Full-time
Chief Information Security Officer - The University of Chicago - Chicago, IL

Please make sure to read the job posting in its entirety as it reflects both the University roles and responsibilities, followed by the specific description.

Department: 2010012 BSD - BSDIS

About the Unit

The University of Chicago Biological Sciences Division (BSD) contains all elements of academic medicine. Basic and translational research, education, and patient care come together in a single campus. Their mission is to create new knowledge of living systems, train the next generation of leaders in biology and medicine, and advance the forefront of health through innovative patient care. The Biological Sciences Division is divided into 10 basic science and 13 clinical departments that provide academic homes for nearly 900 full-time faculty. The Office of the CRIO and departmental IT groups provide advanced, secure technologies and services to enable clinical, translational, and basic science research.

The security of IT systems and information assets is dependent on the individuals managing as well as the individuals utilizing such resources. The BSD Information Security Office is committed to supporting the principles of academic freedom and the free exchange of ideas; the BSD’s information security initiatives are intended to support those principles while still maintaining an appropriate level of security. The Information Security Office provides information security services and expert security guidance to BSD leadership and all members of the BSD research and academic enterprise. This includes 6000 endpoints/mobile devices, 700 servers, High Performance Computing (HPC) and various informatics research platforms. The department efficiently ensures confidentiality, integrity, and availability of its information assets and data, in accordance with organizational security policies and applicable state and federal laws.

In the 2020 edition of Best Colleges and National Universities, the University of Chicago ranks as #6. Situated in Hyde Park, it offers a rich campus life within a big city setting. In addition, the University has postgraduate offerings that include the highly ranked Booth School of Business, Law School, Pritzker School of Medicine and Harris School of Public Policy Studies.

Job Family: Information Technology

Responsible for the design, implementation, and maintenance of new and existing applications, systems architecture, and network infrastructure. Ensures operation and security of all servers and networks. Configures, installs, maintains and upgrades applications and hardware for the organization's infrastructure and for end-user devices.

Career Track and Job Level: Information Security

Develops, implements, and maintains information security and identity management policies, procedures, and systems. Deploys security defense and identity management technologies, manages existing infrastructure and responds to cyber security incidents. Identifies and evaluates risks to the organization. Develops and conducts security penetration testing and security awareness outreach.

M3: Provides leadership to managers and professional staff. Is accountable for the performance and results of multiple related teams. Develops departmental plans, including business, operational and/or organizational priorities. Decisions are guided by resource availability and functional objectives.

Role Impact: People Manager

Responsibilities

The job may manage multiple related teams of managers and/or professional staff responsible for developing, implementing, and maintaining information security and identity management policies, procedures, and systems. Manages the deployment of security defense and identity management technologies, the management of existing infrastructure, and the response to cyber security incidents. Determines risks to the organization by directing security testing.

1) Manages managers and professional staff. Establishes performance goals, allocates resources and assesses policies for direct subordinates.
2) Executes functional business plans and helps determine functional strategy. Develops strategy for new technologies that address current and future needs.
3) Advises the development and delivery of data network and infrastructure options to the University that supports teaching, research, and administration. Directs the design, development, operation, extension, and maintenance of central IT infrastructure.
4) Ensures that networks are high performing and meet the needs of faculty, staff, students and researchers.
5) Performs other related work as needed.

Unit-specific Responsibilities

1) Aligning with the University Information Security Office, execute a risk-based information security program for the BSD, including items such as: access management, device security, incident response, policies, training, risk management, security architecture, vulnerability management, PCI/HIPAA compliance, support data governance, data stewardship, and technical architecture review programs.
2) Guide and counsel the Assistant Dean BSD Information Technology Services and organizational leaders on information security and its role in enabling mission activities and managing IT Security risk, in both strategic and tactical contexts.
3) Review hardware, software, and services being considered for purchase or implementation by BSDIS and other campus departments to assess security issues (strengths/risks) and assure proper information security features are incorporated to support university business needs; provide security requirements to be included in RFPs for software and services.
4) Review Data Use Agreements and Procurement Contracts for the BSD to ensure security measures are appropriately identified and managed.
5) Establish annual and long-range security and compliance goals. Define security strategies, metrics, reporting mechanisms and program services. Create maturity models and a roadmap for continual program improvements.
6) Engage with external communities and activities to maintain good perspective on information security practices at peer organizations and the threat environment, and to promote and increase inter-organizational ability to address common problems.
7) Oversee the management and administration of all security systems and their corresponding software, including firewalls, VPNs, intrusion detection, cryptography, content filters, and anti-malware systems.
8) Determine baseline security configuration standards for operating systems (e.g., OS hardening), network segmentation, and identity and access management (IAM).
9) Manage teams that research security alerts and anomalies and develop plans for remediation. Regularly develop advanced hunt techniques for the identification of threat actors across the internal network. Create penetration testing plans, execute and remediate findings.
10) Assume responsibility for digital forensics and eDiscovery tools, as well as perform data gathering to support internal and external litigation. Summarize and report results.
11) Ensure Information Security Programs are in compliance with the Family Educational Rights and Privacy Act (FERPA), HIPAA and FISMA.
12) Lead the development and implementation of effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation.
13) Lead efforts to assess, evaluate and make recommendations regarding the adequacy of security controls for the BSD’s information and technology systems, and establish a process that guarantees rigorous and appropriate vetting and risk assessment.
14) Coordinate and track all information technology and security related examinations, audits and compliance assessments including scope, units involved, timelines, and outcomes. Work to keep focus in scope, maintain excellent relationships with these entities and provide a consistent perspective that continually puts the BSD in its best light.
15) Develop a strategy for dealing with an increasing number of examinations, audits, compliance checks and external assessment processes.
16) Liaise with auditors, regulators and other examiner groups.
17) Partner with leaders of research activities, serve on leadership committees and be a resource to others to offer solutions that proactively minimize security risk, liability, or concerns utilizing a broad and inclusive view to help the organizational activities be successful.
18) Pursue security initiatives to address unique needs in protecting identity theft, mobile social media security and online reputation program.
19) Promote and develop BSD awareness programs, e.g., identity theft pamphlets, phishing awareness, and more.
20) Maintain strong working relationships with leadership and their teams to align information security practices across the campus’ IT infrastructure and services offices.
21) Proactive community involvement, with other industry and university groups, for added threat intelligence.
22) Motivate and lead a high performing ISO team, utilizing effective talent management practices to attract and retain team members. Ensure growth in cybersecurity skills within the team.
23) Manage cybersecurity personnel dedicated to research programs with advanced data security requirements such as FISMA.
24) Manage relationships with third parties (vendors, suppliers, contractors, partners, etc.), external stakeholders (DHS, FBI) and others.
25) Maintain awareness of security threats, breaches and incidents in the industry and beyond, to proactively assess emerging threats to the BSD’s constituency, data and its environment.
26) Oversee the Change Management Program ensuring that all changes are in compliance with Security and Regulatory standards and appropriately identify risk and impact to the organization.
27) Provide strategic direction for the Identity & Access Management program and establish standards for delivery of enterprise-wide identity and access for employees and vendors to the organization’s systems and applications.
28) Keep abreast of security incidents and act as primary control point during significant information security incidents. Convene a security incident response team as needed, or requested, in addressing and investigating security incidents that arise.
29) Convene Ad Hoc Security Committee as appropriate and provide leadership for breach response and notification actions.
30) Conduct a continuous assessment of current IT security practices and systems and identify areas for improvement.

