Department: Information Services
Appointment Type and Duration: Regular, Ongoing
Salary: Commensurate with experience
Compensation Band: OS-OA09-Fiscal Year 2019-2020
Application Review Begins: October 1, 2019; position open until filled
Special Instructions to Applicants
When applying you will be required to attach the following electronic documents:
1. A resume/CV; and
2. A cover letter indicating how you meet the minimum qualifications for the position.
You will also be required to submit the names of at least three professional references, their e-mail addresses, and telephone numbers as part of the application process.
Any application missing the above documents/information may be considered incomplete.
In order to ensure consideration, please submit your application materials prior to or on the listed review date.
If you would like to view the complete position description, including the duties, please send an email to firstname.lastname@example.org and reference the job title and job number in the subject line.
Information Services (IS) is the central information technology unit at the University of Oregon and provides wide-ranging services to campus. IS consists of four major functional areas: Customer Experience, which serves as the key contact point for interactions with campus clients and customers; Applications & Middleware, which manages and supports applications, integration services, identity management and data management; Information Security, which helps protect virtual or physical information; and Technology Infrastructure, which provides administration and support for the software, hardware, and services needed to support the campus IT environment. IS also includes the Advanced Network Technology Center. IS works closely with the Network for Education and Research in Oregon.
Established in 1876, the University of Oregon offers a breadth and depth of curricula with more than 270 academic programs and provides the opportunity to work at a respected research university with a strong holistic, liberal arts foundation. The UO also has a history of political and social involvement that embraces diverse beliefs, cultures, and values, and it is committed to environmental responsibility.
The University is also proud of the newly-announced Phil and Penny Knight Campus for Accelerating Scientific Impact, an initiative specifically designed to fast-track scientific discoveries and the process of turning those discoveries into innovations that improve the quality of life for people in Oregon, the nation and beyond. IS collaborates with Research and Innovation and our schools and colleges to support the research, teaching, and learning mission of the university.
Eugene is the home of the University of Oregon’s main campus. Located in the lush Willamette Valley, Eugene is well-known for outdoor pursuits like running, cycling, rafting, and fishing, as well as arts, music, crafts, brewing, wine-making, and community-supported agriculture. With branches in Portland and on the Oregon coast, the UO is deeply connected to Oregon's natural and cultural treasures.
Reporting to the Director of Security Services & Information Assurance, the Senior IT Security Compliance Analyst will be part of the Information Security Office (ISO) team. This position will develop, implement, and evaluate short-term and long-term goals and objectives to strategically align campus needs with IT compliance to university policies, relevant laws, regulations, and requirements. This work aims to ensure the protection of enterprise systems and data, operational technologies (OT), and other internet of things (IoT) deployed at the University.
This position provides high-level IT compliance support to the University of Oregon. Responsibilities include evaluating, assessing, researching, and providing guidance and direction on appropriate security controls, products, and technologies related to the design and deployment of secure systems. The incumbent will coordinate proactive and distributed IT compliance management efforts to ensure the continuous availability, confidentiality, and integrity of information assets owned and used by the university community, consistent with the university’s risk tolerance. The incumbent will be responsible for managing and coordinating activities to support a robust and comprehensive compliance program that addresses university policies, laws, and regulations including the University Acceptable Use Policy (AUP), Information Asset Classification and Management Policy, HIPAA, NIST 800-171, GLBA, GDPR, FERPA, OCIPA, and PCI DSS.
The Senior IT Security Compliance Analyst will provide technical leadership on the most complex issues pertaining to information security compliance. This includes continuous development of the incident management and response program, in cooperation with university partners; identifying, coordinating investigation, documenting, mitigating, and remedying incidents. The incumbent will evaluate, assess, and perform risk assessments on existing systems and controls, assess active vulnerabilities and threats, and provide actionable or informational security advisories to the university community.
The Senior IT Security Compliance Analyst will work with other members of ISO to investigate, perform forensics, compile relevant technical/background information, and perform post-mortem analysis of security incidents at an enterprise level. The Senior IT Security Compliance Analyst will assist with education and outreach by providing advice to departments on current best practices related to security, developing security documentation, and participating in workshops on security-related topics. Additionally, the Senior IT Security Compliance Analyst will maintain working knowledge and remain current on the evolving risks and mitigations for the OT and IoT systems deployed at the University.
