Join the Pack! A community with nearly 8,000 faculty and staff, and 30,000 students. NC State is one of the largest employers in North Carolina, offering a large range of career opportunities. Visit us at www.ncsu.edu/hr/job_applicants/reasons.
Department: 511001 - Security & Compliance
Location: Raleigh, North Carolina
Essential Job Duties:
The Director of Information Security Risk and Assurance (ISRA) reports to the Chief Information Security Officer/Director of Security & Compliance (S&C) in the Office of Information Technology (OIT). The Director assures the university's compliance with federal law, state government statutes, university system standards and NC State internal policies, regulations, procedures and contractual obligations in the area of information security and privacy. Appropriate frameworks, policies, regulations, guidelines, procedures and assurance processes are developed for security, privacy, and protection of the university's information assets, including research data.

Primary responsibilities include:

1) Work closely with the CISO to develop appropriate security strategies to align university security defenses with the evolving threat landscape and changing business requirements. This includes continuous development of the university cyber security strategic plan and road map.

2) Conduct appropriate gap analyses and develop appropriate procedures, regulations, standards and rules to ensure compliance. Examples are listed below:
– NC State Data Sensitivity Framework
– UNC System Security Framework/Baseline based on ISO 27001/2:2013
– NC State University Information Security Manual
– NIST Cybersecurity Framework and Special Publications series 800 (e.g., 800-53, 800-171)
– FISMA (Federal Information Security Management Act of 2002)
– Higher Education Opportunity Act (HEOA) and Digital Millennium Copyright Act (DMCA) peer-to-peer file sharing provisions; this position serves as the University Copyright agent
– Payment Card Industry Data Security Standards (PCI DSS)
– HIPAA (Health Insurance Portability and Accountability Act of 1996); this position serves as the University HIPAA security officer
– GLBA (The Gramm-Leach-Bliley Act of 1999); this position serves as the GLBA Data Security Leader
– European GDPR (General Data Protection Regulation)
– Applicable State and Federal Laws/Regulations

3) In conjunction with the Information Security Services (ISS) team within S&C, perform information security assessments, IT risk assessments, application security reviews, sensitive data security reviews, third-party vendor security assessments, information security audit coordination, and information security vendor contract reviews.

4) Partner with university stakeholders to encourage the application of security controls throughout the application and process development lifecycle.

5) Establish, lead, serve on or advise the University's committees that address information security, privacy and compliance issues. Provide leadership on committees that are responsible for establishing and communicating University-wide information security strategy, governance, policies and standards.

6) Initiate, facilitate, and promote activities to create information security awareness for the campus community. Establish standards for user education and awareness and help facilitate the Campus Security Liaison Program, which consists of a representative from each college/division. This will be done jointly with the S&C ISS team and staff from OIT Outreach, Communications & Consulting (OCC).

7) Analyze and assist in developing the university Identity and Access Management (IAM) security requirements to provide services to members of the campus community based upon the privileges associated with their roles.

8) Provide leadership in the continued development and implementation of the Secure University Research Environment (SURE), both short-term and long-term, to ensure compliance with security requirements such as NIST 800-171 to protect and secure the university's sensitive research data (e.g., CUI).

9) Develop, implement and maintain a campus-wide IT risk management program that identifies, analyzes, evaluates and prioritizes risks to the university's IT infrastructure and information assets. This includes a risk treatment process with scoring of the likelihood of vulnerabilities and threats against the assets to determine the level of risk tolerance.

