This job has expired

IT Senior Data Security Specialist - Remote

Employer
University of Massachusetts Medical School
Location
333 South Street

Administrative Jobs
Institutional & Business Affairs, Safety & Security
Employment Type
Full Time
Institution Type
Four-Year Institution

Job Details

Overview

GENERAL SUMMARY OF POSITION: 

Under the direction of the Information Security Officer, the Senior Data Protection Specialist will ensure that security programs, processes and controls are in-place and effective to ensure compliance with numerous Data Protection requirements. The role is responsible for identifying and assessing security risks associated with Data Protection control development, architecture, implementation and operationalization of UMMS networks, systems and applications. Specific attention to UMMS research Data Protection regulatory and security control preparedness and response is expected.

Responsibilities

ESSENTIAL FUNCTIONS:

  • Compose reports and other documents to provide decision support on information security risks associated with Data Protection for Sr. Mgt., project managers, system owners, Researchers, and business stakeholders
  • Conduct internal and third-party risk assessments focused on Data Protection Requirements and make risk-based recommendations towards achieving compliance
  • Contribute to the enhancement/refinement of the Information Security Risks & Controls library
  • Manage and perform cybersecurity assessments on emerging/ongoing research and business initiatives, third-party services by assessing the impact and likelihood of risk events
  • Assess the impact of potential adverse events, recommend effective controls and mitigations
  • Evaluate third-party products/services by reviewing responses to standardized questionnaires (SIG), evidencing their internal controls
  • Utilize and maintain systems and procedures to effectively assess the information risk
  • Help our business partners understand information security risks, standards, and best practices
  • Support the continuous improvement of Information Security Policies, Standards, Processes, and Procedures
  • Play a key role in the development of GDPR and general Data Protection training
  • Develop IT Procedures/guidance for GDPR compliance (system inventory, data retention/destruction)
  • Document GDPR actions/workflows impacting Information Security
  • Develop enhancements to breach notification processes with a focus on in-scope Data Protection laws (GDPR, CCPA, HIPAA)
  • Develop recertification processes that support relevant Data Protection regulations
  • Support ongoing Data Protection Risk Analysis/Assessment initiatives
  • Develop, communicate, and implement information security programs that address people, process and technology risks
  • Provide expert guidance to UMMS in respect to achieving and maintaining privacy compliance with CCPA, GDPR, HIPAA and other regulations as applicable
  • Report regularly to the Privacy Officer and Chief Information Security Officer as well as present quarterly updates to the Privacy Officer and Executive Leadership
  • Work with Security Architects, Security Analysts, Security Administrators and other IT and business departments to design effective and efficient procedures and controls to meet privacy compliance requirements.
  • Research industry trends for compliance and control implementations to ensure National General maintains reasonable and appropriate privacy compliance controls acceptable within our industry
  • Provide expert guidance and assist in the design of the controls assessment program as it relates to privacy controls
  • Review audit findings and risk and gap analysis reports for accuracy and effectiveness for elements related to privacy compliance
  • Assist in recommending remediation activity for privacy compliance activities found deficient and evaluate remediation effectiveness upon completion
  • Monitor changes in the regulatory and privacy landscape and report on the impact of those changes to the Director/Privacy Officer and CISO
  • Serve as staff support to the University's Information Security/Privacy Council
  • Participate in annual University audit and other data security/privacy reviews as needed
  • Develop and manage University-wide risk management, assessment, and remediation programs that meet University requirements and federal and state regulations
  • Coordinate the University’s security compliance management and response initiatives
  • Develop and manage information security policies and standards based on industry best practices and compliance requirements
  • Develop and enhance risk management processes and play a lead role in publishing and communicating policies that provide clear direction and guidance
  • Develop and manage a security information response process that standardizes and streamlines how requests for University information security control information are captured and disseminated
  • Facilitate internal and third-party information security risk assessments and work closely with functional groups or departments to prioritize and remediate findings
  • Drive the implementation of a framework to support Governance, Risk and Compliance (“GRC”) objectives. Realize significant, measurable gains in GRC practice maturity
  • Act as a risk and compliance thought leader within the University, provide end-to-end expert guidance on how to manage relevant security risks, influence priorities and decisions across the organization
  • Communicate strategic vision and agenda to key stakeholders to ensure proper alignment and support, provide insightful advice and skillful execution
  • Provide end-to-end expert leadership on how to effectively achieve and sustain compliance with regulatory, industry and contractual obligations, as well as information security policies and practices
  • Ensure that contracts provide adequate protection in the areas of legal/regulatory compliance and information security
  • Direct security risk assessments and manage testing of information security controls
  • Represent UMMS in internal / external audits involving information security controls. Assist stakeholders in providing audit responses and remediating security control findings
  • Work closely with attorneys, regulators and third parties while representing the University’s security position
  • Drive continuous improvement in information security risk and compliance based on expert knowledge in domain areas, industry best practices, business objectives and risk tolerances
  • Lead initiatives to regularly assess the adequacy and effectiveness of information security controls, security policies, direct remediation activities, compliance as related to process and workflows, and initiate actions to ensure that compliance and security gaps are successfully addressed
  • Partner with IT and program management teams to define and implement a secure SDLC framework
  • Perform other duties as required
Qualifications

