Asst Dir, IT Security Risk & Compl
University of Rochester
As a community, the University of Rochester is defined by a deep commitment to Meliora - Ever Better. Embedded in that ideal are the values we share: equity, leadership, integrity, openness, respect, and accountability. Together, we will set the highest standards for how we treat each other to ensure our community is welcoming to all and is a place where all can thrive.
**Job Location (Full Address):**
300 Science Pkwy, Rochester, New York, United States of America, 14620
**Opening:**
**Worker Subtype:** Regular
**Time Type:** Full time
**Scheduled Weekly Hours:** 40
**Department:** 100086 University IT / IS
**Work Shift:** UR - Day (United States of America)
**Range:** UR URG 117
**Compensation Range:** $122,044.00 - $183,065.00
_The referenced pay range represents the minimum and maximum compensation for this job. Individual annual salaries/hourly rates will be set within the job's compensation range, and will be determined by considering factors including, but not limited to, market data, education, experience, qualifications, expertise of the individual, and internal equity considerations._
**Responsibilities:**
GENERAL PURPOSE
Provides leadership and direction for the company's Information Security GRC requirements, as well as the Information Security Program. Responsible for establishing and maintaining the company's overall Information Security program. Implements and maintains information security policies, risk assessment and management, as well as a comprehensive controls framework with enterprise-wide third-party risk management. Develops system concepts and works on the capabilities phases of the systems development life cycle, translating technology and environmental conditions (e.g., law and regulation) into system and security designs and processes. Serves as a principal advisor to information system owners, IT leadership and the CISO on all matters, technical and otherwise, involving the security of the information systems they preside over. Works in tandem with the business owners and leadership across the clinical and administrative missions of the organization to address risk, advising them to ensure information security is considered as part of decision processes. Responsible for building relationships with key personnel who have the authority or ability to ensure compliance with security laws, regulations, guidance and requirements.
**ESSENTIAL FUNCTIONS**
+ Determines and maintains an inventory of all regulatory, commercial and organizational technology compliance requirements. Creates an IT Security risk assessment framework and periodically assesses the regulatory, commercial and organizational, inherent and residual IT Security risks. Establishes and maintains a strategy for managing security-related audits, compliance checks and external assessment processes for auditors.
+ Directs and conducts ongoing organization-wide risk analysis to uphold the Security program. Identifies any gaps between the desired level and the current level of maturity. Addresses known issues, according to severity and potential impact to the organization.
+ Works with the CISO to develop a security program and security projects that address identified risks and business security requirements. Works closely with security leadership to instill cybersecurity policies and practices throughout department units to address security operations, incident response, application security and infrastructure. Assists resource owners and IT staff in understanding and responding to security audit failures reported by auditors. Provides security communication, awareness and training for audiences, which may range from senior leaders to field staff. Implements required IT Security policies and controls to meet the desired level of maturity reflected in a given standard or framework. Develops and maintains relationships with appropriate leaders, both internal and external to the University.
+ Leads a team dedicated to an ongoing security maturation program. Directs the team to document, communicate, and enforce areas of security improvement that balance risk with business operations, and ensures controls do not weaken efficiency or business innovation. Creates strong oversight of third parties, vendors, and business partners. Stays current with regulations and rules as they apply to University missions and to users' use of technology. Directly supervises a team of security professionals. Recruits new staff and makes hiring decisions. Trains and coaches new team members, provides ongoing daily supervision, manages employee relations, such as disciplinary action and performance management discussions, and conducts performance reviews.
+ Serves as a subject-matter expert on information security matters. Reviews communications that IT Security team members and departmental IT liaisons share with others regarding cybersecurity and privacy. Ensures effective communication with peers and the University community. Manages efforts to communicate across stakeholders/departments to ensure alignment of goals.
+ Maintains relationships with the research community, and acts as a first point of contact for matters related to information security. Keeps abreast of emerging regulations and requirements in research, and advises leadership of any significant impact to information security compliance.
+ Other duties as assigned
**MINIMUM EDUCATION & EXPERIENCE**
+ Bachelor's degree and 10 years of Information Technology experience, inclusive of Information Security experience, required
+ Master's degree preferred
+ Or equivalent combination of education and experience
+ 5 years of supervisory experience required
+ Experience in using ITSM Tool or ticketing system preferred
+ Experience in Risk Management Methodology and Frameworks preferred
+ Experience in application configuration preferred
**KNOWLEDGE, SKILLS AND ABILITIES**
+ Expert in IT and Information Security required
+ Expert knowledge of Microsoft Office Suite required
+ Ability to establish credibility and working relationships with a wide range of enterprise personnel, including operations, management, executive and legal staff, as well as external personnel, including auditors and regulators preferred
+ Demonstrated ability to conduct independent research and reporting preferred
+ Knowledge of computer networking concepts and protocols, and network security methodologies and relationship to laws, regulations, policies, and ethics surrounding cybersecurity and privacy preferred
+ Ability to set and manage priorities judiciously preferred
+ Ability to present ideas in business-friendly and user-friendly language preferred
+ Exceptionally self-motivated, directed and detail-oriented preferred
+ Superior analytical, evaluative, and problem-solving skills preferred
+ Ability to motivate in a team-oriented, collaborative environment preferred
+ Strong verbal and written communications skills preferred
**LICENSES AND CERTIFICATIONS**
+ CISSP - Certified Information Systems Security Professional upon hire preferred
+ Certified Systems Security Professional upon hire preferred
+ CISM - Certified Information Security Manager upon hire preferred
+ CISA - Certified Information Systems Auditor upon hire preferred
+ GSEC upon hire preferred
**EOE Minorities / Females / Protected Veterans / Disabled:**
The University of Rochester is committed to fostering, cultivating, and preserving a culture of equity, diversity, and inclusion to advance the University’s mission to Learn, Discover, Heal, Create – and Make the World Ever Better. In support of our values and those of our society, the University is committed to not discriminating on the basis of age, color, disability, ethnicity, gender identity or expression, genetic information, marital status, military/veteran status, national origin, race, religion/creed, sex, sexual orientation, citizenship status, or any other status protected by law. This commitment extends to the administration of our policies, admissions, employment, access, and recruitment of candidates from underrepresented populations, veterans, and persons with disabilities consistent with these values and government contractor Affirmative Action obligations.
Notice: If you are a **Current Employee**, please **log into myURHR** to search for and apply to jobs using the Jobs Hub. Your application, if submitted using this portal, cannot be moved forward.
**Learn. Discover. Heal. Create.**
Located in western New York, Rochester is our namesake and our home. One of the world’s leading research universities, Rochester has a long tradition of breaking boundaries—always pushing and questioning, learning and unlearning. We transform ideas into enterprises that create value and make the world ever better.
If you’re looking for a career in higher education or health care, the University of Rochester may offer the perfect opportunity for your background and goals.
At the University of Rochester, we are committed to diversity, equity, and inclusion, and we are united by a strong commitment to be ever better—Meliora. It is an ideal that informs our shared mission to ensure all members of our community feel safe, respected, included, and valued.