Serve as primary advisor to the Chief Information Officer (CIO) and ITS Senior Directors on security-related practices and policies that will mitigate information security-related risks to the University’s information systems, applications, databases, and networks. Serve as the University Data Protection Officer in order to address European Union GDPR (General Data Protection Regulation) requirements. Report to the CIO and work directly with both ITS and non-ITS departments to coordinate security efforts and resources in order to maximize information security and data protection. This position supervises professional, technical and support staff as assigned.
Essential Duties & Responsibilities:
Revise, redevelop, implement and maintain a University-wide information security and data protection plan based on EDUCAUSE Higher Education Information Security Council (HEISC) standards and best practices for data privacy protection, such as EU GDPR requirements.
Prepare, document, maintain and disseminate information security policies and procedures.
Revise the University Information Security Incident Response Policy to reflect the new response requirements dictated by EU GDPR requirements.
Prepare and coordinate implementation of university-wide information security training.
Implement procedures and processes to improve USD’s response to the EU GDPR’s seven fundamental requirements: (1) consent, (2) breach notification, (3) right to access, (4) right to be forgotten, (5) data portability, (6) privacy by design, and (7) data protection.
Lead and collaborate on periodic Information Security Audits with the CIO and ITS Sr. Directors.
In coordination with the Information Technology Services leadership team, prepare plans to protect University information technology assets against data breaches.
Oversee, manage, and prepare information on IT security and IT compliance matters specific to the GLBA (Gramm-Leach-Bliley Act), FERPA, HIPAA, European Union GDPR, PCI-DSS, etc.
Serve in the role of University Data Protection Officer specific to data standards and compliance requirements.
Create plans and IT security processes to align with emerging data privacy requirements (such as GDPR) as applied to US Universities.
Participate in EDUCAUSE Higher Education Information Security Council (HEISC) and Internet2 security group conferences and webinars.
Oversee forensics and prepare responses to breaches in the confidentiality, integrity or availability of institutional data.
Use and improve existing ITS monitoring and alert/SIEM systems (e.g. Oracle Advanced Security, SolarWinds, Check Point SmartEvent, etc.).
Work with IT security vendors/providers to oversee annual penetration and vulnerability testing.
Improve or redevelop an internal scanning process using USD’s Nessus vulnerability scanner.
Identify vulnerabilities, threats and incidents within the university’s information technology infrastructure, and work with the responsible team in the Information Technology Department to resolve these issues with cost-effective solutions.
Ensure through policies and procedures the appropriate use of the university’s information technology resources.
Provide CIO and University committees with updates/presentations on the state of USD information security.
Qualifications:
Bachelor’s degree required, preferably in MIS, computer science, electrical engineering, cybersecurity or a related field.
Minimum of 5 years of IT systems, networking, or security experience in progressively responsible roles.
Experience designing technical solutions that improved IT security posture.
Experience architecting security solutions for organizations with large networks, with special preference for University/Research networks of 10,000 or more users.
Experience with security technology including, but not limited to: Enterprise ERP systems, Oracle database technology, Identity Management systems, VPN, firewall, endpoint and antivirus security, and wireless and wired network security.
Enterprise system-level or applications security experience and knowledge, including understanding of threats and countermeasures.
A strong understanding of enterprise systems and network administration, including best practices for perimeter and infrastructure security and messaging security.
Excellent communication skills, with the ability to communicate technical information to non-technical people.