University of Southern California
University of Southern California (USC) Department of Information Technology Services (ITS) is seeking a Policies and Standards InfoSec Lead with an exceptional commitment to service excellence to join its team. As the InfoSec Assurance Lead, you will be an integral member of the Security Strategy and Governance team of the Office of the CISO. The InfoSec Assurance Lead is primarily responsible for planning, designing, and executing security assurance and risk assessment to promote the university’s information security strategy and compliance with regulatory and legal requirements. The role is also accountable for identifying security deficiencies and recommending corrective actions of identified vulnerabilities. Responsibilities include the creation and publication of internal controls, ensuring the development and maintenance of adequate compliance resources and training opportunities, and fostering a risk and compliance-focused culture within the division. This position works with IT internal support teams as well as external clients within the university to provide the highest standards of support relative to information security governance and risk management practices. Other responsibilities include providing guidance on security solutions, preparing benchmarking reports and presentations, monitoring security metrics to evaluate efficacy of security programs, and supporting security incident response activities.
THE WORK YOU WILL DO
The InfoSec Assurance Lead Will
- Leads and contributes to the assessment of multiple project risks and complexities. Participates in project handoffs including document preparation, training and education, and support to ensure smooth transitions. Assists in the selection and design of tools that allow reuse of design components and plans between similar projects.
- Helps mature information security risk management processes, programs and strategies. Aligns information security activities with regulatory requirements and internal risk management policies. Identifies security gaps and deficiencies by conducting risk assessments and recommends corrective action of identified vulnerabilities and weaknesses. Leads the planning, testing, tracking, remediation, and acceptance level for identified security risks, and the creation and publication of internal controls. Ensures requisite compliance monitoring is in place to identify control weaknesses, compliance breaches and operational loss events. Ensures adequate compliance resources and training, fostering a risk and compliance focused culture and optimizing relations with team members and regulators.
- Participates in security testing projects according to a structured process, including writing test plans, test cases and test reports. Conducts basic proof-of-concept exploits of vulnerabilities.
- Interfaces with peers and senior leadership and communicates relative information at all levels. Provides Cybersecurity guidance to less-experienced Information Security team members and other technologists across the university. Meets with project teams and other system architects to develop system designs and project plans that include the appropriate security controls and meet security standards.
- Conducts highly technical/analytical security assessments of custom web applications, mid-tier application services and backend mainframe applications, including manual penetration testing, source code and configuration review using a risk-based intelligence-led methodology. Identifies potential misuse scenarios, and advises on secure development practices.
- Conducts enterprise due-diligence activities, including security monitoring and security metrics, to evaluate effectiveness of the enterprise security program and established controls.
- Provides assistance in benchmarking technology strategies and architectures. Monitors and anticipates trends and investigates organizational objectives and needs. Provides guidance on security solutions and prepares benchmarking reports and presentations.
- Guides security incident response activities and post-event reviews of security incidents. Ensures the clear and professional documentation of root cause and risk analysis of all findings. Reviews action plans for issue resolution. Conducts investigation and reports contribution of security threats and incidents.
- Maintains awareness and knowledge of current changes within legal, regulatory, and technology environments which may affect operations. Ensures senior management and staff are informed of any changes and updates in a timely manner. Establishes and maintains appropriate network of professional contacts. Maintains membership in appropriate professional organizations and publications. Attends meetings, seminars and conferences and maintains continuity of any required or desirable certifications, if applicable.
- Bachelor’s degree or combined experience/education as substitute for minimum education
- 5 or more years of demonstrated IT experience, with at least 2 years in information security.
- Working knowledge of Windows-based platforms, application and TCP/IP network security technologies, information security concepts, principles and components of a comprehensive information security program. Experience in Application Security concepts, Control frameworks and control objectives.
- Aptitude for and interest in information and application security. Exceptional organizational skills to balance work and lead projects. Strong, professional written and verbal communication skills.
- Advanced knowledge of common web technologies, enterprise and network architecture
- Strong understanding of: modern security tools and controls; secure development life cycle methodologies; programming languages or other scripting languages; web-based application architectures (IIS, Apache, etc.); financial industry regulations such as GLBA, PCI, and SOX; application protocols such as MS-SQL, LDAP, and SSO; data protection controls; and applied use of cryptography.
- Advanced knowledge of or demonstrated experience with defense in depth, trust levels, privileges, and permissions.
- Advanced knowledge of or demonstrated experience in application penetration testing. Advanced knowledge of and experienced development of mainframe and Unix platforms. Large complex industry related experience.
THE ITS TEAM
The ITS vision aligns strategy, business, and services; affirms ITS cultural values; empowers cross-functional teamwork; embraces world-class best practices; and promotes innovation, excellence, agility, and efficiency. To achieve this vision, ITS is committed to providing a modern technology infrastructure that is resilient and delivers the performance necessary to meet the demands of a growing customer base, training in the latest technologies for its highly productive and motivated workforce, outstanding customer experience, and technology services that are aligned with the university’s mission to provide exceptional learning opportunities for students. ITS is creating a workplace where employees can develop cutting-edge skills, take pride in the services they provide, and have access to the roles and career paths that align to their abilities and potential. We are looking for top talent to join us on our journey.
USC’s ITS organization represents a diverse and talented team, committed to supporting a collaborative culture and delivering secure and innovative IT services that are core to the mission of the university. We are also committed to creating and maintaining meaningful partnerships across the university. At ITS, we act with integrity in the pursuit of excellence; embrace diversity, equity, and inclusion; promote well-being; engage in open two-way communication; and are accountable for living our values. ITS strives for a supportive and inclusive culture that encourages employees to do their best work every day and where individuals are recognized and celebrated for their contributions.
USC is the leading private research university in Los Angeles, a global center for arts, technology, and international business. With more than 47,500 students, we are located primarily in Los Angeles but also in various US and global satellite locations. As the largest private employer in Los Angeles, responsible for $8 billion annually in economic activity in the region, we offer the opportunity to work in a dynamic and diverse environment, in careers that span a broad spectrum of talents and skills across a variety of academic and professional schools and administrative units. As a USC employee and member of the Trojan Family (the faculty, staff, students, and alumni who make USC a great place to work), you will enjoy excellent benefits, including a variety of well-being programs designed to help individuals achieve work-life balance. USC values diversity and is committed to equal opportunity in employment.
Come join the USC ITS team and work as a trusted partner in shaping an environment of innovation and excellence. Apply today!
The annual base salary range for this position is $137,000 to $150,000. When extending an offer of employment, the University of Southern California considers factors such as (but not limited to) the scope and responsibilities of the position, the candidate’s work experience, education/training, key skills, internal peer equity, federal, state, and local laws, contractual stipulations, grant funding, as well as external market and organizational considerations.
Minimum Education: Bachelor’s Degree; combined education/experience as substitute for minimum education.
Minimum Experience: 5 years.
Minimum Field of Expertise: Five or more years of demonstrated IT experience, with at least two years in information security. Working knowledge of Windows-based platforms, application and TCP/IP network security technologies, information security concepts, principles and components of a comprehensive information security program. Experience in Application Security concepts, Control frameworks and control objectives. Aptitude for and interest in information and application security. Exceptional organizational skills to balance work and lead projects. Strong, professional written and verbal communication skills.