IT Data Security Specialist - Remote
Job Number: 2022-39648
Category: Information Technology
Location: Shrewsbury, MA
Shift: Day
Exempt/Non-Exempt: Exempt
Business Unit: UMass Chan Medical School
Department: School - IT-Security & Compliance - W875042
Job Type: Full-Time
Salary Grade: 74
Union Code: Non Union Position -W60- Non Unit Professional
Num. Openings: 1
Post Date: April 19, 2022

GENERAL SUMMARY OF POSITION:

Under the direction of the Manager of Information Security and Compliance, the Data Protection Specialist is responsible for ensuring UMMS complies with regulatory and legal standards related to data protection laws (CCPA, HIPAA, GDPR, etc.). The role is responsible for ensuring that the most current privacy processes, procedures and controls designed to meet data protection compliance requirements and UMMS policies are presented to the Privacy Officer and the CISO on an ongoing basis, and that UMMS's compliance position is sufficient.

ESSENTIAL FUNCTIONS:

  • Develop, communicate, and implement information security programs that address people, process and technology risks
  • Provide expert guidance to UMMS in respect to achieving and maintaining privacy compliance with CCPA, GDPR, HIPAA and other regulations as applicable.
  • Report regularly to the Privacy Officer and Chief Information Security Officer as well as present quarterly updates to the Privacy Officer and Executive Leadership
  • Work with Security Architects, Security Analysts, Security Administrators and other IT and business departments to design effective and efficient procedures and controls to meet privacy compliance requirements
  • Research industry trends for compliance and control implementations to ensure UMMS maintains reasonable and appropriate privacy compliance controls acceptable within our industry
  • Assist in the design of the controls assessment program as it relates to privacy controls
  • Review audit findings and risk and gap analysis reports for accuracy and effectiveness for elements related to privacy compliance
  • Assist in recommending remediation activity for privacy compliance activities found deficient and evaluate remediation effectiveness upon completion
  • Monitor changes in the regulatory and privacy landscape and report on the impact of those changes to the Director/Privacy Officer and CISO
  • Serve as staff support to the University's Information Security/Privacy Council
  • Participate in annual University audit and other data security/privacy reviews as needed
  • Develop and manage University-wide risk management, assessment, and remediation programs that meet University requirements and federal and state regulations
  • Coordinate the University’s security compliance management and response initiatives
  • Develop and manage information security policies and standards based on industry best practices and compliance requirements
  • Develop and enhance risk management processes and play a lead role in publishing and communicating policies that provide clear direction and guidance
  • Facilitate internal and third-party information security risk assessments and work closely with functional groups or departments to prioritize and remediate findings
  • Drive the implementation of a framework to support Governance, Risk and Compliance (“GRC”) objectives. Realize significant, measurable gains in GRC practice maturity
  • Act as a risk and compliance thought leader within the University, provide end-to-end expert guidance on how to manage relevant security risks, influence priorities and decisions across the organization
  • Provide end-to-end expert leadership on how to effectively achieve and sustain compliance with regulatory, industry and contractual obligations, as well as information security policies and practices
  • Ensure that contracts provide adequate protection in the areas of legal/regulatory compliance and information security
  • Lead security risk assessments and manage testing of information security controls
  • Participate in internal / external audits involving information security controls. Assist stakeholders in providing audit responses and remediating security control findings
  • Work closely with attorneys, regulators and third parties while representing the University's security position
  • Drive continuous improvement in information security risk and compliance based on expert knowledge in domain areas, industry best practices, business objectives and risk tolerances
  • Lead initiatives to regularly assess the adequacy and effectiveness of information security controls, security policies, direct remediation activities, compliance as related to process and workflows, and initiate actions to ensure that compliance and security gaps are successfully addressed
  • Partner with IT and program management teams to define and implement a secure SDLC framework
  • Perform other duties as required

REQUIRED QUALIFICATIONS:

  • Bachelor’s degree in an Information Technology, Information Security, Compliance discipline or equivalent experience
  • 5+ years of experience as a Privacy Compliance professional or Privacy Compliance controls Auditor
  • Detailed knowledge of federal, state and international laws and regulations concerning privacy and information security (CCPA, HIPAA, GDPR, or other Privacy regulations)
  • Ability to define problems, collect data, establish facts and draw valid conclusions
  • Able to weigh business risks and enforce appropriate IT security policies and practices while maintaining the speed of delivery that is inherent to the organization
  • Demonstrated detail-oriented self-starter with the ability to work independently with limited supervision and direction, and in collaborative team environments
  • A strong ability to multi-task and manage varying priorities and projects
  • Excellent interpersonal, verbal, and written communication skills with the ability to communicate security risk and compliance related concepts to a broad range of technical and non-technical staff
  • Proficient in Microsoft Office (Word, Excel, Outlook, PowerPoint)
  • Strong written and spoken English with excellent communication, reasoning, and presentation skills
  • The ability to liaise with senior stakeholders and conduct meetings at this level
  • Demonstrated ability to translate information security/privacy compliance requirements and University business needs into enterprise-wide data security/privacy standards and policy
  • Working knowledge of information security standards and best practices (e.g., NIST, SANS).
  • Must possess a high degree of integrity relative to computer security and the confidentiality of information.
  • Experience in the successful development and implementation of enterprise-wide information security programs which reduce risk
  • Ability to collaborate with IT, executive management, and business stakeholders towards achieving business and security objectives
  • Excellent oral and written communication skills

PREFERRED QUALIFICATIONS:

  • Information security management qualifications such as CISSP, CISM or CISA
  • At least one data protection and/or privacy certification such as CIPP, CIPT or ISEB
  • Experience in a higher education environment
  • Demonstrated knowledge of information security standards such as ISO/IEC 27000, NIST, FISMA, PCI, etc.
