Job Description
About the Department: Mason's Information Technology Services (ITS) organization provides information technology resources, systems, services, tools, and training to the university community. ITS's mission is to advance Mason’s strategic goals, support learning, enable scholarly endeavors, and improve institutional management by effectively leveraging the resources of ITS's supporting groups. The organization consists of six groups: Enterprise Infrastructure Services; Enterprise Applications; Learning Support Services; IT Security (ITSO); Enterprise Service Delivery; and Academic Strategies; with dotted-line reporting to Research Computing.
About the Position:
George Mason University recognizes the importance of information security and has a targeted focus on data as an asset. The Chief Information Security Officer (CISO) ensures that Mason has the right leadership, processes, technology, and tools to effectively meet current and future information security threats. The CISO provides vision and leadership to oversee and enhance an information security program for the university’s central systems and its decentralized computing environment, while also supporting information technology risk and compliance objectives in the process. The CISO reports to Mason’s Vice President for Information Technology and Chief Information Officer (CIO) and will be a member of the ITS leadership team.
The CISO provides leadership for the development of information security strategy, policy, standards, architecture, processes, and assessments to ensure that information assets and critical processes are adequately protected with acceptable levels of controls. The CISO builds and implements a broad-based strategic roadmap for security. The CISO has substantial influence and direction over IT Security, Network Security, and the budget issues that arise in determining necessary Information Security steps. The CISO manages the information security organization, including its staff; evolving the overall information security management program; enforcing adoption of standards and practices; and balancing information security requirements with other business objectives.
Responsibilities:
Policy and Program Leadership:
Develops, communicates, and oversees the implementation of a strategic, comprehensive information security and risk roadmap for Mason and for ITS. Provides leadership across the university in information technology security processes, policies, practices, and services;
Works with Mason leadership to identify risks to the confidentiality, integrity, and availability of university systems and data;
Provides leadership in the enforcement of security and associated policies;
Provides leadership to the ITSO in the analysis, discussion, and development of security policy, standards, and practices, and guides the acquisition of advanced security technology;
Provides guidance and influences the university with regard to network and computing security needs in selecting hardware and software technologies, choosing between commercial and open source software, and determining whether services should be local or cloud-based; and
Collaborates with and supports IT colleagues to monitor, assess, and test security solutions.
Compliance, Audit, and Standards:
Develops and enhances an information security governance framework to guide Mason’s information security compliance efforts, aligning with George Mason's risk posture and strategic goals;
Coordinates and tracks information security related audits at all internal, state, and federal levels and provides guidance, evaluation, and advocacy on institutional audit responses;
Ensures that the ITSO provides timely and documented responses to security concerns of IT projects via Mason’s Architectural Standards Review Board or project management processes as part of a holistic risk management program;
Assists with the assessment of business requirements, advises administration and campus personnel on IT security products, services and solutions, and serves as a contributing member of the ITS senior leadership team in the development, prioritizing, budgeting, and planning of IT security strategies and related initiatives;
Develops and implements plans (in cooperation with other departments) to ensure compliance with applicable laws, regulations, and requirements, including: FERPA (Family Educational Rights and Privacy Act), GLBA (Gramm-Leach-Bliley Act), HIPAA (Health Insurance Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard), and the DMCA (Digital Millennium Copyright Act);
For purposes of GLBA compliance, serves as or is accountable to designate a ‘qualified individual’ responsible for overseeing, implementing, and enforcing the information security program; and
Ensures that Mason’s IT Security policies are up to date and provide appropriate protections for Mason.
Risk Management and Incident Response:
Manages a broad range of complex security and risk-related issues in information technology;
Continually evaluates risks and acts expeditiously in making decisions and recommendations, while considering the technology environment as well as the varying needs and viewpoints of a university community and its unique requirements;
Evaluates Mason’s security environment and provides strategic risk guidance for technical controls to implement appropriate defenses and safeguards;
Assists in establishing best practices and procedures for information assurance, disaster recovery, and business continuity;
Leads, plans, coordinates, and participates in required training exercises for incident response, and contingency and disaster recovery;
Leads and coordinates institutional responses to security incidents, providing timely reports during the incident and remediation as well as proposing solutions to prevent or mitigate future incidents;
Tracks security incidents and administers a Mason-wide IT Security Risk Management Program;
Works with IT and communications teams to address communication needs associated with security incidents, from isolated phishing attacks to security breaches;
Directs teams in deployment and management of appropriate security tools and other applicable enterprise-wide systems;
Provides consultation, guidance, and investigation regarding information security, policy, and security education and training;
Documents and publishes security standards, processes, and procedures that the university community is expected to meet;
Develops and enhances an information security and risk management awareness training program for all employees, contractors, and approved system users; and
Provides recommendations on security best practices and designates approved security software for Mason use.
Required Qualifications:
Master’s degree in related field or equivalent combination of education and experience;
Extensive mid/senior level leadership and managerial experience;
Extensive cybersecurity experience with IT security standards or frameworks such as ISO 27002 and NIST 800 series;
Extensive experience with security policy and administration;
Demonstrated experience with evolving state-of-the-art information security technologies and approaches;
Expert leadership experience;
Experience with information system auditing including security reviews, control selection, and evaluation of systems using a risk-based approach;
Demonstrated experience in crisis management and response;
Expertise in risk management approaches to assess and address security and other types of information technology-related risks;
Demonstrated accomplishments in program leadership, policy development, and project management;
Demonstrated strong interpersonal and communications skills, plus the ability to achieve goals through influence, collaboration, and cooperation;
Demonstrated ability to communicate technical concepts and solutions to both technical and non-technical audiences;
Demonstrated ability to work with senior university staff and senior technical personnel;
Knowledge of computer forensic investigation methodology and investigation tools to collect, analyze, and preserve electronic evidence;
Integrity and high standards of personal and professional conduct;
Top Secret clearance or ability to obtain one within 6 months of hire (U.S. citizenship required); and
Required industry certifications such as a Certified Information Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO), or Certified Information Security Manager (CISM), or ability to obtain within 60 days of hire.
Preferred Qualifications:
Experience working in a higher education or a research environment; and
Direct knowledge in the specific technical areas of systems administration, applications development, database administration, network operations, or data center operations.