-year college degree program in Computer Science, Information Systems, Business or a related information technology field, with coursework in an information technology specialization related to the area of employment.
• More than eight years of demonstrated experience in identifying, assessing, measuring and monitoring information technology risk by performing independent hands-on risk assessments or a related role requiring analysis, prioritization, and problem solving.
• Experience in developing and/or implementing an overall risk management strategy for new or existing services with key business stakeholders.
• Knowledge of information security standards and frameworks (e.g., ISO 17799/27002, NIST 800-53, COBIT 5, etc.), rules and regulations related to information security and data confidentiality (e.g., FERPA, HIPAA, PCI-DSS, FISMA, etc.).
• Experience with identifying risks between IT infrastructure, services, and business practices.
• Significant knowledge and experience in two or more core security areas (Identity and Access Control, Application Security, Business Continuity and Disaster Recovery, Encryption, Governance and Risk Management, Legal Regulations and Compliance, Security Operations, Security Architecture and Design, or Network Security).
• Knowledge of project management and in the use of project management tools.

Desired Qualifications
• Experience in reviewing software designs (vendor purchased or custom engineered) for compliance with local, state and federal information security laws and compliance requirements, business continuity and disaster recovery requirements and recommending appropriate language as necessary.
• Experience in information technology security policy development, security awareness education, application vulnerability assessments, risk analysis and compliance testing.
• Experience in identifying and communicating recommended security and business continuity controls and control deficiencies for business units.
• Experience documenting and monitoring the implementation of controls for technology and business project plans.
• Excellent interpersonal/communication skills (both verbal and written).
• Ability to understand, discuss, and explain technical issues with diverse audiences.
• Demonstrated pursuit of excellence and mastery in the field of Information Assurance, such as publication in industry trade journals, active participation in trade associations, or speaking at conferences.
• Dedication to advancing the field of Information Assurance through community service such as volunteer work for philanthropic or nonprofit organizations.
• Applicant must have at least one of the following certifications: Certified Information Systems Auditor (CISA), Certified Information Systems Manager (CISM), or Certified Information Systems Security Professional (CISSP).
• Broad knowledge of best practices and trends in the field of Information Security and Risk Management.

Required Application Materials
Cover Letter, Resume + Proof of certification(s)

Work Hours
STANDARD 8-5 (Bidding Eligibility ends 7/11/17 at 11:55 PM)