Director of Information Security - 501195
The Director of Information Security (The Director) has the authority and responsibility to strategically and tactically lead and manage the University's information security and security risk programs. The Director will develop, review, and implement information security and privacy policies, procedures, and guidelines for the University's information technology (IT) environments. The Director will identify key areas of risk, recommend and implement appropriate security controls and monitoring systems. The Director will be the primary Information Services point of contact for internal and external law enforcement personnel when they are investigating a related case.
Information Security Leadership
- Work with University executive, academic and business managers to partner the IT organization with business units to help them meet security and compliance requirements.
- Establish and lead an Information Security Committee to develop strategic information security requirements and to implement appropriate preventative and remedial measures to minimize risk.
- Develop, implement and maintain information security policies, procedures, and guidelines for the university's computing and networking environments. Annually review to assess compliance and recommend updates.
- Independently perform risk assessments and work closely with internal and external auditors to preempt, mitigate, and swiftly respond to any audit findings that require action.
- Develop, implement and manage the University's Security Incident Response Program to include policy, procedure, analysis and documentation of incidents as well as periodic incident management testing.
- Lead information security projects and initiatives for the University by collaborating and communicating in an inclusive manner with key stakeholders and subject-matter experts.
- Recommend and manage security budgets, projects and systems to ensure adequate resourcing of university information security programs.
- Manage a staff of information security professionals, hire and train new staff, conduct performance reviews, and provide leadership and coaching, including technical and personal development programs for team members.
- Create and oversee implementations of strategies for risk mitigation.
Information Security Awareness and Training
- Develop and implement a University-wide information security awareness and training program for stakeholders and all faculty and staff.
- Design and deliver security workshops and curriculum.
Information Security Administration
- Manage the University's enterprise server and desktop antivirus platform.
- Manage the University's vulnerability management solution. Work with system owners and departments to mitigate any possible vulnerabilities.
- Utilize state-of-the-art systems and processes to protect University systems and data from unauthorized access and abuse.
- Provide oversight and ownership for intrusion detection and response as well as creation and maintenance of security certificates.
- Coordinate the handling and resolution of security breaches, systems intrusions, and abuse.
- Respond to requests for information from legal and/or law enforcement in a timely, accurate and confidential manner.
- Work with the Chief Information Officer (CIO) and outside security consulting firms to periodically conduct external assessments of the University's information security profile.
- Routinely monitor and audit compliance with all information security procedures and policies to ensure consistency of internal controls across departments.
- Participate in requests for proposals (RFP) and vendor meetings to vet information security needs of new applications and software-as-a-service offerings.
- Lead and document the annual Payment Card Industry-Data Security Standard (PCI-DSS) assessment for the University.
- Assess relevant IT purchases to ensure they support security and compliance requirements.
- Maintain up-to-date knowledge of the IT security industry including awareness of new or revised security solutions, improved security processes and the development of new attacks and threat vectors.
- Thorough knowledge of information security principles and best practices.
- Working knowledge of key regulations and practices including HIPAA, FERPA, GLBA and PCI.
- Thorough knowledge of networking and distributed computing, routing, n-tier software, web application architectures, and networked file systems.
- Thorough knowledge of TCP/IP protocols, firewalls, VLANs, intrusion detection, wired and wireless network infrastructure and monitoring.
- Working knowledge of on-premises, cloud, and mobile computing environments, including Microsoft Windows, Apple Macintosh, Linux, scripting languages, and security best practices.
- Thorough knowledge and demonstrated ability to perform risk assessments, risk impact analysis, mitigations and contingencies as applied to information security.
- Experience with and demonstrated ability to perform vulnerability assessments and utilize antivirus tools and platforms, web application firewall, and SIEM tools.
- Excellent oral and written communication, facilitation, collaboration, and consultation skills.
- A keen understanding of human-based attack surface areas such as social engineering and spear phishing and the risks they represent.
- Ability to influence university members not limited to faculty, staff, university senior leadership, academic leaders, and deans.
- Demonstrated ability to work collaboratively and to complete tasks and projects working with others throughout the University.
- Ability to use discretion when handling confidential information.
- Ability to create and implement plans that translate strategic requirements into actionable steps.
- Demonstrated analytical and problem-solving abilities.
- Ability to effectively prioritize and execute tasks in a rapidly changing environment.
- Ability to present ideas in both business-friendly and IT-friendly language.
- Highly self-motivated and directed.
- Keen attention to detail.
EDUCATION & EXPERIENCE:
- Bachelor's degree in Computer Science or related field.
- Certified Information Systems Security Professional (CISSP) or other equivalent certifications preferred.
- 5+ years information security experience.
- 3+ years networking experience.
- 3+ years Windows and/or Linux server administration experience.
- 1+ years of project management experience preferred.
- Full-time, exempt position
- Monday - Friday, 8:30 a.m. - 5:00 p.m.; 7.75 hrs./day; 38.75 hrs./week
- Must be available to work on an as-needed basis during critical times.
Pay Grade 11
To see more detailed salary information please review the University of Richmond's Compensation Structure.
Located minutes from downtown Richmond, Virginia, the University of Richmond (www.richmond.edu) blends the intimacy of a small college with exceptional academic, research, and cultural opportunities usually found only at large institutions. Richmond offers a unique combination of undergraduate and graduate programs. Our School of Arts & Sciences anchors Richmond as a nationally ranked liberal arts university. A ranked business school, the nation's first school of leadership studies, a highly respected law school, a nationally recognized international education program and the community-focused School of Professional and Continuing Studies build on that strong foundation and make this university something unique.
UR is committed to developing a diverse faculty, staff and student body, and to modeling an inclusive campus community which values the expression of differences in ways that promote excellence in teaching, learning, personal development and institutional success. In keeping with this commitment, our academic community welcomes candidates from diverse backgrounds and candidates who support diversity. EOE