Director, Information Security Office

DIRECTOR, INFORMATION SECURITY OFFICERowan University's Information Resources & Technology (IRT) - Information Security Office (ISO) seeks an information security expert with experience designing and implementing a robust, enterprise wide security strategy and practice that will help Rowan University build strong and secure connections both across the University and with external partners in order to operate more effectively and securely. IRT is responsible for the University’s information technology and applications, information security, data integrity, systems-related compliance, and reporting. Along with the University, IRT has grown extensively in recent years, and we are continuing to mature our Information Security program for the University across both on-premise and cloud-based services.Reporting to the Chief Information Officer (CIO), the Director of Information Security is responsible for maintaining and improving a university-wide information security and risk management program to ensure that information assets are adequately protected. The director should be a pragmatic leader with vision, a consensus builder, and an integrator of people and processes within an open, university environment with diverse security needs. This position is a stepping stone to the CISO position. The director will oversee and guide a standards-based information security risk assessment program to ensure that it meets compliance and regulatory requirements, and aligns with and supports the risk posture of the University. The director must have solid skills in business management and an in-depth working knowledge of information security best practices. The director will actively work with IRT and the University Community to implement practices that meet defined policies and standards for information security, and will also lead a variety of IT-related risk management activities to support identification and implementation of appropriate risk mitigation controls. The director must be able to effectively communicate complex information security topics in plain language to a broad audience, including the Board of Trustees and senior University leadership, as well as work with the CIO's office to develop and coordinate University-wide information security communication campaignsThe director will interact with all university process owners to ensure compliance with the organization's information security policies related to the availability, integrity and confidentiality of student, employee, patient, research, and business information. A key element of this role will be working with the CIO and senior university leadership to determine acceptable levels of risk for the organization. The director should be highly knowledgeable about business and educational environments and be able to ensure that information systems are maintained in a fully functional, secure mode.JOB DUTIES:

• Support the continuing evolution of the existing comprehensive campus-wide information security and IT risk management programs to ensure the integrity, confidentiality and availability of information owned, controlled or processed by the University.
• Lead and empower a dynamic team that oversees information security monitoring, vendor risk management, risk assessments and standards, and incident management.
• Facilitate information security governance through implementation of a hierarchical governance program, including chairing the university’s Information Technology Security Board and participating and providing security input in steering committees.
• Develop, publish and maintain up-to-date security policies, standards and guidelines; and oversee training and dissemination of security policies and practices.
• Create and manage information security and risk management awareness training programs for all employees, contractors and approved system users.
• Build a framework for roles and responsibilities with regard to information ownership, classification, accountability, and protection.
• Develop and enhance an information security management framework based on one of the currently accepted standards such as ISO 27001 ISM.
• Ensure that security programs are in compliance with relevant laws, regulations and policies to minimize or eliminate risk and audit findings.
• Collaborate closely with teams and individuals in other units performing operational security activities.
• Work with the CIO to respond to risk and audit findings, including reporting and oversight of corrective action plans to address these findings.
• Manage security incidents and events to protect IT assets, including intellectual property, regulated data, and the University's reputation.
• Perform related duties and fulfill responsibilities as assigned.

• Bachelor's degree required.
• Minimum of five (5) years of experience in a combination of information security, risk management, and security related IT positions.
• Minimum of three (3) years of leadership and supervisory experience.
• Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and non-technical audiences.
• A critical thinker with strong problem­ solving skills.
• Knowledge and understanding of relevant legal and regulatory requirements including, but not limited to FERPA, GLBA, and HIPAA.
• Excellent analytical skills, ability to meet objectives and lead multiple projects under strict timelines and work well in a demanding, dynamic environment.
• Professional security management certification, such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials are required.
• Knowledge of common information security management frameworks, such as ISO 27001, COBIT and NIST.

• Master's degree in a security field
• Prior leadership role and experience in a higher education setting.
• Experience conducting post-incident lessons learned activities.
• Experience with Information Technology Infrastructure Library (ITIL) and Information Technology Service Management (ITSM) support models and associated best practices.
• Experience designing, documenting, deploying and testing Business Continuity and Disaster Recovery