Information Security Officer

Posting Details

Position Information

Who We Are

At Gonzaga we don’t just state our mission. We live it every day as a Catholic, Jesuit, and humanistic University. It is the reason we exist and the foundation for our purpose: educating students for lives of leadership and service. From students to faculty and staff members, everyone here knows what we stand for – and they know how valuable our mission is to the success of our institution.

Our competitive benefit packages are part of Gonzaga’s commitment to care for the whole person. Packages include medical, dental, vision, life insurance, disability insurance, flexible spending accounts, retirement, tuition benefits, and other University-provided benefits.

We also provide numerous resources which help bring balance to the complexities of work and personal life through our work/life and wellness programs.

Position Title: Information Security Officer
Department: Information Security & Compliance
Classification: Exempt
Job Summary

ITS is in need of an Information Security Officer (ISO) to establish and maintain a university-wide information security management program to ensure that information assets are adequately protected. Information is emerging as one of the university’s most valuable assets and we need a senior leader to make sure we protect the integrity of our information and the privacy of students, faculty, staff and members of our larger community. The ISO will be part of the ITS management team and regularly interact with all stakeholders on campus from the President’s Cabinet to individual students, faculty and staff members.

Work Schedule

Mon – Fri, 8 – 5

Hours per Week: 40
Months per Year: 12
Employment Status: Regular
Temporary or Fixed-Term Assignment End Date:
Total Rewards: Depends on Experience
Essential Functions

The ISO is responsible for establishing and maintaining a university-wide information security management program to ensure that information assets are adequately protected. This position is responsible for identifying, evaluating and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the university. The ISO position requires a visionary leader with sound knowledge of business management and a working knowledge of information security technologies. The ISO proactively works with campus stakeholders to implement practices that meet defined policies and standards for information security. The ISO also oversees a variety of IT-related risk management activities.

The ISO serves as the process owner of all assurance activities related to the availability, integrity and confidentiality of student, faculty, staff and university information in compliance with the organization’s information security policies. A key element of the ISO’s role is working with campus leaders to determine acceptable levels of risk for the university. The ISO is highly knowledgeable about the campus environment and ensures that information systems are maintained in a fully functional, secure mode.

The ISO is also a thought leader, a consensus builder, and an integrator of people and processes. As the leader of the security program, the ISO also coordinates disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that security is just one of the university’s activities. It cannot be undertaken at the expense of the campus’ ability to deliver on its goals and objectives for teaching and learning. This will require the incumbent to balance the need for IT security on campus against academic freedom and flexibility for colleges and departments. Ultimately, the ISO is a campus leader, with competency in the field of information security or risk management, with eight to 10 years of relevant experience, including four years in a significant leadership role.

Personal Characteristics

  • A high level of personal integrity, character and courage, with a clear focus on what is best for the organization.
  • Exceptional relationship skills and an open and proactive communication style that is clear, direct, and inspires others.
  • A good listener, flexible in approach and willing to engage in open dialogue.
  • Dynamic, creative, energetic and inspirational, brings a sense of urgency and is proactive.
  • Focused, resilient, graceful and poised, especially when handling conflict or crises.
  • A team builder and team player with a high degree of patience and emotional intelligence.
  • Confident – open to challenge, question or to push back. Is able to deal with conflict in a productive manner.
  • Works well with all levels of the organization.
  • Values inherent in authenticity, integrity, and other personal characteristics that are compatible within the community.
  • Inspires respect and trust from his/her team.
  • A reputation for being honest and trustworthy.
Other Functions
  • Develop, implement and monitor a strategic, comprehensive university information security and IT risk management program to ensure the integrity, confidentiality and availability of information that is owned, controlled or processed by the organization.
  • Develop, implement and monitor a strategic, comprehensive university-wide cyber security awareness program.
  • Manage the university’s information security organization, consisting of direct reports and indirect reports (such as individuals in business continuity and IT operations). This includes hiring, training, staff development, performance management and annual performance reviews.
  • Facilitate information security governance through the implementation of a hierarchical governance program, including the formation and ongoing leadership of a university-wide information security steering committee.
  • Develop, maintain and publish up-to-date information security policies, standards and guidelines. Oversee the approval, training, and dissemination of security policies and practices.
  • Create, communicate and implement a risk-based process for vendor risk management, including the assessment and treatment for risks that may result from partners, consultants and other service providers.
  • Develop and manage information security budgets, and monitor them for variances.
  • Create and manage information security and risk management awareness training programs for all employees, contractors and approved system users.
  • Work directly with colleges and departments to facilitate IT risk assessment and risk management processes, and work with stakeholders throughout the university on identifying acceptable levels of residual risk.
  • Provide regular reporting on the current status of the information security program to university stakeholders and the President’s Cabinet as part of a university risk management program.
  • Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection.
  • Develop and enhance an information security management framework based on the following as appropriate: International Organization for Standardization (ISO) 2700X, ITIL, COBIT/Risk IT and National Institute of Standards and Technology (NIST).
  • Provide strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls.
  • Liaise with fellow ITS managers to ensure alignment between the security and enterprise architectures, thus coordinating the strategic planning implicit in these architectures.
  • Coordinate information security and risk management projects with resources from the IT organization and business unit teams.
  • Ensure that security programs are in compliance with relevant laws, regulations, executive orders, campus policies, etc. to minimize or eliminate risk and audit findings.
  • Liaise among the information security team and university compliance officer, internal and external audit, legal, risk and HR management teams as required.
  • Define and facilitate the information security risk assessment process, including the reporting and oversight of treatment efforts to address negative findings.
  • Manage security incidents and events to protect university IT assets, including intellectual property, regulated data and the university’s reputation.
  • Expand the definition of IT assets to include the emerging Internet of Things (e.g., smart air conditioners, elevators).
  • Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action.
  • Liaise with external agencies, such as law enforcement, Northwest Academic Computing Consortium, American Association of Jesuit Colleges and Universities, and other advisory bodies as necessary, to ensure that the university maintains a strong security posture.
  • Coordinate the use of external resources involved in the information security program, including, but not limited to, interviewing, negotiating contracts and fees, and managing external resources.
  • Coordinate the development of implementation plans and procedures to ensure that business-critical services are recovered in the event of a security event. Provide direction, support and in-house consulting in these areas.
  • Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the security.
  • Understand and interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including, but not limited to, privacy, risk management, compliance and business continuity management.
  • Understand campus technology and information architecture, including network, data center(s), academic technology, applications and user support.
  • Prepare a campus-wide security plan to encompass the following areas of security: network perimeter and internal, servers, desktops, remote access, and data. The plan will contain the policies, requirements, and procedures to be used by any device, server, or user connected to the Gonzaga University campus network(s). It will be a complete security architecture.
  • Evaluate and recommend new information security technologies and counter-measures against threats to information or privacy.
  • Perform other duties and fulfill responsibilities as required.
Supervision Given/Received

