30 Sep
InfoSec Risk Performance Manager
California, Los Angeles, 90001 Los Angeles USA

Vacancy expired!

The University of Southern California (USC) Department of Information Technology Services (ITS) is seeking an Information Security Risk Performance Manager with an exceptional commitment to service excellence to join its team. This is a hybrid role days onsite at the CAL Building. The University of Southern California values diversity and is committed to equal opportunity in employment.

As the Information Security Risk Performance Manager, you will be an integral member of the Security Strategy and Governance unit of the Office of the CISO. The Information Security Risk Performance Manager is responsible for assessing and managing whether the university is operating within an approved security risk posture. This manager will provide key metrics tracking risk levels and manage compliance expectations. The InfoSec Risk Performance Manager also oversees third-party security audits and local/enterprise tracking of security controls.

THE WORK YOU WILL DO
The InfoSec Risk Performance Manager:
  • Serves as a subject matter expert on organizational strategy for the university’s overall information security risk posture and appetite. Develops, operates, and manages comprehensive strategies and programs prioritizing and mitigating business risk. Creates and maintains agreed-upon risk appetite and key risk indicators in line with frameworks.
  • Manages processes to ensure risk implications are understood, accepted appropriately, and tracked and reported throughout their lifecycle. Defines and manages KPIs to assure effectiveness and compliance across information security processes and process owners. Partners with others to ensure reporting is provided to manage risk through established governance.
  • Ensures performance of information security controls through assessment, remediation and escalation. Manages overall validation of adherence to policies and standards through control evaluation. Ensures alignment to regulatory, statutory, and industry requirements, as well as university policies and data classification. Independently recommends programmatic directions for cyber security risk investigations and analyses.
  • Engages and partners with local/enterprise entities preparing for and participating in internal/external compliance audits (e.g., FERPA, HIPAA). Defines and partners with relevant stakeholders for annual risk assessment plans. Obtains needed signoffs, and reports key performance indicators (KPIs), associated budget and resource impacts.
  • Maintains currency with changes in laws, regulations, and technologies which may affect operations. Ensures senior management and staff are informed of any changes and updates in a timely manner. Maintains continuity of any required or desirable certifications, if applicable.
  • Promotes an environment that fosters inclusive relationships and creates unbiased opportunities for contributions through ideas, words, and actions that uphold principles of the Code of Ethics. Establishes and maintains appropriate network of professional contacts. Participates in professional organizations (e.g., attends meetings, seminars, and conferences). Reads pertinent publications.
  • Performs other related duties as assigned or requested. The university reserves the right to add or change duties at any time.
MINIMUM QUALIFICATIONS
  • Bachelor's degree or combined experience/education as substitute for minimum education.
  • 5 years’ experience in information security or risk management.
  • Demonstrated understanding of information security across all security domains and the relationship between threats, vulnerabilities, and information value in the context of risk management.
  • Experience with legal and regulatory requirements and industry security frameworks. Demonstrated understanding of processes, internal control risk management, information security controls, and how they interact together. Experience performing information security risk assessments and risk analysis.
  • Demonstrated strong understanding of regulatory requirements (e.g., GLBA, PCI, FERPA, HIPAA).
  • Ability to communicate and present security risk concisely and effectively in relation to enterprise risk based on the appropriate level of management and stakeholder groups.
  • Demonstrated leadership and problem-solving skills.
  • Ability to work closely with business leaders in a high-pressure, fast-paced, highly collaborative environment with multiple deadlines and competing priorities.
  • Ability to understand data analytics and dashboarding.
PREFERRED QUALIFICATIONS
  • Bachelor’s degree in information security, information science, computer science, or related field.
  • 7 or more years’ experience in information security or risk management.
  • Extensive experience in information security, risk governance, and risk management within large enterprises or complex entities.
  • Demonstrated data analytics and risk processing skills.
