Chief Information Security Officer- IT-Information Security

Job Type: Full Time


Job Description - Chief Information Security Officer- IT-Information Security

at University of Delaware in Newark, Delaware, United States


Job no: 501015

College / VP Area: Vice President for IT

Work type: Staff

Location: Newark/Hybrid

Categories: Information Technology, Full Time

JOB TITLE : Chief Information Security Officer

CONTEXT OF THE JOB :

The IT Information Security Office assesses risks to University information assets and works closely with a broad range of University constituencies to implement appropriate administrative, technical, and physical controls to comply with laws, regulations, funding agency requirements and security policies. The office develops, implements, and maintains a comprehensive information security program and establishes policies, procedures, training, and awareness initiatives designed to protect University information resources, limit liability, and prevent legal and regulatory violations. In addition, the office defines, promotes, and enforces policies and standards to manage risks throughout the digital identity lifecycle, including user identification and authentication, user privileges and account management, in accordance with laws, regulations and contractual obligations.

Information Technologies at the University of Delaware provides the IT infrastructure, central IT systems and applications, and IT services for University of Delaware teaching, learning, research, administrative, and outreach activities. The IT organization is comprised of these eight units: Information Security, Academic Technology Services, Client Services and Support, Enterprise Systems and Services, Network and Infrastructure Services, Research Cyberinfrastructure, University Media Services, and Program Management Office.

Under limited direction from the Vice President for Information Technologies and the Chief Information Officer, the Chief Information Security Officer (CISO) is responsible for information security governance, including strategy and program administration, policy development, enforcement and compliance, risk assessment, incident response, and training and awareness programs. This position has overall responsibility for ensuring that appropriate policies, standards, procedures, and automated mechanisms, designed to appropriately protect the security of information and facilities, are documented and followed across the Institutions (University of Delaware and University of Delaware Clinics). Sensitive or protected information may include information related to students, employees, faculty and patients, as well as information protected by state, federal, or industry policy (FERPA, HIPAA, FISMA, PCI, etc.). This information may exist in either electronic or paper form. Physical security solutions like building access control systems and security cameras are also supported through the CISO’s office. The position works closely with the General Counsel of both the University and Clinics.

MAJOR RESPONSIBILITIES :

Information Security Strategy

+ Guide and counsel the VP of IT, IT staff, and key members of the University leadership team; working closely with executive and academic leaders in defining objectives for information security.

+ Meet with and inform executive leadership and the Board of Trustees as needed.

+ Lead the information security planning process to establish an inclusive and comprehensive information security program for the entire institution in support of academic, research, and administrative information systems and technology. This includes establishing annual and long-range security and compliance goals, defining security strategies, metrics, reporting mechanisms and program services, and creating maturity models and a roadmap for continual program improvements.

Information Security Program Administration

+ Provide leadership, direction, and guidance in assessing and evaluating University-wide information security risks.

+ Develop, implement, and maintain a written information security program that addresses people, processes, and technology.

+ Identify and implement management, operational and technical safeguards to manage risks associated with confidentiality, integrity, availability and compliance with laws, regulations, contractual or funding agency or other external requirements and University IT security policies for central IT-controlled systems.

+ Identify and compile metrics to continuously assess the efficacy of the risk management program and opportunities for improvement.

+ Provide data risk management consultation to IT leaders, data stewards (officials responsible for different types of institutional data: human resources, registrar, etc.), custodians, technical experts, deans and administrative leaders on a wide variety of complex information security issues.

+ Work with data stewards and custodians to establish appropriate data management protocols.

+ Lead the development, implementation and maintenance of information stewardship and security policies, standards and protocols that create and maintain a risk management framework for University information resources, data and systems.

+ Define University-wide data management roles and responsibilities for complying with applicable laws, regulations, contractual, funding agency and other external requirements.

+ Publish and promote information security policies to the University community.

+ Serve as the University compliance officer with respect to federal, state and/or local information security laws, regulations, contractual or funding agency or other external requirements.

+ Work with the campus-designated officers and Vice President & General Counsel on compliance issues as necessary (e.g., FERPA records access, ITAR export controls and HIPAA privacy).

+ Oversee monitoring and documentation of compliance assessment and enforcement of data stewardship and information security policies, protocols, and guidelines.

+ Assess impacts of new technologies on the risks to the University’s central IT information assets; establish risk management processes to review potential impacts of implementation of new technologies.

+ Guide the development of Identity and Access Management program goals and strategic roadmap.

+ Oversee the service team to implement a best-in-class identity management life cycle process in accordance with University policies, laws and contractual obligations.

+ Work closely with the University office of Vice President & General Counsel to establish privacy and security requirements for vendors of commercial software and/or services; assess vendor privacy and security safeguards.

+ Negotiate contract language to place risk-appropriate privacy and security obligations on the application provider.

+ Establish and oversee protocols to identify, assess, publicize and/or coordinate responses to IT threats and vulnerabilities that affect the University.

+ Work closely with internal IT application developers to create information security quality-assurance processes that address information security throughout the software development life cycle.

+ Coordinate with appropriate process owners for central IT disaster recovery, including preparation, testing and maintenance of the disaster recovery plan.

+ Participate in the evaluation of commercial information security hardware and software offerings.

+ Work closely with the UD Police Department, Public Safety and Facilities group to provide application and user support for physical security related technical solutions.

+ Partner and consult with leaders across Grounds to define the risks that accompany new AI technology.

+ Assist the research community with a solutions-oriented approach.

+ Identify, prioritize, develop and leverage risk-based security metrics to provide visibility of security posture to different groups of audiences and leverage the data to make informed program decisions.

Incident Response

+ De

Original job Chief Information Security Officer- IT-Information Security posted on GrabJobs ©. To flag any issues with this job please use the Report Job button on GrabJobs.
