University of Colorado Denver | Anschutz Medical Campus
Office of Information Technology
Job Title: Director of IT Security and Compliance and Information Security
Position #002307 – Requisition #19609
* Applications are accepted electronically ONLY at www.cu.edu/cu-careers
The University of Colorado Denver | Anschutz Medical Campus is a public research university serving more than 18,000 students. We award nearly 4,000 degrees each year, including more graduate and professional degrees than any other Colorado institution. With our solid academic reputation, award-winning faculty and renowned researchers, we offer more than 140 highly rated degree programs through 13 schools and colleges. The university receives over $400 million in research awards each year. In addition to the wide array of health-related programs and facilities offered at CU Anschutz in Aurora, Colo., a significant number of undergraduate and graduate degree programs are taught at CU Denver, our comprehensive campus in the heart of downtown Denver—one of America’s most vibrant urban centers. CU Denver is located steps from the Denver Center for Performing Arts and the LoDo District, affording our students, faculty and staff access to a broad array of academic, professional, community, recreational and cultural outlets.
The Office of Information Technology (OIT) works to advance the University mission by providing innovative technology solutions and services to the CU Denver and Anschutz Medical Campuses, their constituents and partners. Find out more about the Office of Information Technology (https://youtu.be/K0_WJy6RdFU). Through our six core values – Service, Professionalism, Leadership, Innovation, Community, and Excellence (SPLICE) – we make a difference. Find out more about OIT’s culture (https://www1.ucdenver.edu/offices/office-of-information-technology/our-culture).
OIT is seeking a strong leader as the Director of IT Security and Compliance and Information Security Officer (ISO) to serve in a key role in IT security and compliance leadership, working closely with senior administration, academic leaders, and the campus community.
The Director of IT Security and Compliance and Information Security Officer (ISO) position requires a strong, knowledgeable leader to provide vision, strategy, and broad-based planning for IT security, compliance and operations. The ISO reports to the CIO, is a member of the Office of Information Technology (OIT) leadership team and is an advocate for the university’s total information security and compliance needs. The ISO is responsible for the development and delivery of a comprehensive information security and compliance strategy to optimize the security and IT compliance posture of the university. The ISO, in close collaboration with the OIT Program Director for Security Operations, leads the development and implementation of a security program that leverages collaborations and campus-wide resources, facilitates information security governance, advises senior leadership on security direction and resource investments, and designs appropriate policies to manage information security risk. This position is also responsible for driving the regulatory compliance activities as they relate to Information Security.
Compliance is a key priority of OIT and the Director of IT Security and Compliance is the primary individual for ensuring compliance with applicable federal, state, and local compliance rules and regulations. Further, this position leads the security operations team in ensuring that IT Security infrastructure and devices are designed and chosen to maximize the security posture of the University while ensuring ongoing business operations. The complexity of this position requires a leadership approach that is engaging, imaginative, and collaborative, with a sophisticated ability to work with other leaders across the University and CU System to set the best balance between security and compliance strategies and other priorities at the campus and system level.
Jobs in this career family develop, maintain, and support computer systems, software and networks. Functions include enterprise operations, distributed computing, academic computing, research computing, computer hardware and software management, computer networking, telecommunications, systems development, database administration, server administration, website management, programming, desktop support, and help desk operations.
Directors are responsible for the ongoing leadership and oversight of a department, including the development of strategies and processes which contribute to the University and/or campus mission and accountability for services provided. Directors are responsible and accountable for the analysis of fiscal and human resources required to achieve department objectives including hiring, compensation, termination, and performance management of subordinate employees.
Examples of Work Performed
University and Program Leadership
Responsible for the strategic leadership of the University’s IT Security and Compliance program.
Responsible for the strategic leadership of the University’s security operations team.
Responsible for the strategic leadership of the University’s risk and compliance team.
Lead information security planning processes to establish an inclusive and comprehensive information security and compliance program for the entire institution in support of academic, research, and administrative information technology.
Establish annual and long-range security and compliance goals, define security strategies, metrics, reporting mechanisms and program services; and create maturity models and a roadmap for continual program improvements.
Stay abreast of information security issues and regulatory changes affecting higher education at the state and national level. Engage in professional development to maintain continual growth in professional skills and knowledge essential to the position.
Provide a strong leadership philosophy for the IT Security and Compliance Division to create a strong bridge between organizations, build respect for the contributions of all and bring groups together to share information and resources and create better decisions, policies and practices for the campus.
Mentor the IT Security and Compliance Division team members and implement professional development plans for all members of the team.
Policy, Compliance, Governance and Audit
Lead efforts to internally assess, evaluate and make recommendations to management regarding the adequacy of the security controls for the university's data and information technology systems.
Work closely with system-level security and compliance governance to ensure campus-level issues and needs are addressed.
Drive governance efforts to define an accountability framework providing oversight to ensure that risks are adequately mitigated. Ensure that security strategies are aligned with organizational objectives and consistent with regulations.
Work closely with IT leaders, technical experts, deans and administrative leaders across campus on a wide variety of security and compliance issues that require an in-depth understanding of the IT environment in their units, as well as the research landscape and federal regulations that pertain to their unit’s administrative, academic and research areas.
Lead the development and implementation of effective university policies, standards and procedures to help secure the university’s data and IT systems.
Work with Internal Audit, the CU Office of Information Security and outside consultants, as appropriate, on required security and compliance assessments and audits.
Coordinate and track all information technology and security related audits including scope of audits, units involved, timelines, auditing agencies and outcomes. Work with auditors as appropriate to keep audit focus in scope, maintain excellent relationships with audit entities and provide a consistent perspective that continually puts the institution in its best light. Provide guidance, evaluation and advocacy on audit responses.
