Manager, IT Risk Assessment

The University of Arizona College of Medicine is seeking a first-rate specialist to join its Information Technology Services Department (COM ITS) as Manager, IT Risk Assessment. Reporting to the Director of Infrastructure Services and Customer Care, this position will direct college-wide information security projects and provide technical expertise for security related regulatory and audit compliance activities. This position will plan, execute, and manage multi-faceted projects related to risk management, mitigation and response, compliance, control assurance, and user awareness.

The successful candidate will provide expertise and assistance to ensure the College of Medicine’s information assets are protected. Working with the UA Information Security Office and the UA HIPAA Privacy Officer, the incumbent will contribute substantially to policy and standards development for the College of Medicine and the University. This position will facilitate information security risk analysis and risk management processes and identify acceptable levels of residual risk. It is a goal of COM ITS to be seen as a leader in technology at the University and amongst its peer institutions. This position plays a key role in achieving that vision.

The College of Medicine supports the UA’s diversity and inclusiveness strategic initiatives designed to create an inclusive environment for all faculty, staff, and students. The candidate is expected to support diversity and inclusiveness efforts in the department and college.

Outstanding UA benefits include health, dental, and vision insurance plans; life insurance and disability programs; paid vacation, sick leave, and holidays; UA/ASU/NAU tuition reduction for the employee and qualified family members; state and optional retirement plans; access to UA recreation and cultural activities; and more!

The University of Arizona has been listed by Forbes as one of America’s Best Employers in the United States and WorldatWork and the Arizona Department of Health Services have recognized us for our innovative work-life programs. For more information about working at the University of Arizona and relocation services, please click here.

• Identify risks which might occur.

• Stay knowledgeable of current advances in all areas of information technology concerning vulnerabilities, security breaches or malicious attacks.

• Continuously evaluate communication security, data vulnerability, business continuity, and compliance risks.

• Identify vulnerabilities or weaknesses in systems.

• Examine employee compliance with security controls and deficiencies.

• Evaluate security policy, processes and procedures for completeness.

• Ensure that controls are adequate to protect sensitive information systems.

• Clearly document and define risks and potential impacts of an event and identify systems affected by the defined risk.

• Assist in identifying breaches in security or tracking the source of an unauthorized intrusion.

• Identify defensive steps to take, including necessary firewalls, security software and data encryption.

• Work with the COM ITS to ensure that infrastructure and applications patching and remediation be done.

• Communicate recommended business continuity preparations and controls, including deficiencies, to business units.

• Recommend improvements in network security, identity management and logging.

• Thorough understanding of privacy and security laws (state and federal), industry standards, information security policy frameworks, as well as extensive knowledge about a wide range of privacy/security laws, regulations and standards relevant to higher education.

• In-depth knowledge of information technology security as it relates to all aspects of the protection of information assets and institutional data.

• Ability to balance information security needs with the organization’s strategic plans, values, and other risks to formulate effective solutions.

• Proven strong communication and interpersonal skills at all levels of an institution.

• The ability to influence or gain acceptance from others in sensitive situations, without damaging relationships.

• Solid understanding of NIST Cybersecurity Framework and ability to understand and interpret information security laws as they may apply to the College.

• Ability to be a team player, able to practice discretion around sensitive issues.

• A strong understanding of the importance with keeping abreast of current security threats and in staying current with security technology evolution.

• Bachelor’s degree in Information Technology or a related area AND three years of information technology experience which may include systems administration, network systems administration, applications design/development which would include a minimum of two years information security specific experience; OR, seven years of progressive information technology experience which may include systems administration, network systems administration, applications design/development which would include a minimum of two years information security specific experience; OR, any equivalent combination of experience, training and/or education.

• Management expertise in determining and recommending actions and affecting change across the College, providing a clear understanding and the information necessary for departments and individuals to carry out their responsibilities for information security risk management.

• Security specific certification such as CISSP, various GIAC (such as GCED, GPPA), or CISM.

• In-depth experience addressing the technical controls of at least one of the following: PCI-DSS, HIPAA, GLBA, FERPA, NIST 800-171.

• Experience leading complex security-related projects.

• Experience working in an academic medicine, research, or patient care organization.