Governance, Risk, and Compliance Manager - Oregon State University Corvallis, Oregon; October 2018 to Present
Position Title: Officer-IT Sec & Comp
Department: Univ Info & Tech Admin (OIS)
Appointment Type: Professional Faculty
Position Summary:
Reporting to the Chief Information Security Officer, the Governance, Risk, and Compliance Manager is responsible for assessing and documenting OSU’s compliance and risk posture as they relate to its information assets. This position provides highly skilled technical and information security expertise for the development and implementation of the information security risk management program. Responsibilities require leadership and project management experience, as well as expertise, to assess the security of information assets deployed at and by the university.
Decision Making/Guidelines:
The Governance, Risk, and Compliance Manager works in the Information Services (IS) Office of Information Security unit. This position reviews and assesses the risk and compliance status of OSU Information Systems and programs and participates in strategic planning efforts as part of the OIS Management team.
Position Duties:
50% Risk Assessment
Lead the development and implementation of OSU’s information security risk management function within the Office of Information Security to ensure information security risks are identified and monitored.
Assess, evaluate and make recommendations to management regarding the adequacy of the security controls for the university’s information and technology systems.
Review security of vendor systems hosting OSU data, ensuring that security controls and practices are sufficient.
30% Policy and Compliance
Lead the university-wide information security compliance program, ensuring IT activities, processes, and procedures meet defined requirements, policies and regulations.
Develop and implement effective and reasonable procedures and practices to secure sensitive and confidential data and ensure information security and compliance with relevant legislation and legal interpretation.
Execute strategy for dealing with the increasing number of compliance checks and external assessment processes for compliance such as PCI DSS, ITAR, NIST 800-171 and FISMA.
Serves as Data Protection Officer (DPO) [reporting to Chief Compliance Officer for these duties]: inform and advise the University of their obligations pursuant to the European Union’s General Data Protection Regulation (EU-GDPR) and other Union or Member State data protection provisions, monitor compliance with the EU-GDPR and other Union or Member State data protection provisions, provide advice on EU-GDPR data protection impact assessments and monitor its performance, cooperate with the EU-GDPR supervisory authority, act as the contact point for the EU-GDPR supervisory authority on issues relating to processing and any other relevant matter, and have due regard to the risk associated with processing operations.
10% Coordinate External Security Assessments
Work with consultants as necessary on required security assessments.
Coordinate and track all information technology and security related assessments including scope, colleges/units involved, timelines, auditing agencies and outcomes. Work with assessors as appropriate to keep focus in scope, maintain excellent relationships with external entities and provide a consistent perspective that continually puts the institution in its best light. Provide guidance, evaluation and advocacy on responses.
10% Outreach and Awareness
Interacts in both oral and written communications with all levels of System staff including Computer center staff, developers and other ITS staff, campus technical staff, general counsel, auditors, and all System staff and students and technology vendors and contractors, in matters related to information.
Typical Requirements:
Typically requires Bachelor’s degree in Information Systems or related field.
Experience in information security, auditing and/or compliance related issues involving State and Federal Regulations.
Minimum/Required Qualifications:
A bachelor’s degree or higher is required.
Information security related training or certifications such as CISSP or CRISC, or the ability to obtain them within 1 year.
Strong communication and writing skills, independent problem-solving abilities and self-direction.
Experience in information security risk management frameworks and compliance practices.
Experience in securing network technologies, client, and server operating systems.
Ability to develop security standards and guidelines based on best practices and industry standards.
Experience in common security standards and regulations relating to a higher education environment.
Skills in documenting risk and compliance activities.
Ability to facilitate cross-functional teams to implement security controls and initiatives.
A demonstrable commitment to promoting and enhancing diversity.
This position is designated as a critical or security-sensitive position; therefore, the incumbent must successfully complete a criminal history check and be determined to be position qualified as per OSU Standard 576-055-0000 et seq.
Preferred (Special) Qualifications:
Advanced degree, preferably in computer science or related field.
Information security experience in higher education or government.
Experience performing information security audits or risk assessments.
Familiarity with security auditing processes.
Understanding of policy development and dissemination.
Cyber Security Specialist - Northwest Community Credit Union Eugene, Oregon; November 2017 to October 2018
Position Primary Purpose: The Cyber Security Specialist position is responsible for actively protecting Northwest Community Credit Union’s technology assets and member financial data from external and internal threats.
Essential Functions:
Develop and implement an information security program for the Credit Union in coordination with the Information Technology Team.
Establish, review and edit security strategy, standards, processes, procedures, policies, guidelines, etc. as needed.
Interpret and recommend changes on security policies and procedures as warranted.
Evaluate the cyber security environment including access controls, assessments, mitigation detection, responses, training and awareness.
Review and analyze all project plans to ensure proper cyber security measures and standards are included. Recommend and develop appropriate secure solutions based on the cyber security needs and requirements.
