Chief Information Security Officer

Updated: 13 days ago
Location: Salt Lake City, UTAH
Job Type: FullTime

Announcement Details

Open Date 03/26/2024
Requisition Number PRN38053B
Job Title Chief Information Security Officer
Working Title Chief Information Security Officer
Job Grade I
FLSA Code Executive
Patient Sensitive Job Code? No
Standard Hours per Week 40
Full Time or Part Time? Full Time
Shift Day
Work Schedule Summary
M – F
8 am to 5pm
VP Area President
Department 00332 - University Infor. Techn. UIT
Location Campus
City Salt Lake City, UT
Type of Recruitment External Posting
Pay Rate Range $207,036/yr. - $350,000/yr. DOE
Close Date
Open Until Filled Yes
Job Summary
This position reports to the CIO and has overall responsibility for ensuring that appropriate policies, standards, procedures and automated mechanisms, designed to appropriately protect the security of information, are documented and followed across the Institutions (University of Utah and University of Utah Hospital and Clinics). Sensitive or protected information may include information related to patients, employees, students, and faculty, as well as information protected by state, federal, or industry policy (FERPA, HIPAA, FISMA, PCI, etc.). This information may exist in either electronic or paper form.
The Chief Information Security Officer (CISO) has management responsibility over the Information Security Office, including the hiring, evaluating, training, performance management, salary administration, mentorship, development and retention of staff.
The position works closely with the General Counsel of both the University and Hospital and Clinics, those areas within Information Technology with responsibility for system and network security, access control, physical security, application development and/or application product selection and procurement, as well as all relevant academic and administrative Schools and Departments throughout the Institutions.
This position also interfaces with other Utah higher education institutions, as well as other private and governmental agencies.
The CISO will work with relevant government and regulatory agencies to interpret regulations related to the protection of information owned by, or entrusted to the control of, one of the University of Utah institutions.
The CISO will provide advice and counsel related to the development of policies, procedures and electronic safeguards designed to meet the needs of government regulations. The CISO must help the Institutions identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of information; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement safeguard programs, and regularly monitor and test those programs. The CISO will work with appropriate senior leadership to determine methods for dealing with infractions of policies associated with privacy and security, and will identify individuals or groups where inappropriate behavior exists. The CISO will be responsible for development of procedures related to internal reaction to a security event.
Additionally, the CISO will take a leadership role in coordinating activities related to a security event and will act as a focal point for the distribution of security information including alerts, notices of significant intrusions, etc. They will also develop and conduct regularly scheduled security and privacy awareness programs.
Responsibilities
• Development of security and privacy policies (in conjunction with IT governance and other policy development groups) that embody industry best practices. Areas of oversight include, but are not limited to, EMR system, ERP system, data warehouses, information systems, email, identity and access management, software evaluation, cloud storage and systems, infrastructure for accessing systems, security systems used to monitor activities, and business systems.
• Perform management functions associated with leadership of the Information Security Office, including the hiring, evaluating, training, performance management, salary administration, mentorship, development and retention of staff in a complex multi-billion dollar organization.
• Coordinate responses to security events or violations of the confidentiality of information. This includes coordination of activities related to containment, forensics, management notification, interaction with Marketing and Communications and General Counsel, etc.
• Review and oversee critical notification processes for security incidents. Ensure that processes to identify and appropriately announce security incidents as well as internal procedures outlining responses to security related problems appropriately reflect widely practiced processes found at other national research universities as well as other major academic medical centers and adhere to all regulatory requirements.
• Coordinate planning activities related to responses to security events. Planning activities are to include cross departmental and cross campus procedures, as well as coordination with outside law enforcement or partner agencies.
• Work with regulatory bodies and the Legal offices to interpret regulations, laws, grant stipulations, etc. and develop policies, processes and standards that ensure compliance with these regulations.
• Develop a formal process to review, on a quarterly basis, procedures, incidents, and responses associated with the security of information and report to senior management all relevant materials. Also facilitate a metrics and reporting framework for measuring the efficiency and effectiveness of the security program.
• Participate in the evaluation of vendors, and weigh in on activities and capabilities that relate to business continuity, disaster recovery, and enterprise architecture.
• Prepare and present training activities, materials, and awareness programs that encourage proper security practices and prepare the organization for security events.
• Validate that activities and controls related to the prevention of security incidents are in place and being followed and improved. This includes a review of physical access controls where secure information is contained, review of software programs and operating systems to ensure that updates and patches are being applied, review of security procedures to ensure compliance, review of adherence to policies and standards governing the use and management of systems, involvement in testing of disaster recovery and business continuity plans and validation of results, etc.
• Ensure that risk assessments are conducted as they relate to the appropriate protection of electronic resources. In conjunction with other departments within the Institutions, conduct regular risk assessments.
• Ensure that appropriate controls related to the access of secure information are documented and are being followed (this may include access control lists, passwords or other access controls, authentication and authorization mechanisms, etc.).
• Evaluate gaps in security and identify solutions to mitigate risk, including business process, technical controls, or policy improvements.
• Work with other groups and offices within the Institutions to assess the level of risk associated with the maintenance of paper records, management of information contained in non-electronic form, use of electronic signatures, use of identifying information (patient identifier, Social Security Number, etc.), use of identification cards including smart card technology. Assist with the development of policies and processes designed to protect information and reduce the risk of exposing this information.
• Assess the Institutions' compliance with policies and report the results of these assessments to executive management.
• Develop guidelines for disciplinary actions that would apply to persons/groups found to be in violation of policies.
• Build collaborative internal relationships with research, clinical and administrative groups as well as external relationships with regulatory bodies, other hospitals, universities, especially other academic medical centers as well as local and national security groups (e.g. SAN, CERT, etc.).
• This job description is not designed to contain or be interpreted as a comprehensive inventory of all duties, responsibilities and qualifications required of employees assigned to the job.
Minimum Qualifications
Requires a bachelor’s degree in a related area or equivalency (one year of education can be substituted for two years of related work experience) with at least 10 years of progressively more responsible management experience, no less than 4 of those years in an IS-related capacity, and demonstrated leadership, human relations and effective communications skills. Master’s degree in a related area preferred.
Applicants must demonstrate the potential ability to perform the essential functions of the job as outlined in the position description.
Preferences
Preference will be given to applicants with the following qualifications:
Four-year degree in a related technical, audit, law or security field, in combination with a minimum of 10 years of experience in a business environment (health care or higher education preferred) with a track record of progressive responsibilities and at least five years in a management capacity. A combination of work experience and specialized technical training may be substituted for college degree.
Candidate should have a minimum of four years of experience in an IS-related capacity that includes a general understanding of application programming and design, database design, networking components (switching, routing, wireless technologies, etc.), security components (firewalls, intrusion detection engines, etc.), computer operations, and operating system maintenance.
It is essential that the individual have an understanding of privacy and security regulations as they apply to FERPA, HIPAA, FISMA, and PCI-DSS.
Ideal candidates also should have:
• At least one industry accepted certification, such as CISSP, CISM, or CISA.
• A general understanding of the research environment, the need for using production data for research purposes, regulations related to government grants, and some familiarity with government agency reviews and audits related to grants.
• The ability to assess the effects and requirements of government regulations and the ability to interpret that information for business leaders.
• Excellent written and oral communications skills, including high-level presentation abilities.
• The ability to mediate contentious situations and develop consensus across the academic and health systems.
• A demonstrated history of building bridges across organizational boundaries and the ability to communicate with technical as well as non-technical persons in management across a large, complex organization. They will be a transparent leader with high integrity, capable of building strong, trusting relationships.
• The candidate must have deep knowledge and experience with security and regulatory compliance as well as external audits, and a proven record of creating and implementing a successful multi-year information security program in a complex environment.
Type Benefited Staff
Special Instructions Summary
Additional Information
The University is a participating employer with Utah Retirement Systems (“URS”). Eligible new hires with prior URS service may elect to enroll in URS if they make the election before they become eligible for retirement (usually the first day of work). Contact Human Resources at (801) 581-7447 for information. Individuals who previously retired and are receiving monthly retirement benefits from URS are subject to URS’ post-retirement rules and restrictions. Please contact Utah Retirement Systems at (801) 366-7770 or (800) 695-4877 or University Human Resource Management at (801) 581-7447 if you have questions regarding the post-retirement rules.
This position may require the successful completion of a criminal background check and/or drug screen.
The University of Utah values candidates who have experience working in settings with students and patients from all backgrounds and possess a strong commitment to improving access to higher education and quality healthcare for historically underrepresented students and patients.
All qualified individuals are strongly encouraged to apply. Veterans’ preference is extended to qualified applicants, upon request and consistent with University policy and Utah state law. Upon request, reasonable accommodations in the application process will be provided to individuals with disabilities.
The University of Utah is an Affirmative Action/Equal Opportunity employer and does not discriminate based upon race, ethnicity, color, religion, national origin, age, disability, sex, sexual orientation, gender, gender identity, gender expression, pregnancy, pregnancy-related conditions, genetic information, or protected veteran’s status. The University does not discriminate on the basis of sex in the education program or activity that it operates, as required by Title IX and 34 CFR part 106. The requirement not to discriminate in education programs or activities extends to admission and employment. Inquiries about the application of Title IX and its regulations may be referred to the Title IX Coordinator, to the Department of Education, Office for Civil Rights, or both.
To request a reasonable accommodation for a disability or if you or someone you know has experienced discrimination or sexual misconduct including sexual harassment, you may contact the Director/Title IX Coordinator in the Office of Equal Opportunity and Affirmative Action (OEO/AA). More information, including the Director/Title IX Coordinator’s office address, electronic mail address, and telephone number can be located at: https://www.utah.edu/nondiscrimination/
Online reports may be submitted at oeo.utah.edu
https://safety.utah.edu/safetyreport This report includes statistics about criminal offenses, hate crimes, arrests and referrals for disciplinary action, and Violence Against Women Act offenses. It also provides information about safety and security-related services offered by the University of Utah. A paper copy can be obtained by request at the Department of Public Safety located at 1658 East 500 South.