Unit-preferred Competencies

1) Innovator - Entrepreneurial in thinking, planning, and execution. Showcases proven analytical and problem-solving ability, particularly as it pertains to security platforms and tools, non-disruptive implementation, risk assessment, compliance, analytics and reporting.
2) Communicator - Communicates consistently and transparently…early and often. Seeks to understand the needs, feelings and capabilities of others. Is tactful, honest, and treats others with respect.
3) Catalyst for Change - Adapts, evolves and transforms through thoughtful experimentation and continuous learning. Seeks out opportunities to differentiate BSD and offer the highest level of value.
4) Collaborator - Works with teams to deliver on BSD’s vision and shared goals. Finds common ground with a wide range of stakeholders. Seeks the mutually beneficial solution for all constituencies.
5) Results Driven - Leads by setting challenging goals and aligning team members to them. Owns and delivers results. Tracks and validates accomplishments using appropriate metrics.
6) Talent Developer - Motivates and guides others to reach personal and organizational goals. Coaches, mentors and challenges in a way that inspires people to reach their full potential.

Education, Experience, and Certifications

Minimum requirements include a college or university degree in related field.
Minimum requirements include knowledge and skills developed through 7+ years of work experience in a related job discipline.

Preferred Qualifications

Education
1) Bachelor’s Degree in Information Technology, Information Systems Security, Cybersecurity, or related field.

Certifications
1) Certified Information Security Manager (CISM),
2) Certified Information Systems Security Professional (CISSP),
3) Certified Ethical Hacker (CEH), or
4) Certified Cloud Security Professional (CCSP),
5) Certified in Risk and Information Systems Control (CRISC)

Experience
1) Seven to ten years in a leadership role of combined IT and security work experience, with a broad exposure to infrastructure/network, cloud, endpoint and multiplatform environments.
2) Deep experience in all dimensions of Information Security and in leading within large, complex environments.
3) Proficiency in creating security and architectural strategy spanning enterprise organizations including web-scale environments, applications, and systems such as: ecommerce, online marketing, online advertising, digital media, content management systems, content publishing systems, etc.
4) Overall knowledge of application and operating system hardening, vulnerability assessments, security audits, intrusion detection, data-leak protection, firewalls, networking, VPN.
5) Understanding of risk assessment procedures, policy formation, role-based authorization methodologies, authentication technologies, and security attack pathologies.
6) Well versed in the implementation of security controls and understands key business and technological processes, implementing effective risk mitigation strategies to protect the confidentiality, integrity, and availability of information assets.
7) Direct experience or strong working experience managing security infrastructure — e.g., firewalls, intrusion prevention systems (IPSs), web application firewalls (WAFs), endpoint protection, SIEM and log management technology.
8) Skilled in information security risk management, including but not limited to risk and gap analysis, risk evaluation and ranking, mitigation strategy recommendation, and reporting on the risk profile, and residual risk.
9) Must be an intelligent, articulate, consensus building, and persuasive leader who can serve as an effective member of the senior management team and communicate information security-related concepts to a broad range of technical and non-technical team members at all levels of the organization.

FLSA Status: Exempt
Pay Frequency: Monthly
Pay Grade: Depends on Qualifications
Scheduled Weekly Hours: 40
Benefits Eligible: Yes
Drug Test Required: No
Health Screen Required: No
Motor Vehicle Record Inquiry Required: No
Posting Date: 2019-12-24-08:00
Remove from Posting On or Before: 2020-06-24-07:00