Reports to the CIO. Supervises a small team of information security professionals.

Minimum Qualifications

Bachelor’s Degree in computer science, business administration or a technology-related field.

Minimum 10 years of experience in a combination of risk management, information security and IT jobs. At least four must be in a management/project management role. Employment history must demonstrate increasing levels of responsibility.

Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and nontechnical audiences.

Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic environment.

Poise and ability to act calmly and competently in high-pressure, high-stress situations.

Must be a critical thinker, with strong problem-solving skills.

A working knowledge of information security practices and concepts of intrusion detection/prevention, access controls and risk analysis.

Exhibit excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.

Project management skills: financial/budget management, scheduling and resource management.

Ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals.

High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity.

High degree of initiative, dependability and ability to work with little supervision.

Extensive experience in delivering clear written and verbal communication to customers on all levels of the organization.

Strong leadership skills and ability to influence cultural change within direct area of ownership and across the broader organization. Proven team builder with demonstrated ability to manage employee development and performance. Proven track record for investing in people and training others. Strong analytical skills and ability to identify and implement actionable metrics. Excellent communication and interpersonal skills. Previous experience in leading organizations with an information security focus.

Thorough knowledge of English grammar, business writing, punctuation and spelling. Ability to compose and appropriately format correspondence and reports. Working knowledge of software applications, word processing, spreadsheets and database management. Ability to manage staff and direct workload. Ability to maintain confidentiality and appropriately handle sensitive communications with employees and external agencies. Ability to quickly learn and apply a variety of federal, state, and Gonzaga policies and procedures. Must possess excellent customer service and public relations skills. Demonstrated ability to work with a variety of stakeholders, addressing the varied levels of understanding of the processes and requirements to achieve understanding and consensus.

Desired Qualifications
  • Master’s degree in science, business or other relevant field
  • Knowledge and understanding of relevant legal and regulatory requirements, such as Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry/Data Security Standard.
  • Experience with contract and vendor negotiations.
  • Professional security management certification, such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials, is desired.
  • Certified Information Technology Infrastructure Library (ITIL) Foundation certification.
  • Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT and ones from NIST.
Physical Demands

Ability to lift 20 pounds as needed.

Ability to bend, kneel, stoop, reach and sit as needed for office work.

Extensive wrist and hand movements required as needed for keyboarding.

Ability to handle simultaneous tasks while working in a fast-paced environment.

Ability to actively communicate ideas and concepts to others.

Open Date: 04/21/2017
Close Date:
Open Until Filled: Yes
Application Review Begins On: 04/28/2017
Special Instructions to Applicants
EEO Statement

Gonzaga University is a Jesuit, Catholic, humanistic institution, and is therefore interested in candidates who will contribute to its distinctive mission. Gonzaga University is a committed EEO/AA employer and diversity candidates are encouraged to apply. All qualified applicants will receive consideration for employment without regard to their disability status and/or protected veteran status.

Clery Statement

Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics

The safety of all members of the campus community is of vital concern to Gonzaga University. Information regarding crime prevention advice, the law enforcement authority of Campus Security, policies concerning the reporting of any crimes which occurred on the campus (and other specified locations), other security and safety-related policies, as well as the crime statistics for the most recent 3-year period may be found in the Campus Safety and Security Guide and Annual Fire Safety Report. The Gonzaga-In-Florence Safety & Security Guide is also available.

A paper copy of the Campus Safety & Security Guide and Annual Fire Safety Report or the Gonzaga-In-Florence Safety & Security Guide may be obtained by contacting the Student Development Office on main campus, College Hall 120. The Florence Guide may also be obtained on the Florence campus in room 105.

Posting Supplemental Questions

  1. Do you have a bachelor’s degree in computer science, business administration or a technology-related field?
    • Yes
    • No
  2. Do you have a minimum of 10 years of experience in a combination of risk management, information security and IT jobs with at least four being in a management/project management role?
    • Yes
    • No

Applicant Documents

Required Documents
  1. Cover Letter
  2. Resume
Optional Documents