University of Southern California Job Openings – Information Security Policies and Standards Lead

University of Southern California

The University of Southern California (USC) Department of Information Technology Services (ITS) is seeking an Information Security Policies and Standards Lead with an exceptional commitment to service excellence to join its team.

As the Information Security Policies and Standards Lead, you will be an integral member of the Governance, Risk Management, and Compliance Unit of the Office of the CISO.

The Information Security Policies and Standards Lead is primarily responsible for developing comprehensive information security governing policies, standards, and guidelines across USC. The position will provide input to key stakeholders on the development and implementation of security policies, standard controls, and mitigation procedures. In addition, this role manages related policies by ensuring that proper governance within policy standards is aligned with requirements within the ITS organization, schools, and departments across the university. The position manages policy compliance and develops policy and standards rollout strategy and awareness campaigns. The position supports the implementation of related training systems, monitors the effectiveness of programs, and reports key metrics to leadership and stakeholders.



THE WORK YOU WILL DO




The Information Security Policies and Standards Lead:

  • Creates, enhances and maintains information security policies, standards, and guidelines development across the policy management lifecycle. Ensures proper governance with policy and standards that align with Information Security Enterprise Architecture. Supports and assesses IT Operations in order to identify and gain efficiencies related to existing and new policies, standards, and guidelines within Information Security.
  • Provides guidance to ITS, Security Liaisons, and key stakeholders across the university on the implementation of policy and standard controls and the development of necessary risk mitigation procedures.
  • Works with the Office of Compliance to incorporate the necessary requirements in the information security policies and standards to support privacy regulatory compliance. Maintains policy and standards repositories. Works closely with Change Management and Communication teams to identify change impacts and required communications related to the changes to existing and new policy and standard requirements. Partners with relevant staff, faculty and students in order to specify, commission, develop, review, approve, implement, maintain and obtain compliance and awareness materials associated with the university’s cybersecurity program.
  • Monitors the effectiveness of the training and awareness program and reports key metrics to the Information Security Governing Body. Evaluates the adequacy of security awareness activities. Identifies and assesses new methodologies to increase security awareness.
  • Partners with Security Awareness to support content development of the university-wide security awareness training, new employee onboarding for new hires and contractors, and role-based training.
  • Helps mature information security risk management processes, programs and strategies. Aligns information security activities with regulatory requirements and internal risk management policies. Identifies security gaps and deficiencies by conducting risk assessments and recommends corrective action of identified vulnerabilities and weaknesses. Leads the planning, testing, tracking, remediation, and acceptance level for identified security risks, and the creation and publication of internal controls. Ensures requisite compliance monitoring is in place to identify control weaknesses, compliance breaches and operational loss events. Ensures adequate compliance resources and training, fostering a risk and compliance-focused culture and optimizing relations with team members and regulators.
  • Performs other related duties as assigned or requested. The university reserves the right to add or change duties at any time.



MINIMUM QUALIFICATIONS


  • Bachelor’s degree or combined experience/education as substitute for minimum education.
  • 5 years’ experience in information security or risk management.
  • Understanding and working knowledge of information security fundamentals and risk-based approach to information security.
  • Understanding of compliance frameworks (e.g., PCI, ISO, SOX, NIST).
  • Previous experience or commensurate skill in reviewing training content that is informative and engaging, inspiring and motivating employees to understand key messages around information security.
  • Previous experience or commensurate skill in managing a third party service provider of training or awareness content development.
  • Knowledge of learning development approaches and methodologies and is able to leverage and customize them to develop security-specific topics, learning objectives and modules.
  • Knowledge of databases and storage solutions to maintain security personnel certification and notify personnel of required updates.
  • Experience in developing a curriculum, creating training content and materials, and/or delivering knowledge using various methods (e.g. web-based, classroom, etc.) through various channels (e.g., eLearning, in-person, etc.).
  • Ability to articulate security concepts to business users across the university.
  • Demonstrable experience in presenting to large audiences with comfort, ease and confidence.
  • Experience in writing security policies, standards and procedures and providing guidance for implementation.



PREFERRED QUALIFICATIONS


  • Bachelor’s degree in information security, information science, computer science, or related field.
  • 7 or more years’ experience in information security or risk management.
  • Extensive experience in information security, risk governance, and risk management within large enterprises or complex entities.
  • Experience in Higher Education industry.
  • Demonstrated data analytics and risk processing skills.



THE ITS TEAM



The ITS vision aligns strategy, business, and services; affirms ITS cultural values; empowers cross-functional teamwork; embraces world-class best practices; and promotes innovation, excellence, agility, and efficiency. To achieve this vision, ITS is committed to providing a modern technology infrastructure that is resilient and delivers the performance necessary to meet the demands of a growing customer base, training in the latest technologies for its highly productive and motivated workforce, outstanding customer experience, and technology services that are aligned with the university’s mission to provide exceptional learning opportunities for students. ITS is creating a workplace where employees can develop cutting-edge skills, take pride in the services they provide, and have access to the roles and career paths that align to their abilities and potential. We are looking for top talent to join us on our journey.



ITS CULTURE



USC’s ITS organization represents a diverse and talented team, committed to supporting a collaborative culture and delivering secure and innovative IT services that are core to the mission of the university. We are also committed to creating and maintaining meaningful partnerships across the university. At ITS, we act with integrity in the pursuit of excellence; embrace diversity, equity, and inclusion; promote well-being; engage in open two-way communication, and are accountable for living our values. ITS strives for a supportive and inclusive culture that encourages employees to do their best work every day and where individuals are recognized and celebrated for their contributions.



ABOUT USC



USC is the leading private research university in Los Angeles—a global center for arts, technology, and international business. With more than 47,500 students, we are located primarily in Los Angeles but also in various US and global satellite locations. As the largest private employer in Los Angeles, responsible for $8 billion annually in economic activity in the region, we offer the opportunity to work in a dynamic and diverse environment, in careers that span a broad spectrum of talents and skills across a variety of academic and professional schools and administrative units. As a USC employee and member of the Trojan Family—the faculty, staff, students, and alumni who make USC a great place to work—you will enjoy excellent benefits, including a variety of well-being programs designed to help individuals achieve work-life balance. USC values diversity and is committed to equal opportunity in employment.


Come join the USC ITS team and work as a trusted partner in shaping an environment of innovation and excellence. Apply today!



The annual base salary range for this position is $137,000 to $150,000. When extending an offer of employment, the University of Southern California considers factors such as (but not limited to) the scope and responsibilities of the position, the candidate’s work experience, education/training, key skills, internal peer equity, federal, state, and local laws, contractual stipulations, grant funding, as well as external market and organizational considerations.



Job Details:

Company: University of Southern California

Job Type: Full Time

Job Location: Los Angeles, CA