10) Work closely with the S&C ISS team as well as other OIT and campus IT staff regarding the technical implementation of the frameworks, university policies/regulations/procedures/rules, programs and processes. The Director will be heavily involved with strategic planning, budget planning and the implementation of an overall Information Security Program.
Coordinate HIPAA compliance with University Privacy Officer, the Office of General Counsel and the covered health care components as defined in the University's regulation 01.25.09.
Collaborate with the Office of General Counsel regarding IT Records Retention Guidelines, managing/maintaining litigation hold and eDiscovery requests as well as other related issues.
Collaborate with University leadership and IT governance committees/subcommittees, Office of Internal Audit, Office of the General Counsel, Office of State Auditor, and external agencies on information security, privacy and compliance issues.
Provide resource support for information security services staff and execute other duties as assigned.
Post-baccalaureate credentials are required; a bachelor's degree plus alternative or equivalent professional training and experience may be substituted for the advanced degree on an exceptional basis.
Demonstrated experience overseeing the establishment, implementation, and adherence to policies and standards that guide and support an information security strategy.
In-depth knowledge of information security principles, information auditing principles and information security policy and compliance.
Experience implementing security controls in one or more of the following areas:
– Network administration
– System administration
– Software development
– Information Security administration
A solid understanding of technical IT security controls relating to the university network, servers, workstations, and other end user devices.
Strong knowledge and an awareness of the key attributes of applicable federal regulations, state laws, and other external requirements and their impact on information security, privacy and compliance, such as the following:
– FERPA – Family Educational Rights and Privacy Act
– GLBA – Gramm-Leach-Bliley Act
– HIPAA – Health Insurance Portability and Accountability Act of 1996
– ISO/IEC 27000 series – International Organization for Standardization & International Electrotechnical Commission
– NIST FIPS PUB 800-53 – National Institute of Standards & Technology
– PCI/DSS – Payment Card Industry Data Security Standard
– FTC (Federal Trade Commission) Red Flags Rule
– SSAE16 (Statement on Auditing Standards No. 70) and SOC 1 & 2 (Service Organization Controls)
– HEOA – Higher Education Opportunity Act
– DMCA – Digital Millennium Copyright Act
– North Carolina Identity Theft Protection Act of 2005 (North Carolina General Statute § 75-60)
– North Carolina General Statutes, Chapter 126: State Personnel System (NC Personnel Act)
– North Carolina General Statutes, Chapter 132: Public Records, including NC Social Security numbers and other personal identifying information (North Carolina General Statutes, Chapter 132-1.10)
Proven leadership, communication, presentation and problem solving skills.
A solid understanding of privacy practices and their relationship to business, security, and compliance requirements.
Familiarity with single sign-on concepts and identity/access management methodology.
Ability to interpret various hardware, software, procedural, and policy manuals and other technical and complex documentation.
Experience conducting security assessments, particularly of cloud service vendors.
Proven ability to enhance and/or implement an enterprise-wide information security education and awareness program.
Demonstrated interpersonal skills, cultural awareness, and organizational prowess required to work effectively in a University setting.
An understanding of physical security practices for buildings and work spaces where employees and others handle sensitive and valuable information in any form (spoken, printed, electronic).
A broad understanding of all IT service functions, such as technical security, network engineering, application development, server administration, database administration, user account administration, identity and access management, end-point device management and academic support.
Professional security certification from at least one of the currently accepted information security, privacy or audit certification programs, such as:
- Certified Information Systems Security Professional (CISSP)
- Systems Security Certified Practitioner (SSCP)
- Certified Information Security Manager (CISM)
- Certified Information Privacy Professional (CIPP)
- SANS Global Information Assurance Certifications
Required license or certification:
Position Number: 00061664
NC State University is an equal opportunity and affirmative action employer. All qualified applicants will receive consideration for employment without regard to race, color, national origin, religion, sex, gender identity, age, sexual orientation, genetic information, status as an individual with a disability, or status as a protected veteran.
Individuals with disabilities requiring disability-related accommodations in the application and interview process, please call 919-515-3148. Final candidates are subject to criminal & sex offender background checks. Some vacancies also require credit or motor vehicle checks. If highest degree is from an institution outside of the U.S., final candidates are required to have their degree verified at www.wes.org. Degree must be obtained prior to start date.
NC State University participates in E-Verify. Federal law requires all employers to verify the identity and employment eligibility of all persons hired to work in the United States.
NC State University was founded with a purpose: to create economic, societal, and intellectual prosperity for the people of North Carolina and the country. We began as a land-grant institution teaching the agricultural and mechanical arts. Today, we’re a preeminent research enterprise that excels in science, technology, engineering, math, design, the humanities and social sciences, textiles, and veterinary medicine.

NC State students, faculty, and staff take challenges in hand and work with industry, government, and nonprofit partners to solve them. Our 9,000 faculty and staff are world leaders in their fields, bridging the divides between academic disciplines and training high-caliber students to meet tomorrow’s challenges. Together, they forge powerful partnerships with government, industry, nonprofits, and academia to change our world for the better.

NC State is leading efforts to curb nuclear proliferation, develop a smart electric grid, create self-powered health monitors, help farmers confront climate change, and build a new American manufacturing sector. Our award-winning Centennial Campus is home to more than 70 public and private partners — as well as the innovative Hunt Library, which Time magazine has dubbed “the library of the future.”

More than 125 years after its creation, NC State continues to make its founding purpose a reality. Every day, our career-ready graduates and world-leading faculty make the fruits of learning and discovery available to people across the state, throughout the nation and around the world.