TITLE Information Security Officer
CLASSIFICATION NUMBER 5183
IMMEDIATE SUPERVISOR Chief Information Officer (CIO)
MAJOR ADMINISTRATOR Vice President, Administrative and Information Services
The Information Security Officer (ISO) provides the vision and strategies necessary to ensure the confidentiality, integrity, and availability of University electronic information by communicating risk to senior administration, creating and maintaining enforceable policies and supporting processes, and ensuring compliance with regulatory requirements. To support these activities, the ISO coordinates activities with other departments, including the evaluation, procurement, and deployment of security-related products and develops and coordinates information security awareness and education programs. Additionally, the ISO ensures a University system-wide disaster recovery and incident response plans are in place.
MINIMUM ACCEPTABLE QUALIFICATIONS
Education: A Bachelor’s degree or the equivalent is required; a Bachelor’s degree in a computer-related field is preferred.
Experience: Five years of varied information technology experience is required. Applicable experience includes, but is not limited to, computer and networking infrastructure, operating systems, application software development, project management, regulatory compliance, risk management, and providing training. One year of direct experience in information security-related duties is required. Experience in a university setting is preferred.
Skills: The ability to understand hardware and software systems is required. The ability to maintain confidentiality in regard to information processed, stored, or accessed by the systems is required. The ability to manage multiple concurrent projects and to reason analytically is required. The ability to work with and train people possessing differing levels of technical knowledge is required. Effective verbal and written communication skills and proficiency in writing technical specifications are required. The ability to develop knowledge of, respect for, and skills to engage with those of other cultures or backgrounds is required.
Other: Professional certification (CISSP, GIAC, CISA, CISM, etc.) is preferred.
ESSENTIAL DUTIES AND RESONSIBLITIES
1. Creates information security strategies, both short-term and long-range, in support of the University’s goals.
2. Directs an ongoing, proactive risk assessment program for all new and existing systems and remains familiar with the University’s goals and business processes so effective controls can be put in place for those areas presenting the greatest risk.
3. Communicates risks and solutions to mitigate risks to the senior administration by communicating in non-technical, cost/benefit terms and in a format relevant to senior administrators so decisions can be made to ensure the safety and security of information.
4. Oversees all ongoing activities related to the development, implementation, and maintenance of the University’s information security policies and procedures by ensuring these policies and procedures encompass the overall security of electronic information at rest or in motion within the Missouri State University system and assisting departments in local policy development, ensuring they are not in conflict with University policies.
5. Assists other departments to ensure regulatory compliance in areas such as the Payment Card Industry – Data Security Standards (PCI-DSS) and the Health Insurance Portability and Accountability Act (HIPAA), serves as the HIPAA Security Officer for the University system, and works with HIPAA Privacy Officers to ensure full compliance in securing Protected Health Information (PHI).
6. Chairs the Information Security Executive Committee (ISEC) and coordinates the activities of ISEC so that security decisions do not interrupt business processes while maintaining the confidentiality, integrity, and availability of University information.
7. Develops information security awareness training and education programs, works with other University entities to present them to faculty, staff, and students, and participates in local, regional, and national awareness and education events, as appropriate.
8. Ensures sufficient resources are available and allocated to projects by balancing project funding requirements with the assigned budgets, coordinates and tracks project expenditures to ensure resources are used effectively and within budget, and provides periodic budget reports to the senior administration.
9. Acts proactively to prevent potential disaster situations by ensuring that proper protections are in place such as intrusion detection and prevention systems, firewalls, and effective physical safeguards and provides for the availability of computer resources by ensuring a business continuity/disaster recovery plan is in place to offset the effects caused by intentional and unintentional acts.
10. Evaluates security incidents and determines what response, if any, is needed and coordinates University responses, including public information efforts and technical incident response teams, when sensitive information is breached.
11. Contributes to a work environment that encourages knowledge of, respect for, and development of skills to engage with those of other cultures or backgrounds.
12. Remains competent and current through self-directed professional reading, developing professional contacts with colleagues, attending professional development courses, attending training, conferences, and/or courses as directed by the supervisor, and obtaining certifications relevant to job duties.
13. Contributes to the overall success of the University by performing all other duties and responsibilities as assigned.
The Information Security Officer is supervised by the Chief Information Officer (CIO) and supervises the Electronic Information Regulatory Compliance Specialist and may supervise graduate assistants and student workers.
OFFICE OF HUMAN RESOURCES
REVISED OCTOBER 2012
JOB FAMILY 3
Factor 1: Educational/Experience Requirements of the Job
Level 10 - 1970 Points: A combination of education and experience equivalent to a Level 10 as indicated by the Equivalencies Chart, when permitted by the Minimum Acceptable Qualifications.
Factor 2: Supervisory Responsibility
Level 4 - 1196 Points: Supervision of a work group including hiring, training, planning, and directing the work of employees. At this level the job often requires close supervision of a rather small number of permanent employees, and/or small numbers of part-time workers, graduate assistants, and/or student workers performing relatively complicated technical or skilled work, and/or other groups of employees at a similar level. At this level it is frequently necessary to train and instruct others, and plan and direct work. Supervisory responsibilities may consume moderate amounts of work time and may include general work planning tasks.
Factor 3: Skill, Complexity, and Technical Mastery
Level 7.5 - 2350 Points: Skill, complexity, and technical mastery is somewhat above the requirements for a level 2200, but somewhat below the skill, complexity, and technical mastery requirements at level 2500.
Factor 4: Budgetary Control
Level 3 - 579 Points: Jobs at this level are responsible for identifying areas of need and for developing proposals that request funding to fulfill those needs.
Factor 5: Work Environment and Physical Demands
Level 1 - 25 Points: The work environment has only everyday discomforts associated with an office or commercial vehicle. The work area is adequately lighted, heated or cooled, and ventilated. Work is largely sedentary involving mostly sitting with occasional walking, standing, bending, or carrying of small items. No special physical demands are required of the work.
Factor 6: Work Impact and Effect
Level 6 - 4500 Points: Work products or services directly impact the work of other professionals, the development and operation of programs, affect major activities across units, and/or impact the well-being of large numbers of individuals. Typically the work is complex, and while it may involve addressing conventional problems or situations with established methods, it is more likely to involve developing new processes or models involving the planning, development, and implementation of administrative programs. Work products or services are essential to the mission of the university and/or directly affect most departments, units, and programs and large numbers of individuals on a long-term or continuing basis. Improperly performed work results in courses of action that typically cannot be addressed in the short term and may require a substantial commitment of University resources to remedy in a medium to long term.