Lead Advisor, Privacy and Information Security Risk

Updated: 5 days ago
Location: Vancouver UBC, BRITISH COLUMBIA
Job Type: Full-Time

Staff - Non Union


Job Category
M&P - AAPS


Job Profile
AAPS Salaried - Information Systems and Technology, Level D


Job Title
Lead Advisor, Privacy and Information Security Risk


Department
Privacy and Information Security | Safety & Risk Services | VP Finance and Operations


Compensation Range
$8,063.17 - $12,575.08 CAD Monthly

The Compensation Range is the span between the minimum and maximum base salary for a position. The midpoint of the range is approximately halfway between the minimum and the maximum and represents an employee that possesses full job knowledge, qualifications and experience for the position. In the normal course, employees will be hired, transferred or promoted between the minimum and midpoint of the salary range for a job.




Posting End Date
May 14, 2024

Note: Applications will be accepted until 11:59 PM on the day prior to the Posting End Date above.

Job End Date

**This position is expected to be filled by promotion/reassignment and is included here to inform you of its vacancy at the University.

At UBC, we believe that attracting and sustaining a diverse workforce is key to the successful pursuit of excellence in research, innovation, and learning for all faculty, staff and students. Our commitment to employment equity helps achieve inclusion and fairness, brings rich diversity to UBC as a workplace, and creates the necessary conditions for a rewarding career. 

Job Summary

This position is a management position within the Privacy & Information Security Management (PrISM) Safety & Risk Service (SRS) team. UBC’s PrISM program is an ongoing initiative to reduce the risk of a major privacy or information security breach at UBC through security governance, technology advancement, training, awareness and communications, risk management and compliance support, system identification and classification.

This is an exciting opportunity to work with a dynamic, risk focused team that collaborates across UBC including with management and staff in other units, such as the Cybersecurity team, University Counsel, Enterprise Risk and Assurance, the Office of the CIO and UBC IT teams.

The Safety & Risk Services team is a key component of the PrISM program, delivering Privacy Impact Assessments (PIA) including information security reviews, campus wide training and risk advisory services to UBC. The team’s focus is to maintain public trust in UBC, protect personal information of the UBC community and keep UBC confidential information secure, whilst enabling technology-supported business initiatives to succeed.

This role combines operational project assurance responsibilities with risk assessment content and tools development to enable the success of the PrISM Safety & Risk Services team. Key responsibilities include:

  • For large, complex and high-risk projects, conduct or oversee Privacy Impact Assessments and Security Threat Risk Assessments, utilizing assessment frameworks and tools.

  • Provide highly specialized privacy and information security technical expertise and mentoring to project teams and PIA Risk Advisors, to ensure reasonable privacy and information security measures are in place through every phase of the project’s life cycle, including project planning, requirements definition, procurement, implementation and operationalization of new technology services.

  • Work with the CISO office, UBC IT, Procurement and project teams to embed privacy and information security activities, including privacy and security requirements, architectures, testing and risk assessments, in project lifecycles.

  • Lead special projects relating to privacy and information security risk assessment, e.g. investigations into emerging risk areas, writing briefing notes for the PrISM Executive Leadership Committee, and responding to special requests for process and technology review.

Organizational Status

The Lead Advisor, Privacy and Information Security Risk will support the Privacy and Information Security Management (PrISM) program at UBC as part of the SRS team. The incumbent will collaborate and work closely with management and staff in other units, including Office of the University Counsel, the Office of the CIO, Enterprise Data Governance, UBC IT and Faculty IT teams.

Work Performed

  • For large, complex and high-risk projects, conduct or oversee Privacy Impact Assessments and Security Threat Risk Assessments, utilizing assessment frameworks and tools.

  • Provide highly specialized privacy and information security technical expertise and mentoring to project teams and PIA Risk Advisors, to ensure reasonable privacy and information security measures are in place through every phase of the project’s life cycle, including project planning, requirements definition, procurement, implementation and operationalization of new technology services.

  • Engage broadly (through training, workshops and relationship building) within assigned projects to raise awareness of privacy and information security risk and mitigations.

  • Provide updates and formal reports to the relevant committee and stakeholders, including the PrISM Executive Team and program/project governance bodies as required.

  • Work with the CISO office, UBC IT, Procurement and project teams to embed privacy and information security activities, including privacy and security requirements, architectures, testing and risk assessments, in project lifecycles.

  • Lead special projects relating to privacy and information security risk assessment, e.g. investigations into emerging risk areas (such as the Internet of Things), writing briefing notes for the PrISM Executive Leadership Committee, and responding to special requests for process and technology review.

