Associate Director, Information Security Governance, Risk, Compliance

Job Level
Mid-level position
Job Category
Associate / Assistant Director
Sector
  • Information Technology
Job Status
Areas of Responsibility
  • Security

As a part of its ongoing efforts to mature its information security program, the University of Utah’s Information Security Office is hiring an Associate Director of Governance, Risk, and Compliance (GRC). This role is responsible for the development, implementation, and ongoing maintenance of information security program governance, risk management, and regulatory compliance activities, as well as facilitating the communication and discussions with key University stakeholders regarding the University’s comprehensive information security program as it pertains to these GRC activities. This includes ownership of information security program documentation development, and information security awareness and training efforts.

Located in Salt Lake City, in the foothills of the Wasatch Mountains, the University of Utah is the flagship institution of the State of Utah’s system of higher education and a member of the PAC-12 Conference. Salt Lake City combines the amenities of a major metropolitan area of more than one million people with the friendliness and ease of living of a small, Western city. Seven major ski resorts are within an hour’s drive from campus, and opportunities to pursue activities from biking to hiking to fishing abound. Salt Lake is also home to the Utah Symphony and Opera, the Utah Ballet, several professional sports teams, and a wide range of other cultural and recreational activities.

University Information Technology (UIT), the central IT service provider for campus, reports to the Chief Information Officer and is responsible for many of the University of Utah’s most critical common IT resources including the campus network; the Campus Information Services (CIS) portal; UMail, telephone, and online collaboration services; high performance and research computing; information security; teaching and learning technologies; software licensing; and a host of other systems and applications. For more information about UIT, visit http://www.it.utah.edu.

Responsibilities

Essential Functions

  • Work with the appropriate key University stakeholders to protect the confidentiality, integrity, and availability of the University’s electronic data

  • Manage the development and implementation of institution-wide security Policies, Rules, Procedures, and Guidelines

  • Lead efforts in industry-regarded best practice standards and regulatory compliance with ISO 27001/27002, FISMA, PCI DSS, HIPAA, FERPA, etc.

  • Review risks, threats, and vulnerabilities, and oversee the development of corrective action plans in partnership with executive management, the Office of General Counsel, IT personnel, and other relevant groups.

  • Maintain ongoing diligence, updating and adapting to changing risks, to proactively guard against evolving and emerging threats.

  • Communicate the University’s security stance and risk tolerance, including compliance issues, risks, and incidents, to key stakeholders so that they can make informed decisions about risk and risk management

  • Consult on other types of security (e.g., security architecture, secure development lifecycle, physical security issues) as needed.

  • Collaborate with appropriate IT teams, the Compliance Office, and the Office of General Counsel to mature the University’s information security incident response plan and to practice execution of the plan

  • Develop and conduct information security training and awareness activities

  • Standard responsibilities

  • Complies with all University policies and procedures.

  • Performs in accordance with system-wide competencies/behaviors.

  • Performs other duties as assigned.

This job description is not designed to contain or be interpreted as a comprehensive inventory of all duties, responsibilities and qualifications required of employees assigned to the job.

Work Environment and Level of Frequency typically required

Nearly Continuously: Office environment.

Physical Requirements and Level of Frequency that may be required

Nearly Continuously: Sitting, hearing, listening, talking.

Often: Repetitive hand motion (such as typing), walking.

Seldom: Bending, reaching overhead.

Minimum Qualifications

Bachelor’s degree in related computer science area, or equivalency required; plus six years of progressively more responsible management experience; and demonstrated leadership, human relations and effective communication skills also required.

Department Specific Qualifications:

  • Must be knowledgeable about ISO/IEC 27000 series standards, the full FISMA process, HIPAA, PCI requirements, and other regulatory compliance requirements and have experience working in these environments

  • Prior policy development and enforcement experience in a regulated environment

  • Prior experience with information security risk management program development and implementation

  • Ability to relate business requirements and risks to policy and technology implementation

  • Knowledge of risk assessment and remediation procedures.

Applicants must demonstrate the potential ability to perform the essential functions of the job as outlined in the position description.

Preferences

  • 8-10 years of experience in information security governance, risk, and compliance program management.

  • An advanced degree or equivalent professional certifications

  • Strong management, problem-solving, organizational and communication skills (oral and written).

  • Proven ability to manage projects and implementations across multiple entities

  • Strong collaborative approach and ability to effectively interface with technical staff, IT managers, executive management, faculty, physicians, office of general counsel, and other key stakeholders as appropriate

Type Benefited Staff

Special Instructions Summary

Additional Information

The University of Utah is an Affirmative Action/Equal Opportunity employer and is committed to diversity in its workforce. In compliance with applicable federal and state laws, University of Utah policy of equal employment opportunity prohibits discrimination on the basis of race or ethnicity, religion, color, national origin, sex, age, sexual orientation, gender identity/expression, veteran’s status, status as a qualified person with a disability, or genetic information. Individuals from historically underrepresented groups, such as minorities, women, qualified persons with disabilities, and protected veterans are strongly encouraged to apply. Veterans’ preference is extended to qualified applicants, upon request and consistent with University policy and Utah state law.

To inquire about this posting, email: employment@utah.edu or call 801-581-2300. Reasonable accommodations in the application process will be provided to qualified individuals with disabilities. To request an accommodation or for further information about University AA/EO policies, please contact the Office of Equal Opportunity and Affirmative Action, 201 S. Presidents Cr., Rm 135, (801) 581-8365 (V/TDD), email: oeo@umail.utah.edu.

The University is a participating employer with Utah Retirement Systems (“URS”). To be eligible for retirement contributions, you must be hired into a benefit-eligible position. Certain new hires are automatically assigned to the URS retirement plan, and other employees with prior URS service may elect to enroll in the URS within 30 days of hire. Regardless of whether they are hired into a benefit-eligible position or not, individuals who previously retired and are receiving monthly retirement benefits from URS must notify the Benefits Department upon hire. Please contact Utah Retirement Systems at (801) 366-7770 or (800) 695-4877 or the University’s Benefits Department at (801) 581-7447 for information.

This position may require the successful completion of a criminal background check and/or drug screen.