In conjunction with the IT department, protect the Credit Union against cyber threats that could inflict significant damage through interruption of service, intellectual property theft, network viruses, data mining, financial theft and theft of sensitive member data.
Keep cybercrime at bay by using proficiency in analysis, forensics and reverse engineering to monitor and diagnose events and vulnerability issues.
Proactively mitigate, detect, report, and investigate suspicious activity.
Serve as a first responder for cyber security incidents, monitor alerts, events and incidents identified through security event management tools and confirm validity of identified incidents.
Coordinate and validate results from contracted cyber security vendors.
Assist in the continuous improvement of business continuity and disaster recovery.
Contribute proactively to company’s data and network security by keeping current on developments in cyber security, evaluating and recommending emerging security products and technologies.
Successfully complete required compliance training annually.
Perform additional duties as assigned.
Position Qualifications
Previous Experience: Minimum of three (3) years of cyber security experience, preferably supporting financial institutions.
Education: Bachelor's degree in Management Information System (MIS), Computer Science, or related field.
Certifications: Current Cyber Security certifications e.g. Certified Information Systems Security Professional (CISSP) from International Information System Security Certification Consortium (ISC)², Global Information Assurance Certification (GIAC) Gold, Certified Ethical Hacker, Information Systems Audit and Control Association (ISACA) Certifications, and vendor specific security certifications.
Job start date is contingent upon satisfactory results of background check and drug screening.
Demonstrated Abilities:
Ability to read, analyze and interpret technical data, make sound recommendations, work in a team environment and possess the ability to be a self-starter with little supervision.
Ability to exercise discretion and independent judgment in interpreting policies and procedures, making exceptions as required.
Must have excellent communication skills (oral and written).
Ability to effectively manage multiple tasks and deadlines simultaneously.
Ability to make decisions, take action, and accept responsibility for results.
Ability to act appropriately in a business-like manner in any situation.
Ability to analytically audit system logs and records.
Proven track record of acting in an ethical way.
Working Conditions:
Physical: Continuous standing and/or sitting for long periods of time when providing services or performing other duties related to the position. Occasional lifting up to 10 pounds. Occasional bending, squatting, or kneeling to reach supplies on ground level. Occasional reaching above shoulder level to reach supplies overhead. Continuous use of hands in repetitive tasks such as simple grasping, twisting/turning of wrists; finger dexterity to perform various accounting duties such as using a 10 key calculator, typing, and entering data into the computer system. Continuous speaking and hearing for interactions with members and coworkers. Frequent clarity of vision at 20 inches or less for normal use of computer systems. Occasional clarity of vision at 20 feet or more for security purposes.
Mental: Continuous alertness, precision, and concentration to ensure accuracy and thoroughness of documents and transactions. Continuous alertness of surroundings for security purposes. Frequent performing of basic numeric calculations, as well as writing, reading, comparing, and analyzing. Frequent use of judgment, reasoning, patience, and negotiating. Continuous memory demands in recalling Credit Union policies, services, and state and federal regulations.
Environmental: Length of workday is unpredictable. May have to work long hours because of computer failure, unusual activity or extended business meetings. Exposed to potentially hazardous conditions, i.e., robbery. Receives detailed instructions and procedures to be followed to minimize the risk. Occasional travel is required.
Senior Cyber Security Analyst - SAIC, supporting the Federal Retirement Thrift Investment Board Tysons Corner, Virginia; January 2016 to August 2017
[original position description unavailable]
Cyber Security Analyst - Leidos, supporting the U.S. Department of State Arlington, Virginia; June 2014 to January 2016
Description:
The Leidos National Security Sector has an immediate opening for Cyber Security Analysts.
Cyber Security Analysts are part of a growing field of professionals who perform security assessments and security analyses of information technology solutions, systems, and programs within the government, health, energy, and financial industries. Cyber Security Analysts assess, analyze, and document security requirements, policies, controls, and risks to customer missions.
PRIMARY RESPONSIBILITIES:
Lead security assessments of customer systems, services, and programs with support from more senior staff
Analyze customer processes and configurations to verify that previously identified flaws have been corrected and document the results
Develop approaches for industry-specific threat analyses and the generation of vulnerability reports
Develop detailed remediation reports and recommendations for compliance and security improvements across industries based on changing threats
Ensure a consistent approach to information security programs and adherence with best practices
Professional business attire is required for client site work
Qualifications:
MINIMUM REQUIRED QUALIFICATIONS:
Currently possess at least an active Secret clearance with the ability to be granted a Top Secret clearance
Bachelor’s degree in related field or equivalent and 4+ years of related experience. An additional 4 years of experience will be considered in lieu of degree
Experience with information security control frameworks such as SAS 70/SSAE No. 16, PCI, NERC, CIP, Nuclear Energy Institute (NEI) 08-09, HIPAA, GLBA, SOX, or other security frameworks
Clearly articulate technical requirements and other information in written documentation.