REQUIRED QUALIFICATIONS:

  • Detailed knowledge of federal, state and international laws and regulations concerning privacy and information security
  • Requires a Bachelor’s in Information Systems, Information Security, Compliance or Audit related degree program
  • 7+ years of experience in an information security / privacy / compliance / risk management, thought leadership role
  • Experience in cybersecurity risk analysis and related security products/systems (e.g., RSA Archer, MetricStream, ServiceNow GRC)
  • Demonstrable knowledge of information security standards, data security practices and procedures, network security, application security, and database security
  • Understanding the impact of various data protection and integrity controls, operating systems and network security controls, authentication controls, and security protocols
  • This role requires an effective relationship builder with an understanding of cyber risk, Data Protection regulations (HIPAA, GDPR, CCPA, etc.) and the ability to articulate response and remediation requirements in business terms.
  • Requires strong analytical, interpersonal and communication skills
  • Requires demonstrable knowledge of security principles to a diverse range of risk scenarios to coordinate acceptable solutions between business needs, technology operations, and information security best practices
  • Comfortable working independently and collaboratively to achieve business outcomes
  • Strong written and spoken English with excellent communication, reasoning, and presentation skills
  • A GDPR Practitioner or similar qualification for other privacy-related requirements
  • The ability to liaise with senior stakeholders and conduct meetings at this level
  • Demonstrated ability to translate information security/privacy compliance requirements and University business needs into enterprise-wide data security/privacy standards and policy.
  • Working knowledge of information security/privacy standards and best practices (e.g., NIST, SANS).
  • Must possess a high degree of integrity relative to computer security and the confidentiality of information.
  • Bachelor’s degree in an Information Technology, Information Security, Compliance discipline or equivalent experience
  • Experience in the successful development and implementation of enterprise-wide information security programs which reduce risk
  • Experience in implementing a risk management program which defines risk assessment and remediation requirements, in conducting information security risk assessments which map to ISO/IEC 27000, NIST, BITs, etc., and in defining and implementing SDLC security requirements
  • Experience in developing effective information security policies and standards, and in protecting PHI in compliance with HIPAA, HITECH, FISMA, etc.
  • Ability to collaborate with IT, executive management, and business stakeholders towards achieving business and security objectives
  • Excellent oral and written communication skills
Additional Information

PREFERRED QUALIFICATIONS:

  • Information security management qualifications such as CISSP, CISM or CISA
  • Hold at least one Data Protection and/or Privacy certification such as CIPP, CIPT, ISEB preferred
  • Experience in a higher education environment
  • Demonstrable knowledge of information security standards such as ISO/IEC 27000, NIST, FISMA, PCI, etc.
  • Experience managing systems and networks towards ensuring Data Protection compliance

Organization

Realize Your Opportunities – A Career at UMASS Medical School

Inside Workings at UMASS Medical School

The University of Massachusetts Medical School (UMMS), the Commonwealth's only public medical school, is proud of its role in serving the people of Massachusetts. It is the inside workings of UMMS, though, that make the difference.

Mission and Culture

  • We’re serious about our mission and about our people.
  • Real World Impact - Our people get excited about our mission of real-world impact in health sciences education, research and public service.
  • International Prominence and New Opportunities - As this institution has grown to national – and international – prominence, we’ve found new opportunities to train tomorrow’s physicians, nurses and scientists, discover causes of and cures for disease and help improve the quality of health care.
  • Deep Commitment - With our clinical partner, UMass Memorial Health Care, and our other teaching affiliates, we share a deep commitment to national distinction in patient care.
  • Valued Partnerships – UMMS partners with Commonwealth Medicine, the health care consulting arm of UMMS. UMMS also partners with MassBiologics in scientific collaborations, technology management and the creation of partnerships for the development of products for the benefit of patients. These valued partnerships help us provide services and programs that meet the needs of UMMS and the public.
  • Proud Contributors - People at UMMS enjoy the feeling of going to work every day knowing that what they do is truly important and worthwhile.
  • Complementary and Inseparable - These varied parts of our mission and culture are complementary and inseparable.

