TITLE: Information Security Officer
CLASSIFICATION NUMBER: 5183
IMMEDIATE SUPERVISOR: Chief Information Officer (CIO)
MAJOR ADMINISTRATOR: President
The Information Security Officer (ISO) provides the vision and strategies necessary to ensure the confidentiality, integrity, and availability of University electronic information by communicating risk to senior administration, creating and maintaining enforceable policies and supporting processes, and ensuring compliance with regulatory requirements. To support these activities, the ISO coordinates activities with other departments, including the evaluation, procurement, and deployment of security-related products, and develops and coordinates information security awareness and education programs. Additionally, the ISO ensures University system-wide disaster recovery and incident response plans are in place.
MINIMUM ACCEPTABLE QUALIFICATIONS
Education: A Bachelor’s degree or the equivalent is required; a Bachelor’s degree in a computer-related field is preferred.
Experience: Five years of varied information technology experience is required. Applicable experience includes, but is not limited to, computer and networking infrastructure, operating systems, application software development, project management, regulatory compliance, risk management, and providing training. Two years of direct experience in information security-related duties is required. Experience in a university setting is preferred.
Skills: The ability to understand hardware and software systems is required. The ability to maintain confidentiality in regard to information processed, stored, or accessed by the systems is required. The ability to manage multiple concurrent projects and to reason analytically is required. The ability to work with and train people possessing differing levels of technical knowledge is required. Effective verbal and written communication skills and proficiency in writing technical specifications are required. The ability to develop knowledge of, respect for, and skills to engage with those of other cultures or backgrounds is required.
Other: Professional certification (CISSP, GIAC, CISA, CISM, etc.) is preferred.
ESSENTIAL DUTIES AND RESPONSIBILITIES
1. Creates information security strategies, both short-term and long-range, in support of the University’s goals.
2. Directs an ongoing, proactive risk assessment program for all new and existing systems and remains familiar with the University’s goals and business processes so effective controls can be put in place for those areas presenting the greatest information security risk.
3. Communicates risks and recommendations to mitigate risks to the senior administration by communicating in non-technical, cost/benefit terms and in a format relevant to senior administrators so decisions can be made to ensure the security of information systems and information entrusted to the University.
4. Oversees all ongoing activities related to the development, implementation, and maintenance of the University’s information security policies and procedures by ensuring these policies and procedures encompass the overall security of electronic information at rest or in motion within the Missouri State University system and assisting departments in local process and procedure development, ensuring they are not in conflict with University policies.
5. Assists other departments to ensure regulatory compliance in areas such as the Payment Card Industry – Data Security Standards (PCI-DSS) and the Health Insurance Portability and Accountability Act (HIPAA), serves as the HIPAA Security Officer for the University system, and works with HIPAA Privacy Officers to ensure full compliance in securing Protected Health Information (PHI).
6. Chairs the Information Security Executive Committee (ISEC) and coordinates the activities of ISEC so that security decisions do not interrupt business processes while maintaining the confidentiality, integrity, and availability of University information.
7. Develops information security awareness training and education programs, works with other University entities to present them to faculty, staff, and students, and participates in local, regional, and national awareness and education events, as appropriate.
8. Ensures sufficient resources are available and allocated to projects by balancing project funding requirements with the assigned budgets, coordinates and tracks project expenditures to ensure resources are used effectively and within budget, and provides periodic budget reports to the Chief Information Officer.
9. Acts proactively to prevent potential disaster situations by ensuring that proper protections are in place, such as intrusion detection and prevention systems, firewalls, and effective physical safeguards, and provides for the availability of computer resources by ensuring a business continuity/disaster recovery plan is in place to offset the effects caused by intentional and unintentional acts.
10. Evaluates security incidents and determines what response, if any, is needed and coordinates University responses, including technical incident response teams, when sensitive information is breached.
11. Contributes to a work environment that encourages knowledge of, respect for, and development of skills to engage with those of other cultures or backgrounds.
12. Remains competent and current through self-directed professional reading, developing professional contacts with colleagues, attending professional development courses, attending training, conferences, and/or courses as directed by the supervisor, and obtaining certifications relevant to job duties.
13. Contributes to the overall success of the University by performing all other duties and responsibilities as assigned.
The Information Security Officer is supervised by the Chief Information Officer (CIO), supervises the Information Security Analyst, and may supervise graduate assistants and student workers.
OFFICE OF HUMAN RESOURCES
REVISED JANUARY 2016
JOB FAMILY 3
Factor 1: Educational/Experience Requirements of the Job
Level 11 - 2167 Points: A combination of education and experience equivalent to a Level 11 as indicated by the Equivalencies Chart, when permitted by the Minimum Acceptable Qualifications.
Factor 2: Supervisory Responsibility
Level 6 - 1794 Points: Supervision of a departmental work group involving highly skilled technical or complicated work. Supervision at this level involves the direction of skilled work, specialized tasks, or work of a complicated nature. This level is typical for managers who supervise other supervisors or a large group of paraprofessional or professional permanent employees in technical and skilled areas. Supervision at this level includes a full range of supervisory responsibilities including the responsibility for staffing and performance management as well as budgeting and planning functions.
Factor 3: Skill, Complexity, and Technical Mastery
Level 8 - 2500 Points: Advanced professional mastery of the principles, concepts, and specialized complicated techniques of a profession. Knowledge of the principles, emerging technical advances, and method of a specialized area of information technology. Knowledge permits the employee to develop new information technology concepts or to inspire pioneering or unprecedented projects.
Factor 4: Budgetary Control
Level 5 - 965 Points: At this level are jobs in which the incumbent has responsibility for exercising primary control over a departmental budget, including budget development and distributing funds.
Factor 5: Work Environment and Physical Demands
Level 1 - 25 Points: The work environment has only everyday discomforts associated with an office or commercial vehicle. The work area is adequately lighted, heated or cooled, and ventilated. Work is largely sedentary involving mostly sitting with occasional walking, standing, bending, or carrying of small items. No special physical demands are required of the work.
Factor 6: Work Impact and Effect
Level 6.5 - 4860 Points: Work products or services directly impact the entire university system, the well-being of large numbers of individuals, the work of other professionals, the development and operation of programs, and affect major activities across units. Typically the work is complex, and while it may involve addressing conventional problems or situations with established methods, it is more likely to involve developing new processes or models involving the planning, development, and implementation of administrative programs. Work products or services are essential to the mission of the university and/or directly affect most departments, units, and programs and large numbers of individuals on a long-term or continuing basis. Improperly performed work results in courses of action that typically cannot be addressed in the short term, may require a substantial commitment of University resources to remedy in the medium to long term, and could adversely affect the university's reputation. Impact of improperly performed work may extend beyond the university.