Effectively communicate technical and non-technical concepts to a variety of audiences.
Communicate well with customer's technical staff and management.
Methodically gather, document, and present specific customer requirements.
Follow existing processes and procedures and propose updates to such.
Work with minimal supervision, set priorities, and give attention to detail and quality.
Demonstrate strong organizational and time-management skills: multi-tasking, working individually and with a team, having a positive attitude, being self-motivated and reliable, being trustworthy, having strong interpersonal and diplomatic skills, and being able to handle stress in a professional manner.
Demonstrate excellent technical skills.
Be proficient with Microsoft Office.
Have knowledge and hands-on experience with IT architecture and design (e.g., firewalls, intrusion detection systems, virtual private networking, virus protection technologies, LAN/WAN design, and/or general internetworking technologies).
U.S. Citizenship required.
ADDITIONAL HIGHLY DESIRED QUALIFICATIONS:
Strongly prefer experience with federal civilian assessment and authorization process to include FISMA, NIST SP 800 Series, CNSS issuances, as well as applicable OMB memoranda and circulars.
Broad understanding of risk management practices and security program development including change management, access control, and physical security.
Broad IP network and security engineering experience including a basic understanding of IP routing, quality of service mechanisms, MPLS, and IPsec architectures.
Hands-on experience configuring, deploying, and managing mission critical network appliances such as routers, firewalls, IDS/IPS, DPI, etc.
Hands-on system administration experience with various operating systems including Windows, AIX, BSD, z/OS, RHEL, SUSE, HP-UX, QNX, etc.
Hands-on system administration experience with DB2, MS SQL, Oracle, Sybase, etc.
Experience with various programming languages.
Experience with system development lifecycles (SDLCs).
Experience with change management processes.
Have a CISSP certification or the ability to obtain one.
Physical Security Coordination Manager - SAIC, supporting JPO-MRAP Mina Abdullah, Kuwait; November 2010 to March 2012
Duties:
Interface with US Government Security Managers, Kuwaiti officials where applicable and corporate entities to investigate, coordinate, establish and maintain physical security of a US Government sponsored facility, including more than 36,000 square meters of maintenance buildings plus staging areas covering approximately 60 acres of land on an industrial site in Kuwait supporting the maintenance, upgrade and repair of a priority US military wheeled vehicle fleet.
Responsibilities:
Under the direction of US Government Security Management and in compliance with applicable Government regulations and commercial physical security best practices, this position includes responsibilities to liaise, coordinate, determine, and implement initial physical security measures. Subsequent to the establishment of the site's physical security program, management of all aspects of the site's physical security will be continually evaluated and revised as necessary in coordination with current Government Security Management Directives. Coordinate and administer overall planning, implementation, direction and organization of physical security programs for the main facility and other satellite sites in the area that may be established to support specific requirements. Ensure compliance with government and company security policies and procedures to ensure their effective and efficient operation. Conduct periodic review and emergent investigation of non-compliance issues. Research, identify, recruit, establish and manage a site-specific staff of physical security specialists in accordance with applicable security regulations and site requirements to provide coordinated 24-hour-a-day, 7-day-a-week coverage of the facilities, including video surveillance, intrusion detection, and access control biometric security card systems. Supervision of this staff includes task assignment, training, motivation and discipline.
Qualifications and experience:
Education: Bachelor of Science or Bachelor of Arts and 8 years of highly successful and directly related experience or 14 years of related experience. A technical degree is desired but not required.
Experience: Minimum of eight years active field experience is required with priority given to Military and/or Federal Government employment expertise, particularly as it relates to the performance of security management or physical protection of facilities and especially when also including a demonstrated understanding of threat capabilities, tactics, techniques and procedures.
Level of Experience: Demonstrated proficiency in physical security operations, including comprehensive threat analysis. Experience with Red cell threat replication operations is highly desirable. Experience with top-level physical security design of military, federal, state or local Government critical infrastructure or other high-value industrial or large commercial facilities such as the National Laboratory Systems, Nuclear Power, International Corporations, etc. is also desired. Demonstrate related experience in the following areas:
Determining System Requirements, to include requirements analysis and identification in support of a government customer, developing consensus among a number of different stakeholders, developing Concept of Operations (CONOPS) procedures and derived requirements.
Assessment and understanding of infrastructure vulnerabilities, to include potential threats, and protective measures that may be implemented to negate them.
System Design and Integration, to include participation in top level design decisions in accordance with governmental requirements leading to the procurement of appropriate systems that enhance the physical security of the facility and its workforce. This includes an awareness of the principal products and technologies available and awareness of market preferences and demonstrated operational effectiveness.