This position will perform ongoing security awareness and training for the University community and continuously measure and make improvements to ensure effectiveness of the training program. The incumbent will participate in development, implementation, and continuous improvement of the University cybersecurity metrics program to align University needs with security decision-making and ensure university-wide accountability. The Senior IT Security Compliance Analyst is required to apply critical thinking and risk analysis methodologies when considering the relative risks and rewards of potential actions. The incumbent will choose the most appropriate course of action when evaluating the impact of vulnerabilities, threats and possible solutions, and consider both micro and macro impacts of their decisions. The Senior IT Security Compliance Analyst will stay abreast of evolving University needs, technology capabilities, and threat intelligence from a variety of sources to optimize systems and data protection measures. This position will work with University stakeholders to ensure security needs and controls are aligned to support organizational goals and objectives. This position will also provide off-hours, on-call support on a rotation basis in coordination with other groups within Information Services and other stakeholders, as needed.
Though this position only directly supervises student employees, the Senior IT Security Compliance Analyst possesses authority to formulate and carry out management decisions, represent management’s interests, and take discretionary actions as appropriate. This position carries out and makes decisions at a high-level, which can affect varying levels of the University.
This position may provide essential services during times of emergencies and inclement weather. This position may be required to fulfill essential services and functions during these times.
Candidates who promote and enhance diversity are strongly desired.
• Bachelor’s degree or demonstrated equivalent skills and experience.
• Four years of experience working in an IT position with significant information security or compliance responsibilities; this may include responsibilities as a security or compliance professional, an IT auditor, or as an IT administrator (e.g., network, systems, application, or cloud administrator) with significant experience implementing, assessing, or supporting security controls. An advanced degree (Masters) may be substituted for one year of experience.
• Demonstrated expertise in 3 or more of the following IT Security domains: Security Compliance, Data Security, Digital Forensics, Incident Response and Analysis, IT Systems and Operations, Network Security, Systems and Applications Security, Vulnerability Management or Penetration Testing, or Cloud Security. Preference will be given to applicants with experience that includes Security Compliance (e.g., NIST SP-800-171, NIST SP-800-53, GLBA, HIPAA, PCI DSS, ISO 27001, NIST Cybersecurity or ISO 27002 frameworks).
• Ability to work effectively with faculty, staff, and students from a variety of diverse backgrounds.
• Demonstrated problem-solving skills.
• Ability to adapt within a rapidly changing technical environment.
• Excellent verbal and written communication skills, including the ability to explain technical concepts to audiences with a wide range of technical skills.
• Ability to work independently as well as in a team-oriented, collaborative environment.
• Bachelor’s degree in Computer Science, Information Technology/Systems, Information Security, Information Systems Auditing, or relevant field.
• Demonstrated familiarity with well-known security frameworks and standards such as the NIST Cybersecurity Framework, ISO 27002 Security Framework, COBIT, NIST 800-171, PCI DSS, HIPAA Security Rule, GLBA, GDPR, etc.
• Demonstrated familiarity with Governance Risk and Compliance (GRC) tools for supporting risk management, managing compliance and responding to audits.
• Demonstrated understanding of developing and guiding the development of key security documentation including standards, guidelines, data flow diagrams, applications and network security architecture diagrams.
• At least two years of experience in an academic campus IT environment.
• Working knowledge of any of several programming languages (e.g. Python, Perl, Ruby, Java, C, shell-scripting).
• Working knowledge of Vulnerability Assessment and Penetration Testing tools (e.g. Nessus, NMAP, Qualys, Nexpose, Metasploit).
• Demonstrated familiarity with information security tools and processes such as event triage, enterprise information security forensic tools, vulnerability scanning tools, penetration testing platforms.
• Certification in or progress toward at least one designation in an information security, risk, compliance or related discipline (e.g. CISSP, CISA, CISM, CSA+, CASP, GESC, GCIA).
FLSA Exempt: Yes
All offers of employment are contingent upon successful completion of a background inquiry.
The University of Oregon is proud to offer a robust benefits package to eligible employees, including health insurance, retirement plans and paid time off. For more information about benefits, visit http://hr.uoregon.edu/careers/about-benefits.
The University of Oregon is an equal opportunity, affirmative action institution committed to cultural diversity and compliance with the ADA. The University encourages all qualified individuals to apply, and does not discriminate on the basis of any protected status, including veteran and disability status. The University is committed to providing reasonable accommodations to applicants and employees with disabilities. To request an accommodation in connection with the application process, please contact us at email@example.com or 541-346-5112.
UO prohibits discrimination on the basis of race, color, sex, national or ethnic origin, age, religion, marital status, disability, veteran status, sexual orientation, gender identity, and gender expression in all programs, activities and employment practices as required by Title IX, other applicable laws, and policies. Retaliation is prohibited by UO policy. Questions may be referred to the Title IX Coordinator, Office of Civil Rights Compliance, or to the Office for Civil Rights. Contact information, related policies, and complaint procedures are listed on the statement of non-discrimination.
In compliance with federal law, the University of Oregon prepares an annual report on campus security and fire safety programs and services. The Annual Campus Security and Fire Safety Report is available online at http://police.uoregon.edu/annual-report.