TITLE Electronic Information Regulatory Compliance Specialist
CLASSIFICATION NUMBER 5181
IMMEDIATE SUPERVISOR Information Security Officer (ISO)
MAJOR ADMINISTRATOR Chief Information Officer (CIO)
The Electronic Information Regulatory Compliance Specialist reviews and evaluates information security compliance issues/concerns within the Missouri State University system, ensures that the University is in compliance with the information security rules and regulations of regulatory agencies, and that University practices meet the standards set by the University in relation to state and federal compliance issues. Under the direction of the Information Security Officer, the Regulatory Compliance Specialist ensures that all information security-related governmental regulations are properly implemented, provides technical assistance to University units in that implementation, and participates in security awareness activities by speaking to groups and producing awareness materials.
MINIMUM ACCEPTABLE QUALIFICATIONS
Education: A Bachelor’s degree or an equivalent combination of education and experience is required; a Bachelor’s degree in a computer-related field is preferred.
Experience: Five years' experience in health care or higher education is required in a position requiring demonstrated leadership and familiarity with regulatory compliance practices in operational, financial, quality assurance, and/or human resource areas. Three years of varied information technology experience, which must include general experience in personal computers and operating systems, server operating systems, network protocols and architecture, and project management, is required. Experience in a university setting is preferred.
Skills: Must be able to maintain confidentiality in regard to information security activities. The ability to manage multiple concurrent projects and to reason analytically is required. Must understand basic information security principles and be able to use information security standards to advise the campus community on techniques for securing data. The ability to work with and train people possessing differing levels of technical knowledge is required. Effective verbal and written communication skills and proficiency in writing technical specifications are required. The ability to develop knowledge of, respect for, and skills to engage with those of other cultures or backgrounds is required.
Other: Professional information security certification (CISSP, GIAC, CISA, CISM, etc.) is preferred.
ESSENTIAL DUTIES AND RESPONSIBILITIES
1. Assists the Information Security Officer (ISO) in creating both short-term and long-term information security and regulatory compliance strategies.
2. Assures regulatory compliance related to electronic information in areas such as Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), and Gramm-Leach-Bliley (GLB), serves as the HIPAA Unit Security Officer for the Computer Services department, and works with the HIPAA Unit Security Officers to ensure full compliance in securing electronic Protected Health Information (ePHI).
3. Identifies potential areas of information security compliance vulnerability and risk, develops/implements corrective action plans for resolution of problematic issues, and provides general guidance on how to avoid or deal with similar situations in the future.
4. Develops and periodically reviews and updates information security policies, procedures, and associated documentation to ensure continuing currency and relevance in providing guidance to management and employees regarding regulatory compliance.
5. Collaborates with other departments (e.g. Internal Audit, Legal Counsel, Human Resources, etc.) to direct information security compliance issues to appropriate existing channels for investigation and resolution.
6. Conducts risk assessments for all new and existing electronic information systems and remains familiar with the University’s goals and business processes so effective controls can be put in place for those areas presenting the greatest risk.
7. Provides reports on a regular basis, and as directed or requested, to keep the Chief Information Officer and senior management informed of the operation and progress of compliance efforts.
8. Acts as an independent reviewer and evaluator to ensure that compliance issues/concerns within the organization are being appropriately evaluated, investigated and resolved.
9. Communicates the results of risk assessments to stakeholders in non-technical terms so effective decisions can be made to ensure the safety and security of data subject to government regulation.
10. Ensures that the University’s information security policies and procedures are followed to secure electronic information at rest or in motion within the Missouri State University system.
11. Ensures proper reporting of information security violations or potential violations to duly authorized enforcement agencies as appropriate and/or required.
12. Works with the Information Security Officer and others as appropriate to develop an effective information security compliance training program, including appropriate introductory training for new employees as well as ongoing training for all employees and managers.
13. Contributes to a work environment that encourages knowledge of, respect for, and development of skills to engage with those of other cultures or backgrounds.
14. Remains competent and current through self-directed professional reading, developing professional contacts with colleagues, attending professional development courses, attending training, conferences, and/or courses as directed by the supervisor, and obtaining certifications relevant to job duties.
15. Contributes to the overall success of the University by performing all other duties and responsibilities as assigned.
The Electronic Information Regulatory Compliance Specialist is supervised by the Information Security Officer (ISO) and may supervise graduate assistants and student workers.
OFFICE OF HUMAN RESOURCES
REVISED MARCH 2013
JOB FAMILY 3
Factor 1: Educational/Experience Requirements of the Job
Level 10 - 1970 Points: A combination of education and experience equivalent to a Level 10 as indicated by the Equivalencies Chart, when permitted by the Minimum Acceptable Qualifications.
Factor 2: Supervisory Responsibility
Level 1 - 299 Points: Little or no supervisory responsibility for the work of others.
Factor 3: Skill, Complexity, and Technical Mastery
Level 7 - 2200 Points: Professional knowledge of the principles, concepts, and specialized complicated techniques of a profession. Knowledge of a wide range of information technology methods and procedures and specialized knowledge in one or more specific functions. Knowledge permits the incumbent to provide authoritative advice on difficult assignments such as planning advanced systems. Skill in applying knowledge through analyzing, designing, organizing, and developing major programs, systems, and networks.
Factor 4: Budgetary Control
Level 1 - 193 Points: Jobs at this level involve no budgetary control except for the normal responsibilities associated with monitoring and reporting everyday expenses.
Factor 5: Work Environment and Physical Demands
Level 1 - 25 Points: The work environment has only everyday discomforts associated with an office or commercial vehicle. The work area is adequately lighted, heated or cooled, and ventilated. Work is largely sedentary involving mostly sitting with occasional walking, standing, bending, or carrying of small items. No special physical demands are required of the work.
Factor 6: Work Impact and Effect
Level 5 - 3780 Points: Work products or services directly impact the entire university system and the well-being of large numbers of individuals. Typically the work is complex and may involve addressing conventional problems or situations with established methods or resolving critical problems or developing new processes or models to address specific problems. Improperly performed work and/or equipment or software failures produce errors and delays that affect the operations and/or reputations of the entire University. Improperly performed work and/or equipment or software failures may be remedied in the short to medium term, but at very substantial cost of time and resources. The scope of improperly performed work and/or equipment or software failure is system-wide and the nature of the activity requires that emergency repairs be performed.