To apply for this position please submit a Cover Letter and Resume.
Responsible for the development, delivery and practical application of a comprehensive information security and privacy program for the Office of the Commissioner of Higher Education (OCHE), Utah Higher Education Assistance Authority (UHEAA), and the Utah Educational Savings Plan (UESP). The scope of this program is office-wide, and includes information in electronic, print and other formats. The purposes of the program include:
• To assure that information created, acquired or maintained by the Utah System of Higher Education (USHE) and its authorized users is used in accordance with its intended purpose.
• To protect OCHE, UHEAA and UESP information and its infrastructure from external or internal threats.
• To assure compliance with statutory and regulatory requirements regarding information access, security and privacy.
The position includes daily activities such as analyzing network traffic, documenting security events, training users and adhering to best practices of the information security industry.
Position Duties, Responsibilities and Competencies
Coordinate the development of information security policies, standards and procedures. Work with IT management, data custodians and governance groups in the development of such policies. Ensure that policies support compliance with external requirements. Oversee the dissemination of policies, standards and procedures to the agency. Manage the selection team for external auditors and/or consultants to assist the agency with compliance with FISMA, SAS-70 accreditation, etc.
Perform network vulnerability scans and remediate the issues found. Monitor network traffic, responding to and documenting security events. Oversee all logging of security-related information. Primary oversight of security-related systems (e.g., IPS, DLP, syslog, file integrity monitoring).
Education and Training
Coordinate the development and delivery of an education and training program on information security and privacy matters for employees and other authorized users.
Compliance and Enforcement
Serve as the compliance officer with regard to agency, state and federal information security policies and regulations (for example, FISMA, Sarbanes-Oxley, USA PATRIOT Act, FERPA, etc.). Prepare and submit required reports to external agencies.
Develop and implement an Incident Reporting and Response System to address security incidents (breaches) and to respond to alleged policy violations or complaints from external parties. Serve as the official contact point for information security and privacy incidents, including relationships with law enforcement entities.
Risk Assessment and Incident Prevention
Develop and implement an ongoing risk assessment program targeting information security and privacy matters; recommend methods for vulnerability detection and remediation, and oversee vulnerability testing.
Vendor Security Management
Develop and implement a Vendor Security Management Policy for UHEAA and UESP. Evaluate new and existing vendors relative to information security, connectivity, continuity and availability. Make recommendations to the UHEAA board relative to engagements with vendors.
Architect a secure network perimeter using routers and firewalls. Advise on the implementation and configuration of security applications and devices. Consult with upper management on strategies for addressing network security. Enforce baseline security practices on all network devices and servers.
Assist with third party information security reviews. Perform security audits periodically to confirm compliance with policies and procedures. Conduct security audits as requested by business units.
Responsible for the physical security, protection services and privacy of the agency.
Serve as the contact point for external auditors, agencies, survey requests, etc. on security/privacy matters.
Keep abreast of latest security and privacy legislation, regulations, advisories, alerts and vulnerabilities pertaining to OCHE, UHEAA and/or UESP and their mission(s).
Emergency Preparedness and Business Continuity
Take part in recovery planning and business continuity planning.
The emphasis of this position is on policy development, program administration and compliance/incident response activities. While technical knowledge of information technology and security issues is highly desirable, technical expertise and resources will be available from the Information Technology department to support the information security and privacy program. This position will be personally responsible for the tactical implementation of operational security, in addition to strategic development of the information security and compliance program.
Bachelor's degree required.
Cisco (CCNA, CCNP, CCSP) background or security certifications (CISSP, GIAC, CCSP, Security+) required.
Minimum seven years' experience in information security, information technology or a related field. Experience in developing and administering an information security program required. Working knowledge of and experience in the policy and regulatory environment of information security, especially in a financial institution, is required. Excellent project management, written and oral communication skills desired. Ability to work collaboratively with a broad range of constituencies is essential. A demonstrated ability to work with diverse groups of people is desired.
The Information Security, Compliance and Risk Officer works closely with the Director of Computer Services and must have a strong working knowledge of information technology. Candidates must have Microsoft operating system hardening experience. Corporate firewall, vulnerability assessment and penetration testing experience is a must.