Item 3.Q-August 8, 2014 ADMINISTRATIVE FACULTY POSITION DESCRIPTION QUESTIONNAIRE To expedite and facilitate the PDQ review process, please send the PDQ and Org Chart electronically to marshag@unr.edu for discussion and for initial review before routing PDQ for approval signatures. Questions - call UNR Faculty HR at 682-6114 INSTRUCTIONS: See http://www.unr.edu/hr/compensation-and-evaluation for complete instructions. Incumbent(s) Name (if applicable): Jeff Springer Position #(s): 11107 Current Title: Information Security Officer (JCC: 67469) Department: Information Technology Current Range: 5 College/Division: Provost Account #(s): 1101-109-0902 Action Proposed: (check all that apply) ( ) New position: Proposed Range: Proposed Title: (X) Title Change, Proposed Title: Chief Information Security Officer ( ) Proposed Reassignment from ( ) Revised PDQ only (no change in range or title) ( ) Line of Progression (show titles below) Range: JCC (Current or new HR assigned): I certify that the statements in this description are accurate and complete to the best of my knowledge. ____________________________________________________________ Jeff Springer __________________ Date I/we have reviewed the statements in this form and they accurately reflect the job assignments. ____________________________________________________________ Immediate Supervisor’s Signature Huapei Chen, Chief Information Officer __________________ Date ____________________________________________________________ Director/Chair/Dean Kevin Carman, Executive Vice President & Provost __________________ Date Approved for Salary Placement Committee review. ____________________________________________________________ __________________ Pres / Vice Pres / Vice Prov Signature Stacy Burton, Vice Provost, Faculty Affairs Date Action Approved by the Provost/President (Completed by Faculty HR): 67593 Range: 5 Pos #(s): 11107 JCC: EEO: 3J Eff: 8/1/2014 Approved Title: Chief Information Security Officer Employee signs on “final” stamped approved PDQ and sends to HR for personnel file. Employee Signature:_______________________________________________ __________________ Date Printed Name: ____________________________________________________ Rev: 10/1/2012 Position Description – Chief Information Security Officer Page 2 1. Summary Statement: State the major function(s) of the position and its role in the university. Attach an organizational chart with positions, ranges, and names for the division which reflects the position in it as well as those supervised in the department. (This section is used for advertisement of the position.) The Chief Information Security Officer (CISO) directs staff in identifying, developing, implementing and maintaining processes across the University of Nevada, Reno to reduce information and information technology (IT) risks, respond to incidents, establish appropriate standards and controls, and consults, advises and directs the establishment and implementation of policies and procedures at all levels within the organization up to and including the President. The position is responsible for campus-wide information-related compliance as it relates to federal, state, and local regulatory requirements. In addition to the information security related duties, the individual is in charge of all centralized identity management processes and systems. The CISO supervises and manages administrative IT security faculty. The position reports to the Chief Information Officer (CIO) in Information Technology. 2. List the major responsibilities, including percentage of time devoted to each. Provide enough detail to enable a person outside the department to understand the job (percentage first with heading and then bulleted information). 30% - Security Management Work with both administrative and academic units to improve the overall information security posture of the University, to develop new and innovative systems to address emerging threats, and to increase awareness of the importance of cyber security Respond in a timely manner to all levels of information security related incidents and requests, which may include both internally and externally identified threats and compromises along with requests for information from General Counsel or law enforcement agencies Supervise and evaluate direct report IT security administrative faculty Work closely with University General Counsel on all IT related discovery requests to protect the privacy of faculty and students while ensuring the institution meets its legal obligations 25% - Identity Management Manage the centralized Active Directory systems and the processes that synchronize accounts with upstream systems Provide leadership to staff and administrators to ensure proper authorization and accounting of users and their access to University resources 25% - Security Policy and Process Management Work closely with the CIO, IT managers, and constituents to create appropriate and applicable policies and procedures that ensure the security of the IT infrastructure and data Ensure compliance with all appropriate regulations and enforce appropriate access mechanisms while also ensuring that our core business processes are not negatively impacted 20% - Vulnerability and Security Assessments Conduct regular security vulnerability assessments on University IT assets to verify compliance with campus security policies When cases of identified vulnerabilities are found, work with the impacted units to develop a remediation plan or, in the case of a critical or immediate threat, authorize the removal of network access Position Description – Chief Information Security Officer Page 3 3. Describe the level of freedom to take action and make decisions with or without supervision and how the results of the work