Information Security Officer (Administrator III) - Information Technology Services

San Francisco State University
San Francisco, California

Position Summary

Under the general direction of the AVP and Chief Information Officer (CIO) and coordinating with the other Directors / Managers in Information Technology Services (ITS), the Director of Information Security and Information Security Officer (ISO) will coordinate and lead the Information Security Team at SF State.

  • The incumbent will act as SF State’s information security and privacy representative with respect to inquiries from customers, partners, and the public regarding SF State’s information security and privacy strategy;
  • act as liaison to law enforcement agencies while pursuing the sources of network attacks and information thefts; balance security needs with SF State’s strategic business plan, identify risk factors, and determine solutions to both;
  • develop security and privacy policies and procedures that provide adequate business application protection without interfering with core business requirements;
  • plan and test responses to security breaches, including the discussion of the event with customers, partners, or the public;
  • oversee the selection, testing, configuration, deployment, and maintenance of security products;
  • oversee a staff of employees responsible for security operations.

Position Information

Information Security Operation

  • Manage an information security operational program that contains administrative, technical and physical safeguards designed to protect SF State information assets
  • Document and provide direction for mitigation of incidents involving SF State information assets
  • Manage, develop and present security awareness training programs
  • Manage incidents involving SF State information assets
  • Facilitate and direct a campus vulnerability management program; manage and oversee the process of gathering, analyzing and assessing the current and future threat landscape, as well as providing a realistic overview of risks and threats in the enterprise environment
  • Provide regular executive level status reports on campus breaches, incidents, compliance, and other information security metrics
  • Work with campus leadership, Enterprise Risk Management, and legal counsel to provide primary lead activities in supporting CO and campus litigation processes, forensic activities, eDiscovery and security audits
  • Plan, manage, and coordinate information security and privacy risk assessments; identify, track, and report issues and concerns to management;
  • develop guidelines to ensure SF State business processes address information security and privacy risks; develop, implement and enforce information security requirements and solutions in collaboration with ITS and Chancellor’s Office Information Security Advisory Council (ISAC);
  • lead in the development / adoption and enforcement of information security policies, procedures and standards; conduct and complete a periodic review of required regulations and reports;
  • manage 3rd party information security risks

  • Serve as primary liaison with various University departments, including but not limited to Department of Public Safety, Audit and Advisory Services, Enrollment Management, Human Resources, Enterprise Risk Management, University Counsel, Dean of Students, and Fiscal Affairs;
  • advise and train on campus-wide security related issues / processes; serve as liaison with other campus ISOs, the Chancellor's Office and outside auditors and organizations related to information security and privacy issues;
  • facilitate campus stakeholder meetings to ensure campus alignment on information security and privacy matters

  • Oversee and / or assist in performing on-going security monitoring of organization information systems
  • Manage and provide technical leadership of information security projects
  • Manage day-to-day information security operations; assist with oversight of change requests and attend change management meetings
  • Perform other duties or special projects as assigned

Information Security Strategy

  • Manage and provide leadership in the administration of the information security and privacy program strategy and governance
  • Identify process improvement opportunities and develop subsequent plans of action to resolve gaps with minimal management intervention
  • Develop and document procedures to comply with applicable laws, regulations, and CSU policies governing information security and privacy protection, as well as serve as the primary point of contact and liaison for the Governance, Risk, and Compliance system
  • Suggest and lead in the development of risk management strategies to identify and mitigate threats and vulnerabilities to information assets
  • Lead the development and management of the information security plan that contains safeguards designed to protect SF State information assets
  • Refine and develop, as necessary, new campus policies, standards and procedures governing information security and privacy protection that align with and support the SF State plan and strategy

Minimum Qualifications

  • Bachelor's degree in Information Technology or similar degree (or equivalent combination of education and experience) required;
  • Seven to ten years in progressively responsible IT roles, including enterprise-level support, information security or related field
  • Project management experience with demonstrated success in leading complex IT projects in non-profit / higher education environment preferred
  • Demonstrated excellent collaborative, management, leadership, communication and presentation skills
  • Extensive knowledge of, and experience with, security incident response planning and resolution
  • Demonstrated ability to develop and communicate effective recommendations for securing information assets to executives, management, and staff
  • Demonstrated knowledge of underlying technologies (i.e. databases, operating systems, applications, networks, security and hardware)
  • A working knowledge of information security practices and concepts including: access controls and identity management, risk management, ISO 27001 / 27002 standards, security information and event management (SIEM), and security operations
  • Extensive experience with policy development, procurement contract negotiation and information security awareness and training
  • Must be a detail-oriented, logical thinker with strong problem-solving, leadership, team building, and organizational skills
  • Ability to motivate team members
  • Must be self-motivated and maintain positive and effective working relationships

Preferred Qualifications

  • Advanced degree is highly desirable
  • Certifications such as Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified Information Technology Infrastructure Library (ITIL) Foundation are desirable
  • Certifications such as Certified Privacy Program Manager (CIPM) or Project Management Professional (PMP) are beneficial
  • Experience with cyber security frameworks such as ISO 27000, NIST 800
  • Experience with the following security or privacy compliance programs: PCI-DSS, HIPAA, GDPR, GLBA, and FERPA is desirable
  • May need to work weekend and / or early morning / night hours for special projects or on-call

Pre-
