We are currently seeking an Information Security Governance Manager to join our Governance and Risk Management, Information Security team within the Information Technology Services (ITS) department here at the University of Southern California. The Information Security Governance Manager will be responsible for owning, defining, and delivering infrastructure security governance across the Information Security Office, managing an enterprise Data Loss Prevention Program (DLP), and ensuring that governance processes are in place to maintain DLP controls. Responsibilities include assisting in external and internal audits, ensuring overall adherence to policy standards, overseeing the Security Awareness program and facilitating the highest level of compliance through assessment, remediation and escalation as necessary.
The ideal candidate must possess seven years of experience in Information Technology (or Information Security), along with an in-depth understanding of information security, security policies, account security policies, and standards for logical and physical security implementations. A good understanding of the information security control measures defined in ISO 27001, experience with risk assessments, and the ability to perform, manage and run information security audits are also requirements for this role.
Information Technology Services (ITS) is committed to providing information technology (IT) services and support to the university. ITS provides essential, university-wide services such as:
Enterprise information systems
University wired and wireless networks
Must have a Bachelor's degree or combined education/experience as a substitute for minimum education
Minimum of 7 years of directly related experience in Information Technology (or Information Security)
Experience performing, managing and running Information Security audits
Strong knowledge and understanding of Regulatory Compliance and Information Security control measures as defined in ISO 27001
Demonstrated knowledge and understanding of information security, security policies, account security policies and standards for logical and physical security implementations
Demonstrated working knowledge of risk assessment as it is applied to information security
Demonstrated knowledge of security architecture and risk framework principles and concepts
Demonstrated experience running a comprehensive security awareness program
Experience in a Federated or decentralized organization
Strong written communication and professional verbal communication skills
Typically possesses 10 years of experience in Information Technology (or Information Security)
Typically possesses GCIH/GSEC, CISM, CISA, CISSP or CRISC certifications
Typically possesses experience in Governance, Enterprise Risk Management and Regulatory Compliance domains
Typically possesses large complex industry related experience
Serves as a Subject Matter Expert (SME) on the organization's strategy for information security critical processes and associated tools, and ensures the process aligns with regulatory, statutory and industry requirements as well as USC policy and data classification. Recommends programmatic and technical direction with a high degree of independence in matters relating to the investigation, impact and analysis of decisions regarding cyber security risk
Develops, operates and manages comprehensive Information Security strategies, standards, policies and programs to assess, prioritize and mitigate business risk. Leads the review and formal approval process for policy updates. Coordinates updates to the Information Security Standards. Ensures Information Security Policy and Standard documents meet or exceed industry standards, compliance requirements and customer/client expectations
Assesses and manages the adequacy of the mitigation and remediation plans of known cyber security vulnerabilities and threats, aligning with the Information Security Governance & Risk Management (ISGRM) risk framework and processes
Owns, defines, leads and delivers information security governance across technologies, departments and data assets. Ensures any risk is identified, articulated and escalated through standard governance, mitigated and communicated to all stakeholders
Facilitates communication and execution of enterprise-wide information security programs and a comprehensive, multi-pronged security awareness training program. Provides regular guidance and advocacy for best practices for information security
Defines and executes an annual risk assessment plan, and obtains plan sign-off from key stakeholders across the university. Shows key milestones, metrics, KPIs, and associated budget and resource impacts needed to continue an effective risk management program. Creates and maintains an agreed-upon Risk Appetite and Key Risk Indicators (KRIs) in line with the ISGRM Risk Framework
Manages design and implementation of an enterprise Data Loss Prevention Program (DLP). Ensures governance processes are in place to maintain DLP controls across the enterprise. Ensures that DLP controls manage risk in the changing threat landscape, meet business needs and client expectations, and regulatory expectations. Facilitates business rule reviews, threshold setting, and exception management
Engages in preparation of and participates in external and internal compliance audits (PCI DSS, HIPAA, NIST, ISO 27001:2013, etc.). Supports overall validation of adherence to policy and standards through control evaluation. Ensures compliance through assessment, remediation and escalation
Utilizes the risk assessment process to educate asset and process owners on information security risks, risk management and appropriate remediation options. Manages the risk acceptance process to ensure the implications of risk acceptance are understood, risks are accepted at the correct level within the organization, and risk acceptances are tracked and reported on throughout their lifecycle. Manages the risk exception process and regular review.
Manages and maintains a risk reporting framework for management teams and governance committees. Defines and manages the Key Performance Indicators (KPIs) to assure effectiveness and compliance across processes and process owners
Maintains awareness and knowledge of current changes within legal, regulatory, and technology environments which may affect operations. Ensures senior management and staff are informed of any changes and updates in a timely manner. Establishes and maintains appropriate network of professional contacts. Maintains membership in appropriate professional organizations and publications. Attends meetings, seminars and conferences and maintains continuity of any required or desirable certifications, if applicable
Develops and implements security related procedures such as office opening and closing routines, recognition of duress signals and key controls. Coordinates security activities with Department of Public Safety. Promotes and maintains standards for security conscious awareness and behavior. Maintains knowledge of University's crime prevention and suppression programs and services. Ensures dissemination of security related information to staff
Performs other duties as assigned or requested. The university reserves the right to add or change duties at any time
10 years of experience in Information Technology (or Information Security)
GCIH/GSEC, CISM, CISA, CISSP, CRISC certifications
Experience in presenting to SVP & C Suite Executives
Experience in Governance, Enterprise Risk Management and Regulatory Compliance domains
Large complex industry related experience
Minimum Education: Bachelor's Degree; combined education/experience as a substitute for minimum education
Minimum Experience: 7 years
Minimum Field of Expertise: An in-depth understanding of information security, security policies, account security policies and standards for logical and physical security implementations. A basic knowledge of Regulatory Compliance as it affects the relevant industry. A good understanding of the information security control measures as defined in ISO-17799. A working knowledge of risk assessment as it is applied to information security. The ability to perform, manage and run information security audits. A sound understanding of security architecture and risk framework principles and concepts. Demonstrable experience in running a comprehensive security awareness program. Experience in a Federated or decentralized organization.
USC’s Viterbi School of Engineering has been one of the economic engines in Southern California and a vital hub in the California economy. The technical innovations and ideas generated by the Viterbi faculty and research community have resulted in countless innovations, many becoming the foundations for new companies, products and services. The thousands of students graduating each year bring new ideas and vitality to companies in California and beyond. With an annual research budget exceeding $205M each year, more than 46 research centers and institutes, more than 180 faculty members, 7,800 students and over 60,000 impassioned alumni world-wide, the Viterbi School is addressing some of the world’s great challenges.