IT Security Analyst IT-Network & Systems Services

Deadline: February 17, 2014

IT Security Analyst, IT Network & Systems Services

Context of the Job:

The Network and Systems Services (NSS) Infrastructure group is responsible for the operation, maintenance, support, and growth of networking, telecommunications, and the central computing systems. The University's central computing systems include enterprise class client/server, data storage and retrieval systems, web, learning management, and e-mail servers. The volume and variety (servers, routers, firewalls, switches, and networked UPSes) of central systems, the data center environmental systems, and departmental systems backed up by IT add to the complexity of the work of this group. Staff in the NSS Infrastructure unit provide services that support the entire University. Other groups in the IT unit rely heavily upon NSS for services and technical support. NSS is one of several groups within the larger organization of Information Technologies (IT). The technology work of this group is critical to the achievement of the IT organization's and University's strategic plans and goals. This group also provides the technological foundation that supports the institutional mission.

The IT Security Policy & Compliance Office assesses risks to University information assets and works closely with a broad range of University constituencies to implement appropriate administrative, technical, and physical controls to comply with laws, regulations, funding agency requirements and security policies. The office develops, implements, and maintains a comprehensive information security program and establishes policies, procedures, training, and awareness initiatives designed to protect University information resources, limit liability, and prevent legal and regulatory violations.

The IT Security Analyst works closely with the Associate Director of IT Security Policy & Compliance, partners with the IT NSS Technical Security group and key central IT staff who have specific security and disaster recovery responsibilities, and collaborates with departmental IT staff regarding security policy, procedures, and compliance issues. The IT Security Analyst reports to the Associate Director of IT Security Policy & Compliance within the NSS Infrastructure unit.

Major Responsibilities:

Information Security Program Administration
· Assists in the development and implementation of an “information security program” that addresses people, process, and technology and contains administrative, technical, and physical safeguards. Compiles metrics for measuring success of the information security program and produces reports for management and leadership teams as needed.

Policy
· Assists in the development, implementation, and maintenance of information security policies, standards and protocols to safeguard University information resources, data and systems, and to comply with applicable laws, regulations, contractual, funding agency and other external requirements. Works with key IT staff, data custodians and governance groups in the development of such policies.

Compliance and Enforcement
· Monitors and documents assessment and compliance efforts including enforcement of University information security policies, protocols and guidelines. Assists in enforcing policies when non-conformance is detected.
· Provides reports to IT leadership on a periodic basis or when requested.
· Collaborates with staff in Technical Security group and security staff in MIS and Web Development regarding quality controls, security testing, and audit reviews of central IT systems and applications.
· Works with Internal Auditing, external auditors and consultants as appropriate on security audit compliance checks and control assessment engagements.
· Coordinates compliance review and monitoring activities including periodic reviews of all departments.

Risk Assessment and Safeguard Recommendations (or Incident Prevention Recommendations)
· Identifies, assesses and evaluates information security risks and vulnerabilities and identifies ways to reduce risks. Characterizes systems, assesses risks and recommends administrative, technical and physical safeguards to lower risks associated with confidentiality, integrity, availability and compliance with laws, regulations, contractual or funding agency or other external requirements.
· Provides technical advice and consultation to various campus constituencies on a wide variety of security issues that require an in-depth understanding of the IT environment in their units, as well as the compliance requirements that pertain to their unit’s information. Consults with Technical Security Group when needed.
· Works with “data stewards” (officials responsible for different types of institutional data—human resources, registrar, etc.) to establish appropriate safeguards.
· Participates in the policy, implementation and exception-based operational aspects of the identity management life cycle, including user identification and authentication, user privileges and account management.
· Periodically reviews efficacy of security services and tools used to address and mitigate security risks and assess and enforce compliance. Coordinates updates as needed.

Incident Response
· Administers routine information security incident response and reporting plans and protocols to address University information security incidents, respond to alleged policy violations, or complaints from external parties.
· Investigates reported policy infractions and identifies remediation steps needed.
· Participates as an incident response team member during significant information security incidents.
· Serves as the alternate campus contact point to the Associate Director, IT Security and Compliance for information security, privacy and copyright infringement incidents, including relationships with law enforcement entities.

Information Security Training and Awareness Programs
· Participates as a standing member of the Information Security Awareness Program Steering Committee.
· Assists in the development of information security and privacy awareness programs and training initiatives to educate campus clients about policies, procedures, information risks, and federal and state standards.
· Advises campus constituencies at all levels on security issues, best practices, and vulnerabilities and builds a sense of common purpose around security.
· Advises staff in key offices regarding specific information security training initiatives (i.e. HR for new employees).
· Pursues student security initiatives to address student information privacy and security awareness needs.
· Develops and delivers ad-hoc security awareness presentations.

IT Disaster Recovery
· Assists in the preparation, testing and maintenance of the Information Technologies business continuity and disaster recovery plan.

Knowledge Maintenance and Professional Development
· Stays abreast of information privacy and security issues, legislation and regulations affecting higher education at the state and national level.
· Engages in professional development to maintain continual growth in professional skills and knowledge essential to the position.
· Participates in the evaluation and implementation of applicable hardware and software in Information Technology security.

General
· Participates in campus teams, committees, and forums.
· Performs miscellaneous job-related duties as assigned.

Qualifications:
· Bachelor’s degree and three years’ experience in information security, information technology or related area, or equivalent combination of education, certification, and experience.
· Degree in an information technology field preferred.
· Prior experience in a risk-based information security program preferred.
· Knowledge and experience with information security management, risk assessment, and regulatory compliance.
· Working knowledge of and experience in the policy and regulatory environment of information security.
· Experience with information security policy and program development and administration is desirable.
· Knowledge of NIST, CERT, SANS, OWASP.
· Familiarity with federal and state privacy and security laws and regulations including FERPA, HIPAA, GLBA, PCI, and DSS.
· Knowledge of security technologies such as firewalls, vulnerability scanners, and data loss prevention.
· One or more security certifications highly desirable (CISSP, GIAC, SANS, etc.).
· Project management desired.
· Effective written and oral communications skills.
· Ability to think critically and problem solve.
· Ability to work collaboratively with a broad range of campus constituencies and diverse groups.

How To Apply

When applying please submit a one-page cover letter and your resume as one document. Also, please remember to provide names, addresses and telephone numbers of at least three references in the online application.

Equal Employment Opportunity

Employment offers will be conditioned upon successful completion of a criminal background check. A conviction will not necessarily exclude you from employment. The University of Delaware is an Equal Opportunity Employer which encourages applications from Minority Group Members, Women, Individuals with Disabilities and Veterans. The University's Notice of Non-Discrimination can be found at