Director for Information Security Risk & Assurance
Position Number: 00061664
Primary Function of Organization Unit: The Security & Compliance Unit (S&C) within the Office of Information Technology (OIT) oversees the security of the University's systems and data in a manner that is consistent with industry best practices and the University's compliance obligations. S&C develops (and ensures compliance with) information security policies/regulations/procedures, oversees implementation of strategic information security initiatives, provides operational security services, provides campus-wide software license management, coordinates IT resilience efforts and provides portfolio/project management guidance for OIT. The Information Security Risk and Assurance (ISRA) team within the Office of Information Technology (OIT) Security & Compliance unit is a central point for managing university IT security risk and compliance activities. The team assists with IT security strategic planning and security service development and is primarily responsible for solutions architecture, risk management and compliance program development, specific compliance programs relating to HIPAA, FERPA, PCI DSS, NIST 800-series, ISO 27001/2, security awareness, policy and standards development, etc.
Essential Job Duties: The Director of Information Security Risk and Assurance (ISRA) reports to the Chief Information Security Officer/Director of Security & Compliance (S&C) in the Office of Information Technology (OIT). The Director assures the university's compliance with federal law, state government statutes, university system standards and NC State internal policies, regulations, procedures and contractual obligations in the area of information security and privacy. Appropriate frameworks, policies, regulations, guidelines, procedures and assurance processes are developed for the security, privacy, and protection of the university's information assets, including research data. Primary responsibilities include:
1) Work closely with the CISO to develop appropriate security strategies to align university security defenses with the evolving threat landscape and changing business requirements. This includes continuous development of the university cyber security strategic plan and road map.
2) Conduct appropriate gap analyses and develop appropriate procedures, regulations, standards and rules to ensure compliance. Examples are listed below:
- NC State Data Sensitivity Framework
- UNC System Security Framework/Baseline based on ISO 27001/2:2013
- NC State University Information Security Manual
- NIST Cybersecurity Framework and Special Publications series 800 (e.g., 800-53, 800-171)
- FISMA (Federal Information Security Management Act of 2002)
- Higher Education Opportunity Act (HEOA) and Digital Millennium Copyright Act (DMCA) peer-to-peer file sharing provisions; this position serves as the University Copyright agent
- Payment Card Industry Data Security Standards (PCI DSS)
- HIPAA (Health Insurance Portability and Accountability Act of 1996); this position serves as the University HIPAA security officer
- GLBA (The Gramm-Leach-Bliley Act of 1999); this position serves as the GLBA Data Security Leader
- European GDPR (General Data Protection Regulation)
- Applicable State and Federal Laws/Regulations
3) In conjunction with the Information Security Services (ISS) team within S&C, perform information security assessments, IT risk assessments, application security reviews, sensitive data security reviews, 3rd party vendor security assessments, information security audit coordination, and information security vendor contract reviews.
4) Partner with university stakeholders to encourage the application of security controls throughout the application and process development lifecycle.
5) Establish, lead, serve on or advise the University's committees that address information security, privacy and compliance issues. Provide leadership on committees that are responsible for establishing and communicating University-wide information security strategy, governance, policies and standards.
6) Initiate, facilitate, and promote activities to create information security awareness for the campus community. Establish standards for user education and awareness and help facilitate the Campus Security Liaison Program, which consists of a representative from each college/division. This will be done jointly with the S&C ISS team and staff from OIT Outreach, Communications & Consulting (OCC).
7) Analyze and assist in developing the university Identity and Access Management (IAM) security requirements to provide services to members of the campus community based upon the privileges associated with their roles.
8) Provide leadership in the continued development and implementation of the Secure University Research Environment (SURE), both short-term and long-term, to ensure compliance with security requirements such as NIST 800-171 to protect and secure the university's sensitive research data (e.g., CUI).
9) Develop, implement and maintain a campus-wide IT risk management program that identifies, analyzes, evaluates and prioritizes risks to the university's IT infrastructure and information assets. This includes a risk treatment process with scoring of the likelihood of vulnerabilities and threats against the assets to determine the level of risk tolerance.