Careers

UMMS, the state’s first and only public academic health sciences center, educates physicians, scientists and advanced practice nurses to heal, discover, teach and care, with compassion. UMMS is a world-class institution with opportunities to match.

Competitive Compensation – UMMS offers salaries that are competitive with Worcester-area employers. When combined with our generous benefits, perks, and paid time off, many job seekers are surprised to find a total rewards package that matches or exceeds their current situation.

Targeted Hiring Process – At UMMS, there are actually multiple hiring processes for different segments of our workforce. In nearly all cases, the UMMS hiring process is decentralized, with qualified candidates screened and referred to an academic officer or manager with hiring authority.

24/7 Access to Employment Opportunities – iCIMS is our online job search and application system. iCIMS is available 24/7 to provide you with a convenient and up-to-date view of the available employment opportunities across our campuses. Updates are made daily and include all faculty and non-faculty position listings from every school and department within UMMS. When you identify a position you are interested in and qualified for, apply online. New opportunities become available frequently, so it pays to check back often!

Benefits

With outstanding benefits, competitive pay, extensive learning opportunities, and a stimulating and attractive work environment, UMMS may be exactly the employer you’ve been looking for.

• Superior Benefits - UMMS offers a wide range of benefits and perks that invite comparison with the best employers in the Worcester area – and with academic institutions anywhere. UMMS provides superior medical and dental coverage for you and your family, fully funded retirement plans, generous time off, a Tuition Assistance Plan – and much more.

• People Centered - UMMS is an employer, but it is also a community. Its comprehensive medical and dental benefits, retirement plans, and even paid holidays reflect an institution built around people, with a deep respect for their differences and needs.

• Commitment to Healthy Living - UMMS provides resources to help you balance work and life and encourages healthy living through great programs and discounts for fitness, physical activity, weight management, nutritional counseling and general wellness available through our health insurance plans.

• Breadth of Offerings - Above all, the breadth of UMMS offerings sets the School apart and makes it an environment favored by all sorts of smart, career-savvy people.

Apply for a Job

As an equal opportunity and affirmative action employer, UMMS recognizes the power of a diverse community and encourages applications from individuals with varied experiences, perspectives and backgrounds.

Online - To view all job opportunities and apply online, visit www.umassmed.edu/hr and click on the “Careers” tab.

Start Now and Realize Your Opportunities!

A History of Making Vital Improvements - UMASS Medical School Milestones

1962: Legislation establishes University of Massachusetts Medical School
1970: First medical students begin classes in Shaw Building
1974: First class graduates 16 MDs
1979: PhD program begins
1986: Graduate School of Nursing opens
1986: PhD program becomes Graduate School of Biomedical Sciences
1994: Graduate School of Nursing initiates PhD program
1998: UMass Clinical System and Memorial Health Care merge to form UMass Memorial Health Care
2001: Lazare Research Building opens
2002: Campus Modernization begins on the University Campus
2004: Graduate Entry Pathway Program established at the Graduate School of Nursing
2005: PhD Program in Clinical & Population Health Research established at the Graduate School of Biomedical Sciences
2005: Massachusetts Biologic Laboratories opens new manufacturing and filling facility in Mattapan
2006: Craig Mello, PhD, Blais University Chair in Molecular Medicine and Howard Hughes Medical Institute Investigator, is awarded the Medical School's first Nobel Prize. Dr. Mello shared the 2006 Nobel Prize in Physiology or Medicine with Andrew Fire, PhD, of Stanford University, for their discoveries related to RNA interference.
2007: Michael F. Collins, MD, is named chancellor and Terence R. Flotte, MD, is named dean of the School of Medicine.
2009: Groundbreaking for the Albert Sherman Center, a 500,000-square-foot research and education facility slated for completion in 2012.
2010: Ambulatory Care Center opens
2012: The Albert Sherman Center, a 500,000-square-foot research and education facility, completed and opens
