Job Standard for IT Information Security Officer
How to use this Job Standard:
- Click “View in Google Docs/Download” and download to Word.
- The Job Overview, Level Scope, Minimum Qualifications and Essential Job Functions are specific to this job’s competencies and cannot be edited.
- For the Job Posting you may;
- update/change the purpose to add in department specific information,
- add key responsibilities to the 35% of the time, specific to your department needs,
- add a preferred qualifications section
- post the position using the business title
The statements on this job standard are intended to describe the general nature of the role and level of work being performed. They are not intended to represent an exhaustive list of all responsibilities, duties and skills required of the employee.
IT Information Security Officer Overview
- Person Group: Professional
- Job Code: 75270
- Pay Grade: P14
- FLSA Status: Exempt
- Career Level: Director
- Family: Information Technology
- Function: IT Administration
IT Information Security Officer will be responsible for overseeing information security, cybersecurity and IT risk management programs based on industry-accepted information security and risk management frameworks. This individual will be an integral part of the Information Technology organization reporting directly to the CIO to help improve and communicate the maturity levels of information security, state of cybersecurity and IT risk practices across the University.
Oversees through subordinate Managers a large, complex organization with multiple functional disciplines/occupations or manages a program, regardless of size, that has critical impact upon the campus. Significant responsibility for formulating and administering policies and programs, manages significant human, financial and physical resources and functions with a very high degree of autonomy. Frequently influences business decisions made by senior leadership. Oversees through subordinate Managers the accountability and stewardship of campus resources and the development of systems and procedures to protect organizational assets. Negotiates and influences others to understand and accept new concepts, practices and approaches.
Bachelor’s degree or equivalent in Computer Information Systems, Management Information Systems or Computer Science and a minimum of 8 years work experience in the same type of work and 5 years supervisory experience. Prefer Master’s Degree or Equivalent.
Knowledge, Skills and Abilities
- Experience in risk, compliance and information security policy development.
- Knowledge and understanding of higher education, governmental agency or corporate/industry information security, governance, risk and compliance practices and standards.
- Knowledge of laws and regulations including but not limited to: Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB) Act and Sarbanes-Oxley.
- Experience with development of educational programs in the area of security awareness.
- Excellent organizational and communication skills (both oral and written).
- Strong interpersonal skills and the ability to effectively communicate with a wide range of individuals and constituencies in a diverse community.
- Experience managing budget and managing a team of information technology professionals.
- Proven problem solver with ability to provide in-depth analysis of complex problems, manage risk and provide timely and accurate decisions.
- Knowledge of IT processes and controls and strong understanding of risk and control frameworks such as (CoBIT, ISO, NIST, ITIL, PCI).
- General knowledge of information security regulatory requirements and standards such as ISO 27001/2, SANS top 20 and NIST 800-53.
- Possess Certified Information Systems Security Professional (CISSP) or other information systems security certifications
- Ability to ensure standards and parameters for any systems on the University network are correct and as close to flawless as reasonably can be expected.
60 % of the Time IT Information Security Officer will:
- Coordinates the continuous development, implementation and updating of security and privacy policies, standards, guidelines, baselines, processes and procedures in compliance with local, state and federal regulations and standards for University information systems.
- Develop and manage the frameworks, processes, tools and consultancy necessary for IT to properly manage risk and to make risk-based decisions related to IT activities.
- Proactive identification and mitigation of IT risks as well as responding to observations identified by third party auditors or examiners while assisting in the development of periodic reports and dashboards presenting the level of controls compliance and current IT risk posture.
- Assist IT managers and staff with the audits and facilitate management response and remediation efforts. Ensure overall IT compliance with regulatory requirements through proactive planning and communication, ownership and relationships.
- Broaden and deepen knowledge of the business and environment of
IT with respect to the delivery of projects, strategic initiatives and systems
portfolio to effectively assist IT managers and staff with risk and compliance
- Identify acceptable levels of residual risk and assist with action plans, policy and procedural changes for risk mitigation. Provide strategic recommendations to key IT projects to help improve project results, quality of deliverables, risk optimization, security processes and compliance with regulations.
- Manage permanent, temporary and student employees on the IT GRC team. Hire and recommend termination of employees, as necessary. Create formal evaluations and provide informal evaluations of IT GRC employees. Coach, mentor, train and develop IT GRC employees.
- Manage IT GRC Budget. Forecast and develop budget requirements and expenditures.
- Facilitate information systems security management education and training in regulatory and industry standards for all University employees.
- Receives allegations of security incidents and conducts complex investigations; prepares written findings, recommendations and follow up evaluation; and analyzes patterns and trends.
- Coordinates University information security incident response and reporting for events or exploited vulnerabilities including unauthorized system or network access, denial of service, inappropriate data access, data corruption, and/or collection of private or confidential information.
- Acts as ombudsman for disputes, requests for exceptions and complaints regarding University wide information systems security policies, practices and related issues.
- Works as a liaison with local, state and federal authorities requiring information and reports on security incidents to include campus police, FBI or other law enforcement agencies.
35% of Time IT Information Security Officer:
- Can be determined by department needs
5% of Time IT Information Security Officer:
- Perform other duties as assigned
Work Environment and Physical Demands
General Office – Exerting up to 10 pounds of force occasionally (Occasionally: activity or condition exists up to 1/3 of the time) and/or a negligible amount of force frequently (Frequently: activity or condition exists from 1/3 to 2/3 of the time) to lift, carry, push, pull or otherwise move objects, including the human body. General office work involves sitting most of the time, but may involve walking or standing for brief periods of time.
May be required to travel with overnight stays.
Additional training/education or equivalent experience, as well as business need, are required for movement into higher level jobs.
Incumbent must perform the essential duties and responsibilities with or without reasonable accommodation. The above statements are intended to describe the general nature and level of work. Final employment offers are contingent upon a Final Candidate’s successful completion of a Background Verification and a determination by the University that the information derived from the Background Verification does not disqualify the individual. In addition, a Financial History Check and Motor Vehicle Record (MVR) Check may be required.