10) Work closely with the S&C ISS team as well as other OIT and campus IT staff regarding the technical implementation of the frameworks, university policies/regulations/procedures/rules, programs and processes.
The Director will be heavily involved with strategic planning, budget planning and the implementation of an overall Information Security Program.
Minimum Education/Experience: Graduation from an accredited four-year college or university with a major in information technology, computer science, a closely related field, or equivalent years of experience. A minimum of five years of full-time experience in information security management. A minimum of 7 years of information security or related information technology skills (risk management, information auditing, etc.).
Department Required Skills: Demonstrated experience overseeing the establishment, implementation, and adherence to policies and standards that guide and support an information security strategy. In-depth knowledge of information security principles, information auditing principles and information security policy and compliance. Experience implementing security controls in one or more of the following areas:
- Network administration
- System administration
- Software development
- Information Security administration
A solid understanding of technical IT security controls relating to the university network, servers, workstations, and other end user devices. Strong knowledge and an awareness of the key attributes of applicable federal regulations, state laws, and other external requirements and their impact on information security, privacy and compliance, such as the following:
- FERPA - Family Educational Rights and Privacy Act
- GLBA - Gramm-Leach-Bliley Act
- HIPAA - Health Insurance Portability and Accountability Act of 1996
- ISO/IEC 27000 series - International Organization for Standardization & International Electrotechnical Commission
- NIST FIPS PUB 800-53 - National Institute of Standards & Technology
- PCI/DSS - Payment Card Industry Data Security Standard
- FTC (Federal Trade Commission) Red Flags Rule
- SSAE16 (Statement on Auditing Standards No. 70) and SOC 1 & 2 (Service Organization Controls)
- HEOA - Higher Education Opportunity Act
- DMCA - Digital Millennium Copyright Act
- North Carolina Identity Theft Protection Act of 2005, North Carolina General Statute § 75-60
- North Carolina General Statutes, Chapter 126: State Personnel System (NC Personnel Act)
- North Carolina General Statutes, Chapter 132: Public Records, including NC Social Security numbers and other personal identifying information (North Carolina General Statutes, Chapter 132-1.10)
Proven leadership, communication, presentation and problem solving skills. A solid understanding of privacy practices and their relationship to business, security, and compliance requirements. Familiarity with single sign-on concepts and identity/access management methodology. Ability to interpret various hardware, software, procedural, and policy manuals and other technical and complex documentation. Experience conducting security assessments, particularly of cloud service vendors. Proven ability to enhance and/or implement an enterprise-wide information security education and awareness program. Demonstrated interpersonal skills, cultural awareness, and organizational prowess required to work effectively in a University setting.
Preferred Experience, Skills, Training/Education: An understanding of physical security practices for buildings and work spaces where employees and others handle sensitive and valuable information in any form (spoken, printed, electronic). A broad understanding of all IT service functions, such as technical security, network engineering, application development, server administration, database administration, user account administration, identity and access management, end-point device management and academic support. Professional security certification from at least one of the currently accepted information security, privacy or audit certification bodies, such as:
- Certified Information Systems Security Professional (CISSP)
- Systems Security Certified Practitioner (SSCP)
- Certified Information Security Manager (CISM)
- Certified Information Privacy Professional (CIPP)
- SANS Global Information Assurance Certifications
Necessary Licenses and Certifications: N/A
AA/EOE: NC State University is an equal opportunity and affirmative action employer. All qualified applicants will receive consideration for employment without regard to race, color, national origin, religion, sex, gender identity, age, sexual orientation, genetic information, status as an individual with a disability, or status as a protected veteran.
Individuals with disabilities requiring disability-related accommodations in the application and interview process should call 919-515-3148. Final candidates are subject to criminal & sex offender background checks. Some vacancies also require credit or motor vehicle checks. If the highest degree is from an institution outside of the U.S., final candidates are required to have their degree verified at www.wes.org (http://wes.org). The degree must be obtained prior to the start date.
NC State University participates in E-Verify. Federal law requires all employers to verify the identity and employment eligibility of all persons hired to work in the United States.