University of Delaware

Chief Information Security Officer - IT-Information Security

MAJOR RESPONSIBILITIES:

Information Security Strategy

  • Guide and counsel the VP of IT, IT staff, and key members of the University leadership team, working closely with executive and academic leaders in defining objectives for information security.
  • Meet with and inform executive leadership and the Board of Trustees as needed.
  • Lead the information security planning process to establish an inclusive and comprehensive information security program for the entire institution in support of academic, research, and administrative information systems and technology. This includes establishing annual and long-range security and compliance goals, defining security strategies, metrics, reporting mechanisms and program services, and creating maturity models and a roadmap for continual program improvements.

Information Security Program Administration

  • Provide leadership, direction, and guidance in assessing and evaluating University-wide information security risks.
  • Develop, implement, and maintain a written information security program that addresses people, processes, and technology.
  • Identify and implement management, operational and technical safeguards to manage risks associated with confidentiality, integrity, availability and compliance with laws, regulations, contractual or funding agency or other external requirements and University IT security policies for central IT-controlled systems.
  • Identify and compile metrics to continuously assess the efficacy of the risk management program and opportunities for improvement.
  • Provide data risk management consultation to IT leaders, data stewards (officials responsible for different types of institutional data—human resources, registrar, etc.), custodians, technical experts, deans and administrative leaders on a wide variety of complex information security issues.
  • Work with data stewards and custodians to establish appropriate data management protocols.
  • Lead the development, implementation and maintenance of information stewardship and security policies, standards and protocols that create and maintain a risk management framework for University information resources, data and systems.
  • Define University-wide data management roles and responsibilities for complying with applicable laws, regulations, contractual, funding agency and other external requirements.
  • Publish and promote information security policies to the University community.
  • Serve as the University compliance officer with respect to federal, state and/or local information security laws, regulations, contractual or funding agency or other external requirements.
  • Work with the campus-designated officers and Vice President & General Counsel on compliance issues as necessary (e.g., FERPA records access, ITAR export controls and HIPAA privacy).
  • Oversee monitoring and documentation of compliance assessment and enforcement of data stewardship and information security policies, protocols, and guidelines.
  • Assess impacts of new technologies on the risks to the University’s central IT information assets; establish risk management processes to review potential impacts of implementation of new technologies.
  • Guide the development of Identity and Access Management program goals and strategic roadmap.
  • Oversee the service team to implement a best-in-class identity management life cycle process in accordance with University policies, laws and contractual obligations.
  • Work closely with the University office of Vice President & General Counsel to establish privacy and security requirements for vendors of commercial software and/or services; assess vendor privacy and security safeguards.
  • Negotiate contract language to place risk-appropriate privacy and security obligations on the application provider.
  • Establish and oversee protocols to identify, assess, publicize and/or coordinate responses to IT threats and vulnerabilities that affect the University.
  • Work closely with internal IT application developers to create information security quality-assurance processes that address information security throughout the software development life cycle.
  • Coordinate with appropriate process owners for central IT disaster recovery, including preparation, testing and maintenance of the disaster recovery plan.
  • Participate in the evaluation of commercial information security hardware and software offerings.
  • Work closely with the UD Police Department, Public Safety and Facilities group to provide application and user support for physical security related technical solutions.
  • Partner and consult with leaders across Grounds to define the risks that accompany new AI technology.
  • Identify, prioritize, develop and leverage risk-based security metrics to provide visibility of security posture to different groups of audiences and leverage the data to make informed program decisions.

Incident Response

  • Develop and implement information security incident response and reporting plans and protocols to address University information security incidents and respond to alleged policy violations or complaints from external parties.
  • Investigate reported policy infractions and identify remediation steps needed and/or recommend disciplinary sanctions.
  • Keep abreast of security incidents and oversee protocols for assessing likelihood of data breaches.
  • Convene and/or participate as a key member of security incident response teams as needed to plan and conduct appropriate institutional responses to information security breaches.
  • Serve as the official campus contact point for information security, privacy, and copyright infringement incidents.

Information Security Training and Awareness Programs

  • Provide leadership as a standing member of the Information Security Awareness Program Steering Committee, creating education and awareness programs and advising campus constituencies at all levels on security issues, best practices, and vulnerabilities.
  • Pursue student security initiatives to address student information privacy and security awareness needs.
  • Develop and deliver ad-hoc security awareness presentations.

Information Assurance Liaison

  • Work with Internal Auditing, external auditors, and consultants as appropriate on security audits, compliance checks, and control assessment engagements.
  • Establish a cooperative working relationship with law enforcement—including campus police or public safety and local, state, and federal officials—for reporting incidents and conducting investigations.
  • Act as the official point of contact for representing UD on Information Security and/or privacy matters.

Knowledge Maintenance and Professional Development

  • Stay abreast of information privacy and security issues, legislation and regulations affecting higher education at the institutional, state, and national level.
  • Participate in national policy and practice discussions and communicate to campus about those topics.
  • Collaborate with other colleges and universities to share information or resources, as necessary, to improve the overall security of the higher education sector.
  • Engage in professional development to maintain continual growth in professional skills and knowledge essential to the position.

Unit Administration

  • Direct the administration and activities of the IT Technical Security and IT Security Policy and Compliance groups. Set department goals and objectives, reassess and redefine priorities as appropriate to meet IT unit and University goals.
  • Directly or indirectly supervise department staff including staff for Information Security, Campus and Public Safety, UD Police Department and CHS Clinic Staff; evaluate performance and provide guidance and feedback, assess need for technical and professional growth, and recommend development opportunities.

QUALIFICATIONS:

  • Master’s degree and seven years’ experience in information security, information technology or related area, or equivalent combination of education, certification, and experience.
  • Certification as a Certified Information Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO), or Certified Information Security Manager (CISM) or equivalent is preferred.
  • A minimum of five years of experience with technology policy and security administration.
  • Preferred experience working in a higher education or a research environment.
  • Demonstrated experience with evolving, state-of-the-art information security technologies and approaches.
  • Knowledge of computer forensic investigation methodology and investigation tools.
  • Experience with information system auditing including security reviews, control selection, and evaluation of systems using a risk-based approach.
  • Experience in developing and administering a risk-based information security program.
  • Extensive working knowledge of and experience in the policy and regulatory environment of information security, especially in higher education, is desirable.
  • Knowledge of, and experience with, information security management, risk assessment, and regulatory compliance.
  • Knowledge of, and experience with, one or more of the industry-accepted controls frameworks (FISMA, ISO, NIST, etc.).
  • Knowledge of federal and state privacy and security laws and regulations including FERPA, HIPAA, GLBA, PCI, and PCI-DSS.
  • Possess integrity and high standards of professional conduct.
  • Demonstrated strong interpersonal and communications skills and the ability to achieve goals through influence, collaboration, and cooperation.
  • Demonstrated ability to communicate technical concepts and solutions to both technical and non-technical audiences.
  • Proven ability to build relationships with and influence external and internal partners and stakeholders of all levels.
  • Demonstrates an understanding and consideration of the differing needs and concerns of individuals with varying identities, cultures, and backgrounds.
  • Committed to fostering a workplace culture of belonging, where diversity is celebrated, and equity is a core value.


  • Seniority level: Executive
  • Employment type: Full-time
  • Job function: Information Technology and General Business
  • Industries: Higher Education, Computer and Network Security, and IT Services and IT Consulting
