The Senior Information Security Solutions Analyst (Sr. ISSA) focuses on strategy, compliance, governance, and risk management methodologies to protect the confidentiality, integrity, and availability of Towson University's (TU) information assets. The position will include a high degree of judgment in consideration of acceptable risk, residual risk, and identification of sufficient compensating controls. Additionally, the Sr. ISSA will serve as a consultant and advisor for complex projects to mitigate risk to acceptable levels by balancing total cost of ownership and IT services. Finally, the candidate is expected to promote security best practices within the Office of Technology Services (OTS) and university-wide business units.
Perform risk management activities such as third-party risk assessments, design to build risk analysis, vulnerability analysis, and threat intelligence. Additionally, provide technical guidance and serve as primary escalation point for TU's risk assessment process of identifying cyber risks.
Review third party audit validation reports (e.g., SOC2, PCI-DSS, etc.) as part of the risk assessment process.
Identify and recommend appropriate mitigating and compensating controls by leveraging a broad knowledge of technologies, processes, and controls.
Review architectures to ensure proper security and recommend mitigations and/or compensating controls as necessary.
Consult with Information Security Leadership, OTS, legal, and Management Advisory and Compliance Services as necessary throughout the risk assessment process.
Serve as thought leader for Information Security technologies and initiatives as an active member of the OIS Leadership team.
Research new security technologies, methods, and standards for feasibility and appropriateness for TU’s use by evaluating business strategies and requirements.
Work collaboratively with the Project Management Office (PMO) and Project Managers to ensure security best practices (e.g., disaster recovery, auditing requirements, data classification controls, etc.). Additionally, provide security consulting leadership to project teams during the design/planning phases and work to effectively transition to operations and engineering groups.
Serve as a back-up to the Director as necessary for projects and daily operations.
Provide subject matter expert technical guidance related to regulatory requirements such as PCI, HIPAA, local and state government requirements, and other compliance mandates within OTS and business units.
Evaluate and negotiate security exceptions and standard deviations to ensure protection of confidentiality, integrity, and availability of TU's information assets.
Assess and analyze the level of compliance with all internal policies, procedures, defined standards, and industry best practices. Assist with management and continuous improvement of the OTS Internal Controls program.
Administration of relevant cybersecurity control validations and processes.
Monitor and assess compliance with approved policies, processes, procedures, and practices as they relate to user access appropriateness and least privilege.
At the direction of the Director of Information Security, serve as the Incident Coordinator for the Computer Security Incident Response Team (CSIRT), which involves managing, coordinating, and tracking activities during incident investigations.
Facilitation of Disaster Recovery testing and Incident Response tabletop exercises.
Bachelor’s degree and five years of related experience.
Hands-on experience with IT Security tools and technology (e.g., Firewalls, Anti-Virus, Vulnerability Management, etc.).
Working knowledge of compliance regulations such as HIPAA, PCI, FERPA, etc.
Strong communication, collaboration, and technical skills. Should be able to work effectively with others at all levels across the organization and provide authoritative guidance to management and staff within the organization.
Strong project planning/execution skills.
Excellent verbal and written communication skills.
Ability to work after hours and holidays.
Experience with analyzing IT vendor assessment questionnaires (e.g., HECVAT, SIG, CAIQ, etc.).
Experience with Risk Management Frameworks (e.g., NIST, OCTAVE, TARA, etc.).
Achieved a relevant cybersecurity industry certification (e.g., CISSP, CISA, Security+, etc.).
Able to work independently, must be self-motivated, and demonstrate initiative.
Previous experience as a system administrator, network engineer, or equivalent.
A Criminal Background Investigation is required for the hired candidate and the results may impact employment.
Salary and Benefits
Competitive salary and full university benefits that include excellent health, life insurance, and retirement plans; tuition remission; and 22 days of annual leave, 14 holidays, personal and sick days.
This position will be open for a minimum of 14 days. Cover letter and resume are requested, but not required.
Internal Number: 190000B6
About Towson University
The largest comprehensive university in the Baltimore area, Towson University is nationally recognized for its excellent programs in the arts and sciences, communications, business, health professions, education, fine arts and computer information systems. Located in suburban Towson, eight miles north of Baltimore, our beautifully landscaped, 328-acre setting offers a pleasant environment for study and a diverse campus life, as well as easy access to a wealth of university and community resources. Towson University's educational experience branches out to off-campus locations throughout Maryland, including a number of online options. Our many interdisciplinary partnerships with public and private organizations throughout Maryland provide opportunities for research, internships and jobs. Towson University is a founding member of the Coalition of Urban and Metropolitan Universities (CUMU).