  • Define interfaces between the PIA process and CISO architectural review services to embed a common methodology, ensure coverage and improve client experience.

  • Work with subject matter experts to develop and continually refine privacy and information security risk assessment methods, processes and tools for high-risk or frequently used cloud services (e.g. infrastructure- and platform-as-a-service, object-based storage or orchestration services), in collaboration with the information security standards working group, architects and other subject matter experts.

  • Support the continued alignment of UBC information security policy and standards with external standards, e.g. ISO, NIST. Ensure methods reflect current information security frameworks, techniques and tools.

  • Develop relevant content to inform PrISM SRS clients and risk advisors on acceptable use of UBC tools

  • Select and follow project management methods, procedures, and quality objectives, and track metrics for assessing progress on privacy and security risk assessments throughout assigned projects.

  • Assesses variances from the assessment project plans, budgets and schedules, develops and implements changes as necessary to ensure that the project remains within specified scope and is within time, cost, and quality objectives, and keeps management aware of the situation.

  • Conducts formal reviews with project sponsors at project completion to confirm acceptance and satisfaction.

  • Develop & deliver internal training and embed risk assessment tools into project risk assessment processes

  • Manages liaison relationship with clients to ensure technology solutions comply with applicable privacy legislation and regulations, UBC policy and information security standards, whilst enabling business initiatives.

  • Provides expert advice on information security risks to the University community, as deemed necessary.

  • Acquires and maintains a working knowledge of the University's technical and business environment.

  • Builds and maintains strong and productive working relationships with team members, stakeholders, UBC IT, and other vendors / consultants.

  • Maintains appropriate professional designations and up-to-date knowledge of current information security frameworks, methods, techniques and tools.

  • Performs other related duties as required.

Consequence of Error/Judgment

UBC is a complex organization that collects and uses information to support its mandate. An information breach (especially relating to personal or other high-risk information) could have a significant financial and reputational impact on the University.

The Lead Advisor, Privacy and Information Security Risk plays a critical role in identifying key privacy and information security risks and providing appropriate recommendations to reduce these risks to an acceptable level.

Sound judgment must be exercised. Lack of good judgment and / or inability to adopt sound risk management techniques may result in the failure to detect significant privacy and information security related exposures to the University's confidential information.

Supervision Received

The Lead Advisor, Privacy and Information Security Risk reports directly to, and works under the general direction of, the Senior Manager, Privacy and Information Security Risk. The incumbent must be able to work independently as well as contribute actively and collaborate openly as a team member.

Supervision Given

Plans, directs, and supervises work of project team members, such as other consultants and staff assigned to the project.


Minimum Qualifications


Undergraduate degree in a relevant discipline. In-depth knowledge of applications and the business requirements supporting them. Minimum of five years of related experience, or the equivalent combination of education and experience.
- Willingness to respect diverse perspectives, including perspectives in conflict with one’s own

- Demonstrates a commitment to enhancing one’s own awareness, knowledge, and skills related to equity, diversity, and inclusion

Preferred Qualifications

  • A professional designation in information security, control and governance (e.g. CISA, CISSP, CISM, CIPP, CRISC, CGEIT, CPA, PMP) is desirable.

  • Experience in carrying out Privacy Impact Assessments relating to complex integrated enterprise solutions in a higher education and/or public sector environment

  • Experience working with, designing and implementing risk-based information security assessment tools.

  • Experience in information security frameworks such as COBIT and ISO 27002.

  • Self-motivated with a strong commitment to providing high quality services, together with a thorough understanding and awareness of information security best practices and the ability to translate them into meaningful and value added University-wide and local solutions.

  • Demonstrates knowledge of Freedom of Information and Protection of Privacy Act (FIPPA), particularly as it relates to implementing 'reasonable security arrangements' over PI under the University's control or in its custody.

  • High level of interpersonal skills used to lead, enthuse, motivate, influence, and educate others at all levels to drive change across the University.

  • Ability to effectively facilitate multi-disciplinary groups to achieve appropriate outcomes

  • Knowledge of project management, quality assurance, change management disciplines and best practices, and development methodologies

  • Knowledge and ability to effectively use Communication and Collaboration Technologies

  • Understands key trends and players in the IT industry and higher-education sector

  • Excellent organizational, planning, and prioritization skills. Able to multi-task and deliver multiple assignments in a fast-paced and changing environment

  • Demonstrates the willingness, ability, and enthusiasm to learn new processes, methodologies or technologies

  • Demonstrated ability to communicate with diverse audiences (management, senior leadership, technical) using a variety of delivery mechanisms (written, oral, presentations etc.)