Work with university leadership and the Office of Regulatory Compliance to build cohesive security and compliance programs for the university, to effectively address state and federal statutory and regulatory requirements, including HIPAA, FERPA, PCI and FISMA.
Develop a strategy for dealing with the increasing number of audits, compliance checks and external assessment processes for internal/external auditors (e.g. PCI, HIPAA, and FISMA).
In close collaboration with the Program Director of Security Operations, define and implement security strategies and technologies to ensure the security of University data and resources.
Help protect the confidentiality, integrity and availability of university data by ensuring that SecOps systems, architecture and processes reflect industry best practices.
Security by Design: support OIT project management, architecture review and change management processes through the integration of security and compliance requirements, standards and best practices.
Make recommendations to senior IT leadership on what strategies and technologies to implement and what strategies and technologies to avoid.
Ensure that the Security Operations Team is working to successfully implement infrastructure and devices that are highly available and reliable resulting in the successful operation of the University’s business, academic, research, and clinical enterprise.
Outreach, Education and Training
Create and maintain a security and compliance awareness program and advise operating units at all levels on security issues and best practices.
Work with campus groups such as LAN Admins, the Office of Regulatory Compliance, application developers, sys admins, and other technical and non-technical groups to build awareness and a sense of common purpose around security.
Risk Management and Incident Response
Working with the Program Director of Security Operations:
Develop, implement, document and administer a security incident response process and team.
Ensure the successful operation of the University’s security infrastructure and devices while balancing the security and business needs of the University.
Keep abreast of security incidents and act as primary control point during significant information security incidents. Convene the Incident Response Team as needed, or requested, in addressing and investigating security incidents that arise.
Develop, implement and administer technical security standards, as well as a suite of security services and tools to address and mitigate security risk.
Coordinate the development of information security policies, standards, and procedures. Work with key IT Offices, data custodians, and governance groups in the development of such policies. Ensure the university policies support compliance with external requirements. Oversee the dissemination of policies, standards and procedures to the university community.
Provide leadership, direction and guidance in assessing and evaluating information security risks and monitor compliance with security standards and policies.
Examine impacts of new technologies on the university’s overall information security posture. Establish processes to review implementation of new technologies to ensure security and compliance.
Coordinate the development and delivery of education and training programs on information security and privacy matters for employees, other authorized users, and students.
Salary and Benefits:
The salary range for this position has been established at $120,000 - $140,000 and is commensurate with skills and experience.
The University of Colorado offers a full benefits package. Information on University benefits programs, including eligibility, is located at https://www.cu.edu/employee-services.
The University of Colorado Denver | Anschutz Medical Campus is dedicated to ensuring a safe and secure environment for our faculty, staff, students and visitors. To assist in achieving that goal, we conduct background investigations for all prospective employees.
The University of Colorado Denver | Anschutz Medical Campus is committed to recruiting and supporting a diverse student body, faculty and administrative staff. The university strives to promote a culture of inclusiveness, respect, communication and understanding. We encourage applications from women, ethnic minorities, persons with disabilities and all veterans. The University of Colorado is committed to diversity and equality in education and employment.
Conditions of Employment:
Must be willing and able to travel between campuses (Denver Campus and Anschutz Medical Campus).
PLEASE NOTE: Candidates will be responsible for travel expenses related to the interview process and any relocation expenses, if applicable.
Parking expenses for employees are not covered by the university. To review parking options please visit the link below and select your appropriate campus: Facilities Management Permit Parking (http://www.ucdenver.edu/about/departments/FacilitiesManagement/ParkingMaps/Parking/Pages/PermitParking.aspx)
A minimum of 5 years total experience with information security and compliance
3-5 years’ experience in a leadership role
3-5 years’ experience in regulatory compliance
Bachelor’s degree in Security Information Systems or closely related field
Substitution: A combination of related work experience in the areas listed above may be substituted on a year-for-year basis for the bachelor’s degree.
Knowledge, Skills, and Abilities
Excellent leadership and management abilities with strong written and oral communication skills.
Working knowledge of a broad range of information technology services and systems.
Knowledge of security best practices and how to apply them in a complex, distributed environment.
Ability to work collaboratively with diverse groups of people and a broad range of constituencies.
Broad understanding of networking concepts in support of security operations.
Demonstrated ability to implement general security concepts and methods such as vulnerability and risk management, incident response, policy creation, and enterprise security strategies.
Deep experience with information security regulatory and compliance management.
Experience developing and administering information security standards, guidelines and best practices.
Demonstrated working knowledge with documented training and/or certification in IT Security and Compliance, including HIPAA and PCI.
Ability to manage multiple projects or priorities with complex contracts and relationships.
Demonstrated ability to foster participation of others and to work effectively and collaboratively with faculty, senior administrators, and staff.
Demonstrated experience advancing diversity and the creation of inclusive work environments.
Demonstrated ability to lead a security operations team.
Deep understanding of the operation of security devices such as firewalls, Intrusion Prevention/Detection
Job: Information Technology
Primary Location: Denver
Job Category: Information Technology
Department: U0001 -- DENVER & ANSCHUTZ MED CAMPUS
Posting Date: Nov 20, 2020
Unposting Date: Ongoing
Posting Contact Name: OIT Human Resources
Posting Contact Email: ucd-oit.HumanResources@ucdenver.edu
Posting Number: 00002307
Req ID: 19609
The University of Colorado does not discriminate on the basis of race, color, national origin, sex, age, pregnancy, disability, creed, religion, sexual orientation, gender identity, gender expression, veteran status, political affiliation, or political philosophy. All qualified individuals are encouraged to apply.