The Office of Audit and Compliance (OAC) serves as a proactive partner and trusted advisor to University management and departments to assess and support the mitigation of risks that may have a significant impact on the achievement of the University’s objectives. The goal of the OAC is to promote a culture of risk and compliance awareness at the institution through the services it provides. OAC seeks an experienced candidate with high professional and ethical standards who will provide quality Information Security and IT Operations assurance and advisory services to the University. Reporting to the Associate Director, IT Audit (Associate Director), the IT Audit Manager – Information Security (Audit Manager) will be responsible for independently planning, executing, developing, and communicating value added results of information security and IT operations assurance and advisory engagements to senior management. The Audit Manager will assist the Associate Director in procuring service providers for co-sourced audit projects and supervising their performance and deliverables to clients. As a member of the University’s Information Technology Audit team, the Audit Manager will conduct key strategy and planning activities related to the annual risk assessment and IT audit plan for the University. In addition, the Audit Manager should have a desire for continued career growth and a passion for learning new and emerging technologies to enable collaboration with the Associate Director in pursuit of continued innovation of the University’s IT audit function. Responsibilities
The key responsibilities of this position will be to:
Execute Information Assurance and Advisory ProjectsPerform information security and IT operations audits and/or advisory services across a broad range of systems and technologies including but not limited to: information security, vulnerability management, application controls, network infrastructure, databases, operating systems, IT general controls, pre and post system implementation, dev ops, cloud software and platforms, disaster recovery, and incident response.Design detailed audit work programs (in many cases customized for the environment), conduct interviews, document and analyze processes and apply critical thinking to evaluate risks and controls and assess the results of audit testing. Create detailed workpapers that substantiate audit findings.Evaluate audit findings, determine root causes, and extrapolate relevant institutional themes to develop relevant and achievable recommendations based on leading practice, the risk profile of the client and institution. Prepare professional audit reports summarizing observations, recommendations, and management responses. Ensure that projects have value-added results and are completed timely.Critically apply insights and knowledge of IT and information security to enable clients to solve complex institutional problems while effectively managing risks.Partner with OAC senior auditors on financial and operational projects with IT requirements and control evaluation, as needed.Follow IIA and other relevant standards in conducting assurance and advisory projects.
Plan, supervise, procure services, and communicate Plan and execute all aspects of risk-based audit and advisory projects by partnering with client department management to define the scope and objectives, project resource requirements, identify needs for specialized skills, timing and budgets.Lead the development of, in partnership with Associate Director, Request for Proposals (RFPs) for the acquisition of specialized skills in a co-sourced engagement model.Manage the execution of professional services teams on co-sourced projects and deliver value added outcomes.Develop and manage relationships with key campus client stakeholders of varying levels of seniority and information security knowledge in the organization to enable the effective identification of risk and delivery of assurance and consulting services.Prepare and present audit and advisory project reports that communicate complex information security and IT operations concepts to a diverse group of institutional constituents including Deans and Vice Presidents, summarizing observations, recommendations, and management responses.
Provide Strategy and Leadership Support Partner with the Associate Director to continue to mature the University’s Information Technology audit function through innovation and the implementation of new technologies, elevated testing approaches, assessment techniques, and agile engagement delivery.Collaborate with the Associate Director to execute the annual risk-assessment strategy and draft the IT audit work plan for the University.Conduct annual risk assessment interviews with senior executives and other managers throughout the University; identify and incorporate risk data from multiple internal and external sources to assess risk and analyze results.Identify, evaluate, and operate value added technology tools for OAC operations and internal audit projects.Proactively identify and build relationships with colleagues from other Universities to share information on industry risks and leading practices.Assist with Trustee and Senior Management presentations as required.Demonstrate foresight, superior judgment and the ability to develop creative solutions using a risk-based approach in the performance and management of all tasks.Support the progressive development of senior auditor IT audit knowledge, skills, and abilities by identifying key learning opportunities and developing value added training materials.Keep current with developments in relevant technologies and IT audit methodologies; independently develop and propose to the Associate Director an annual risk aligned training plan.Perform special projects and represent OAC on University committees, as required. Qualifications
Essential Qualifications: Knowledge, Skills, and Abilities Required:
High ethical standards representative of Princeton University’s commitment to excellence.Knowledge of one or more information security frameworks including the NIST Cyber Security Framework, NIST 800-171, CMMC, HITRUST, ISO 27000 series, and the CIS Controls.Self-motivation, initiative, and broad thinking.Current CISSP, CISA, CISM, CRISC, or other relevant certification, or a commitment to pursue.BA/BS or an advanced degree in information systems, business, or a related field.
- 6+ years of experience in, IT audit, Information Security Operations, IT management, information security analysis, IT operations, and/or systems assurance.
- Demonstrated ability to analyze technology systems and processes with strong attention to detail, apply critical thinking skills, and use sound business judgment in the application of auditing principles, University policies, and business practices.
- Excellent project management skills and demonstrated ability to achieve audit objectives on multiple, complex, concurrent projects.
- Experience managing multiple project stakeholders (internal and external) in concurrently running engagements.
- Strong analytical, problem solving, time management, and interpersonal
- Excellent communication skills, including proven ability to prepare and present clear and concise reports to stakeholders and articulate complex and/or technical issues.
- Superior judgment, diplomacy, and discretion in handling sensitive information.
- Demonstrated technical skills and experience in some of the following:TCP/IP based network architecture and corresponding security design and enabling technologies such as next generation firewalls, IPS/IDS, routers, and switches.Microsoft Windows, Mac OS, and Linux operating systems, Active Directory, LDAP, Office365/Exchange, Microsoft SQL Server, Oracle Database systems, VMWare, Citrix, and SharePoint.Configuration management and automation technologies such as Ansible Tower or Puppet.Third party cloud offerings such as Amazon Web Services and Microsoft Azure and software as a service vendor assessments and ongoing monitoring (e.g., System and Organization Control reports).Vulnerability assessment and/or penetration testing tools and concepts
Information system testing techniques including the use of automated assessment tools.
8+ years of quantifiable experience in IT and/or information security operations, effective client management, and service deliveryAdvanced degree in information systems, business, or a related field.Knowledge of University operations and/or experience in higher education, especially focused on unique risks associated with academic departments and research.Experience selecting and implementing a data analytics software platform.
- Experience managing projects co-sourced with professional services firms.
- Knowledge of Large-scale ERP systems such as PeopleSoft, internal and external penetration testing tools and techniques, web application scanning/testing, social engineering, secure software development methodologies and enabling technology tools.Familiarity with Internet of Things (IoT) devices, industrial control systems (ICS) and supervisory control and data acquisition (SCADA).
This role is Princeton-based and does not require travel Princeton University is an Equal Opportunity/Affirmative Action Employer
and all qualified applicants will receive consideration for employment without regard to age, race, color, religion, sex, sexual orientation, gender identity or expression, national origin, disability status, protected veteran status, or any other characteristic protected by law. EEO IS THE LAW