Operations Analysis and Support, to include post-design support of the functions and operation of physical security related systems, performance optimization and system evolution, operator and other stakeholder support, and operational performance analysis.
Experience in Perimeter Intrusion Detection Systems (PIDS), other Intrusion Detection Systems (IDS), and/or Physical Security and Monitoring and Control Systems is highly desired.
Administration and management, to include prior supervision of a workforce performing physical protection tasks for a facility is also highly desirable.
Candidate must be proficient in the Microsoft Office suite, specifically Word, PowerPoint, and Excel applications. The position will require interfacing with customers, technical support personnel on the project, as well as subcontractors and other contractors operating in and around the same facility.
Project Risk Management Specialist - SAIC, supporting U.S. Joint Forces Command Suffolk, VA; March 2010 to October 2010
[original position description unavailable]
Technical Writer/Network Accreditation Coordinator - SAIC, supporting U.S. Joint Forces Command Suffolk, VA; July 2007 to March 2010
Requirements:
The ASSET Business Unit currently has an opening for a Technical Writer at U.S. Joint Forces Command's (USJFCOM) J9/Joint Innovation & Experimentation (JI&E) Directorate, Suffolk VA.
JOB DESCRIPTION:
Scope: Plan, assemble, coordinate all Interim Authority to Operate (IATO) and Authority to Operate (ATO) documentation, Interim Authority to Connect (IATC) and Authority to Connect (ATC) documents for USJFCOM's JI&E Directorate experimentation events. Work closely with JI&E Experimental Engineering Support (EES) technical staff members including system administrators and network support staff, and JI&E Pathway Program managers to ensure the proper Information Technology and Network security setups, monitoring, coordination, and technical documentation are provided in time for pre-event Spirals and execution of J9 supported experimentation events. Assist JI&E's Information Assurance staff, Designated Approving Authority (DAA), and if required, J6's and the High Performance Computing Modernization Office's (HPCMO) DAAs and other external agencies with coordinating final draft System Security Accreditation Authorization (SSAA) IATO/ATO/IATC/ATC end products.
REQUIRED EDUCATION/SKILLS:
Bachelor's degree from an accredited college or university in Journalism, Communications, Media Preparation techniques or a related field and two (2) years' experience in writing or editing pamphlets, manuscripts, military or Government publications, including research, analysis of information, and writing and editing final manuscripts; or two (2) years' experience in journalism or an equivalent field.
DESIRED SKILLS: DoD IA Training; IATO/ATO processing experience.
Training and Development Specialist - Raytheon, supporting the NTC Operations Group Fort Irwin, CA; July 2007 to March 2010
Training Analysis Division
Position is full-time salaried (exempt) working with the Life Cycle Contractor Support for the Live Training (LT) Program, National Training Center Instrumentation System (NTC-IS). The NTC-IS is located at Fort Irwin, CA, in the Mojave Desert, approximately forty miles northeast of Barstow, CA. NTC-IS operations support the NTC mission: to provide realistic joint and combined arms training focused on developing soldiers, leaders, and units of the United States military for success on the 21st Century Battle Field.
RESPONSIBILITIES
Responsible for role-playing under simulated battlefield conditions. Work under the direction of COB Supervisor. Participate in work activities of contractor personnel in support of instructional and scenario training. Participates in training activities, scenarios, missions, and instructional classes. Assist in the planning, coordination, support, preparation, and performance of scheduled and short-notice events or missions. Support AARs and the process. Participate in military style training events to include: raids or attacks, intelligence gathering, handling of pyrotechnics and other duties as required. Role-play as required. Gather mission data for submission to OCs for AARs and products. Follow instructions and train employees. Will adhere to Company, Site Manager, Division Manager and Team leader directives, memoranda, policies and procedures. Support quality/ISO, security and training programs.
REQUIREMENTS
Desired Education: Associate's Degree in training or related field
Experience: Four (4) years' experience with an understanding of Army tactical doctrine as defined by FM 100-5 and FM 71-3. Should also be familiar with Civil Affairs doctrine. Military experience in planning and conducting training activities. Acting or role-playing experience.
Desired Physical Abilities: Must be able to perform duties and travel in extreme weather conditions (heat, cold, and wind) and at height (helicopter travel, mountain tops, elevated walk areas and towers).
Must be able to work in isolated conditions and field environment and be able to travel in tactical vehicles. Must endure the rigors of the Mojave Desert climate. Will be expected to live and work in the NTC maneuver area during rotational training exercises.
Special Requirements: Must have a valid driver's license and maintain Post driving privileges. Obtain Military licenses & Night Vision certification if required. Travel off road in company 4x4 vehicles and military tactical vehicles if required. Must be able to lift a maximum of 50 lbs and wear appropriate personal protective equipment. Willing to work any shift, including weekends and Holidays. Must be able to obtain a U.S. Government Security Clearance.