performed impact the department, division and/or the university as a whole. Level of Freedom: The CISO works independently with little direction or supervision to identify and resolve key IT security issues. Issues are routinely handled in the best interest of the University without direction. Issues of great import or consequence are discussed with the CIO. Impact: The individual makes high level strategic decisions that impact all aspects of computing and network communications on campus. Policies and procedures implemented by the position have a broad influence on all campus activities that rely on any form of electronic communications including but not limited to email, internet browsing, payroll and file storage. Additionally, the position works closely with University General Counsel on all IT related discovery requests and must protect the privacy of faculty and students while ensuring the institution meets its legal obligations. Ineffective performance of any of the duties associated with the position can result in the University being vulnerable to malicious IT attacks to the entire campus infrastructure and incidences of identity or information theft of University information. 4. Describe the knowledge, skills (to include cognitive requirement and verbal and written communication), and abilities (to include task complexity, problem solving, creativity and innovation) essential to successful performance of this job (in bullet format). Knowledge Networking hardware and software including, but not limited to, Ethernet, switching, routing firewalls, access control lists All modern Operating Systems including Solaris, Linux, Windows 2012, 2008, 8 Internet Protocols including, but not limited to, HTTP,TCP/IP,SQL,DHCP,DNS,NTP, LDAP, Kerberos Security threats including, but not limited to, Advanced Persistent Threats (APT), Virus, Spyware, etc. IT security systems, i.e., Authentication servers, Firewalls, Intrusion Prevention systems, Antivirus servers, System Information and Event Management (SIEM) products, and wireless network security Regulatory environments including, but not limited to, Federal Information Security Management Act (FISMA), Procurement Card Industry (PCI), Family Educational Rights and Privacy Act (FERPA), and Health Insurance Portability and Accountability Act (HIPAA) Skills Excellent verbal and written communication to relay complex ideas clearly to non-technical individuals Analytical, decision-making, and problem-solving skills - research issues/situations, develop and provide solutions, make appropriate decisions, and implement solutions; bring concerns to management Complex data analysis Excellent organizational skills in order to effectively program and maintain computer systems in a complex computer environment Lightweight Directory Access Protocol (LDAP) Directory Management Excellent documentation skills, including the ability to write reports, summarize complex issues and exercise professional judgment in the communication of responses in an appropriate and sensitive manner Supervisory skills, including an ability to teach and mentor staff Position Description – Chief Information Security Officer Page 4 Ability to: Make business-critical decisions in a timely manner Provide relevant input to the policy development process Stay current in discipline and security trends by seeking out and learning new information pertinent to performance of duties Maintain confidentiality of highly sensitive information Develop and sustain effective working relationships with faculty, staff, colleagues and other members of the campus community Work with diverse populations and be sensitive to gender, disabilities, and cultural and ethnic diversity issues Contribute to and support the department, college, and university strategic plan 5. Describe the type of personal contacts encountered in performing the duties of the job. Explain the nature and purpose of these contacts: i.e., to provide services, to resolve problems, to negotiate. Internal University administrators and administrative and classified staff Higher level university administrators, directors, assistance vice presidents, and vice presidents IT Staff Reason for Contact To provide policy interpretation, answer questions, respond to needs and provide solutions to IT security problems External Campus computing professionals, internal and external auditors Vendors Reason for Contact To plan, coordinate, and report on IT security initiatives and activities To provide set direction, guidance, advice and consultation on all IT security related issues and projects To identify vulnerability points prior to a system compromise, develop solutions and implement resolutions To make decisions regarding acquisition and improvement of equipment and software; negotiate contracts with regard to security 6. Indicate the minimum qualifications which are necessary in filling this position should it become vacant. Please keep in mind the duties/responsibilities of the position rather than the qualifications of the incumbent. a. Minimum educational level, including appropriate field, if any. Bachelor’s Degree from a regionally accredited institution with emphasis or major in Computer Information Systems or a related field b. Minimum type and amount of work experience, in addition to the above required education necessary for a person entering this position. Bachelor’s Degree and six years, or Master’s Degree and four years, of relevant administration experience with large scale security-related projects and systems Position Description – Chief Information Security Officer Preferred Licenses or Certifications: Certified Information Systems Security Professional (CISSP) c. Indicate any license or certificate required for this position. None Page 5