Summary Description: The Assistant Vice President and Chief Information Security Officer (CISO) is an exempt professional position. The CISO reports to the Associate Vice President for Administration. The incumbent is an officer of the administration as set forth in Regent Policy 3-J. The CISO provides leadership for the university’s information technology security program through strong working relationships and collaboration across the university. The CISO is responsible for information security policy development and maintenance; design of security policy education, training, and awareness activities; monitoring compliance with university IT security policy and applicable law; and coordinating investigation and reporting of security incidents. The CISO works in close partnership with the university’s Chief Privacy Officer to ensure alignment between information security and privacy policies, training, and practices across the system. The CISO also works closely with other individuals and groups, such as campus IT security principals and IT directors, a university-wide Security Advisory Group, and System Administration. The CISO reports and advises regarding information security issues to the President’s Executive Team, including the campus Chancellors. The CISO directs the personnel and operations of the Office of Information Security. Minimum Qualifications • Bachelor’s degree from an accredited institution of higher education, or equivalent professional experience; • Demonstrates current security knowledge through continuing professional or post-graduate education in information technology security; • Demonstrated experience in successful professional-level achievements that relied upon collaborative working relationships and joint decision-making. • Five years professional experience designing, implementing, and/or auditing enterprise or institutional information technology security, or five years professional experience managing an information technology operations or service unit; • 3 years professional experience working with information privacy and security laws (such as HIPAA, Gramm-Leach-Bliley, PCIDSS, FERPA, Federal Information Processing Standards (FIPS), and data breach reporting laws), generally accepted information security principles, and accepted industry practice; • Demonstrated professional experience in preparing and presenting information (including technical IT subjects) effectively, clearly, and concisely, in written and spoken form to a wide-range of internal and external constituencies, including non-technical executives, officers, product or service vendors, and middle-managers; • Multiple years professional experience developing and maintaining effective professional relationships with internal and external constituencies; • Multiple years professional experience developing, managing, or evaluating information technology security infrastructures (such as network devices, firewalls, VPNs, desktop and server configuration, technology physical security, and other security devices and services); • Two or more years practical experience developing, reviewing, approving, administering, or implementing security policies; Note: All professional experience qualifications may be temporally coextensive, such that sequential professional experience is not required to meet minimum qualification requirements, or individual preferred qualifications. |
