Director of Information Security - 501195

SUMMARY:

The Director of Information Security (The Director) has the authority and responsibility to strategically and tactically lead and manage the University’s information security and security risk programs. The Director will develop, review, and implement information security and privacy policies, procedures, and guidelines for the University's information technology (IT) environments. The Director will identify key areas of risk, recommend and implement appropriate security controls and monitoring systems. The Director will be the primary Information Services point of contact for internal and external law enforcement personnel when they are investigating a related case.

**Cover Letter and Resume are required to be fully considered for this opening**

RESPONSIBILITIES

Information Security Leadership

• Partner with University executive, academic and business units to help them meet security and compliance requirements.
• Establish and lead an Information Security Committee to develop strategic information security requirements and to implement appropriate preventative and remedial measures to minimize risk.
• Develop, implement and maintain information security policies, procedures, and guidelines for the university's computing and networking environments. Annually review to assess efficacy and make updates.
• Independently perform risk assessments and work closely with internal and external auditors to preempt, mitigate, and swiftly respond to audit findings to remediate.
• Maintain and improve the University’s Cybersecurity Incident Response Program to include policy, procedure, analysis and documentation of incidents as well as conduct periodic incident response training and exercises.
• Manage information security projects and initiatives for the University by collaborating and communicating in an inclusive manner with key stakeholders and subject-matter experts.
• Recommend and manage security budgets, projects and systems to ensure adequate resourcing of university information security programs
• Manage a staff of information security professionals, hire and train new staff, conduct performance reviews, and provide leadership and coaching, including technical and personal development programs for team members.

Information Security Awareness and Training

• Develop and implement a University-wide information security awareness education and training program for all faculty, staff, and students.
• Design and deliver security workshops and training.

Information Security Administration

• Manage the University’s enterprise endpoint protection platform.
• Manage the University’s vulnerability management program.
• Manage intrusion detection and response function to include determines rules and alerts.
• Manage and maintain site security certificates.
• Coordinate the handling and resolution of security breaches, systems intrusions, and abuse.
• Respond to requests for information from legal and or law enforcement in a timely, accurate, and confidential manner.
• Work with the CIO and outside security consulting firms to periodically conduct external assessments of the University’s information security posture.
• Routinely monitor and audit compliance with all information security procedures and policies to ensure consistency of internal controls across departments.
• Participate in requests for proposals (RFP) and vendor meetings to evaluate information security needs of new applications and software-as-a-service offerings.
• Update the technical portion of the annual Payment Card Industry-Data Security Standard (PCI-DSS) assessment for the University.
• Assess relevant IT purchases to ensure they support security and compliance requirements.
• Remain current of IT security industry topics and trends including awareness of new or revised security solutions, improved security processes and the development of new attacks and threat vectors.

QUALIFICATIONS:

• Thorough knowledge of information security principles and best practices.
• Working knowledge of key regulations practices including HIPAA, FERPA, GLBA, GDPR, and PCI.
• Thorough knowledge of networking and distributed computing, routing, n-tier software, web application architectures, and networked file systems.
• Thorough knowledge of TCP/IP protocols, firewalls, VLANS, intrusion detection, wired and wireless network infrastructure and monitoring.
• Working knowledge of on-premise, cloud, and mobile computing environments, including Microsoft Windows, Apple Macintosh, Linux, scripting languages, and security best practices.
• Thorough knowledge and demonstrated ability to perform risk assessments, risk impact analysis, mitigations and contingencies as applied to information security.
• Experience with and demonstrated ability to perform vulnerability assessments and utilize antivirus tools and platforms, web application firewall, and SIEM tools.
• Excellent oral and written communication, facilitation, collaboration, and consultation skills.
• A keen understanding of human based attack surface areas such as social engineering the risks they represent.
• Ability to influence university members not limited to faculty, staff, university senior leadership, academic leaders, and deans.
• Demonstrated ability to work collaboratively and to complete tasks and projects working with others across the University at all levels.
• Ability to use discretion when handling confidential information.
• Ability to create and implement plans that translate strategic requirements into actionable steps.
• Demonstrated analytical and problem-solving abilities.
• Ability to effectively prioritize and execute tasks in a rapidly changing environment.
• Ability to present ideas in both business-friendly and IT-friendly language.
• Highly self-motivated and directed.
• Keen attention to detail.

EDUCATION & EXPERIENCE:

• Bachelor’s degree in Information Security, Information Systems, or Computer Science or relevant experience.
• Certified Information Systems Security Professional (CISSP) or other equivalent certifications preferred.
• 5+ years information security experience.
• 1+ years networking experience.
• 1+ years Windows and/or Linux server administration experience.
• 1+ years of project management experience preferred.

WORK HOURS:

• Full-time, exempt position
• Monday – Friday, 8:30 a.m. - 5:00 p.m.; 7.75 hrs./day; 38.75 hrs./week
• Must be available to work on an as needed basis during critical times
• Flexibility to work 3 days on campus and 2 days remote

SALARY STRUCTURE:
Pay Grade 11 (Hiring range $98,709.00 to $135,722.00 annually)

ABOUT UR:

At the University of Richmond, we’re creative, inclusive, and determined. We’re Spiders, and our mission is to create positive change in the UR community and beyond. Located minutes from downtown Richmond, Virginia, the University of Richmond (www.richmond.edu) blends the intimacy of a small college with exceptional academic, research, and cultural opportunities usually found only at large institutions. There’s only one place like Richmond.

UR is committed to developing a diverse faculty, staff and student body, and to modeling an inclusive campus community which values the expression of differences in ways that promote excellence in teaching, learning, personal development and institutional success. In keeping with this commitment, our academic community welcomes candidates from diverse backgrounds and candidates who support diversity. EOE