Posting Specific Questions

Required fields are indicated with an asterisk (*).

  • * Do you have a related Bachelor's degree or equivalency? (2 years related work experience may be substituted for 1 year of education)
    • Yes
    • No
  • * How many years of progressively more responsible management experience do you have?
    • Less than 4 years
    • 4 years or more, but less than 6 years
    • 6 years or more, but less than 10 years
    • 10 years or more, but less than 15 years
    • 15 years or more
  • * How many years of management experience in an Information Systems related capacity do you have?
    • Less than 2 years
    • 2 years or more, but less than 4 years
    • 4 years or more, but less than 6 years
    • 6 years or more, but less than 10 years
    • 10 years or more
  • * What interests you about this position?

    (Open Ended Question)

  • * What is your professional career goal?

    (Open Ended Question)

  • * Which IT Security related certifications do you currently hold?

    (Open Ended Question)


Applicant Documents

Required Documents
  • Resume
  • Cover Letter
  • List of References

Optional Documents
  • Appropriate discharge document (such as a DD-214 – Member Copy 4) – Veteran Only – Call 801.581.2169
  • Addendum to the University of Utah - Veteran Only - Call 801.581.2169 after submission

University Human Resource Management
250 East 200 South, Suite 125, Salt Lake City, UT 84111
Contact us: (801) 581-2169 By Email: [email protected]