Details
Posted: 13-Dec-22
Location: Evanston, Illinois
Salary: Open
Department: Information Security Office
Salary/Grade: ITS/82
Are you looking to continue or grow your career in Information Security, Risk and Compliance? To scale the cybersecurity program across the university, the Northwestern University Information Security Office is hiring a Senior Information Security Risk and Compliance Analyst to join our growing Security Operations team. Successful candidates will apply their combined technical and analytical skills to identify and catalog information security risks in a university environment. The Senior Information Security Risk and Compliance Analyst will then work with distributed units and IT professionals to make informed risk decisions and develop mitigation strategies.
An Information Security Risk and Compliance Analyst uniquely combines a technical understanding of information security risks and possible mitigations with a partnership role, serving as a resource to the broader Northwestern community on risk evaluation. This job is perfect for someone who enjoys working in a fast-paced and evolving information security environment and coming up with creative solutions for risk mitigation and compliance. The ideal candidate will demonstrate strong written and verbal communication skills, have experience with core information security mitigation practices, and have experience with risk management and compliance standards in both educational and research environments.
Northwestern IT strongly values diversity in all forms. We live our values in our hiring practices and encourage women, racial and ethnic minorities, individuals of all sexual orientations and gender identities, individuals with disabilities, and veterans to apply.
Job Summary:
Under limited supervision, apply cross-disciplinary Information Technology, Information Security, and Risk/Compliance knowledge to provide risk-focused privacy and security analysis services to customers across the university, including cybersecurity risk consulting, risk reporting and assignment, project purchase analysis, and exception requests; lead and deliver Information Security projects related to risk and compliance; and provide mentoring and guidance to other staff. This position will collaborate closely with other areas of Northwestern University Information Technology, distributed IT/InfoSec professionals, and the broader university community.
Please Note: This position will be required to participate in an on-call schedule that may result in occasional evening or weekend work.
Specific Responsibilities:
Strategic Planning
- Consult with University Risk Management and Compliance as well as other strategic partners from across Northwestern on IT-related risks, requirements, policies, and standards
- Advise on university requirements for development, implementation, and refinement of solutions for security monitoring, detection, and response, in collaboration with other members of the Information Security Operations team
- Contribute to risk assessments and security evaluations
- Provide guidance and support in evaluating vendors, open-source products, and internally developed systems
- Communicate how security standards, frameworks, and compliance documentation measure compliance of systems and applications
- Support processes and systems around vulnerability assessments, risk analysis, and risk mitigation procedures
- Represent the Information Security Office in collaborative and strategic initiatives, applying expertise and functioning as an integral, complementary part of the information security team
Administration
- Perform information security third-party due diligence and ongoing assessments of vendors to assess risks and determine the effectiveness of controls; investigate and report information security violations, third-party data breaches, and supply-chain vulnerabilities
- Assist with the issue and exception management process and with maintenance of the information risk register
- Review existing practices, developing protocols for implementing cybersecurity controls, solutions, capabilities, and compliance
- Act as information security point-of-contact for assigned domain(s)
- Provide recommendations on emerging issues and the resources needed to address them to inform management-level decision-making
- Promote compliance and risk-based controls prioritization related to assigned domain(s)
- Facilitate university-wide information security risk processes amongst stakeholders, risk owners, data stewards, data trustees, and university senior leadership
Development
- Serve as a resource for the Information Security Office, Northwestern University Information Technology, faculty, researchers, and other members of the university community about information security risk management and compliance
- Lead assigned projects in the design, development, testing, and implementation of technical solutions which advance strategic initiatives in Information Security and Privacy, including projects affecting the overall security posture of Northwestern University
- Develop and communicate relevant security-related information, staying informed of needs and initiatives that impact administration, teaching, and research at Northwestern
- Provide recommendations for continual process improvement in information security risk and compliance management
- Review existing information security practices, developing and implementing systems and solutions for additional controls, capabilities, or compliance
- Implement recommendations for assigned projects in consultation with project team(s) and/or other information security staff
- Draft and review documentation such as analyses of technical, administrative, or procedural risk and compliance issues; procedural documentation/playbooks; and team documentation
Performance
- Collaborate with units, end users, and distributed IT professionals to advise on and provide user-focused education about security practices that align with NIST-based cybersecurity policies, standards, and other requirements, as well as all applicable legal and regulatory requirements
- Consult with faculty and researchers on the development of technology control plans and grant proposals, as well as the fulfillment of cybersecurity risk and compliance requirements for grants
- Collaborate with other information security staff as needed for incident remediation or security incident investigations
- Participate in information security risk management aspects of IT and administrative operations
- Develop and maintain information security risk and compliance expertise through university-provided and external training/seminars/courses; stay abreast of industry trends, methods, and published literature; and participate in professional development programs/initiatives approved by information security management
Supervises
- Cultivate subject-matter expertise and skills in less experienced information security staff, in coordination with their supervisors and information security management
- Other duties as assigned.
Minimum Qualifications:
- Successful completion of a full 4-year course of study in an accredited college or university leading to a bachelor's or higher degree; OR appropriate combination of education and experience.
- 4+ years of experience in information technology, information security, risk management, compliance auditing, data governance, or a closely related field
- Experience working with policies and standards based on recognized industry frameworks (e.g. NIST, ISO, COBIT)
Infrastructure (extends across applications)
- identity management/provisioning
- information security
- Microsoft Office (Word, Excel, PowerPoint, Access, Outlook)
- Microsoft SharePoint
Compliance
- FERPA
- FISMA
- HIPAA
- HITECH
- NIST 800-171
- NIST 800-53
Analytical
- critical thinking
- enterprise architecture
- enterprise directory services
- judgment
- problem solving
Project
- organizational skills
- planning
Minimum Competencies: (Skills, knowledge, and abilities.)
- 7+ years of practical experience within a technology and security environment.
- Strong oral and written communications skills.
- Ability to weigh business needs against security risk and compliance concerns and articulate issues to the user community.
Preferred Qualifications:
- Experience in a higher education environment
- Experience with large-scale research environments
- Experience developing or editing information security policies, information security governance, or risk and compliance governance
- Experience with network engineering, system administration, or operations
- Experience with cloud platforms (AWS, Azure, GCP)
- Experience implementing cybersecurity projects
- Security or technology industry certification (e.g. CISSP, SANS, CISA, CRISC, or similar)