Montgomery College - Maryland, LA

posted 4 days ago

Full-time - Mid Level
Remote - Maryland, LA
Educational Services

About the position

Montgomery College, Rockville, has an immediate need for a full-time Information Security Risk and Compliance Manager in the Office of Information Technology. The work schedule is Monday-Friday, 8:30 am-5:00 pm. This is a non-bargaining, exempt, grade 37 position. Montgomery College promotes and creates a working and learning environment rooted in the basic tenets of fairness, diversity, and inclusiveness. This position is eligible for telework two (2) days a week. This eligibility is subject to change based on the needs of the unit. The Information Security Risk and Compliance Manager's role primarily includes the oversight, coordination, and management of the College's compliance with the Information Technology (IT) organization's security program and regulatory and industry compliance, e.g. PCI DSS, GLBA, FERPA, etc. This role also includes oversight and management for the design, development, and delivery of cybersecurity education and training as a component of the College's compliance obligations.

Responsibilities

  • Provides leadership, oversight, and guidance for compliance with the IT Security program, related College policies, as well as federal, state, and local regulations, and industry standards.
  • Schedules and manages risk assessments based on relevant frameworks and/or regulatory requirements.
  • Coordinates mitigation plans based on assessment findings with the Information Systems Security Manager and the wider Cybersecurity and Risk Management team, as well as other OIT teams and College units.
  • Monitors and reports on compliance with IT Security standards, as well as the enforcement of standards within the IT department.
  • Facilitates the development of new IT Standards working with small and large stakeholder groups.
  • Reviews and proposes changes to existing policies and procedures to ensure operating efficiency and regulatory compliance on the defined review schedule.
  • Manages outsourced vendors that provide information security functions for compliance with contracted service-level agreements.
  • Assists resource owners and IT staff in understanding and responding to security audit findings.
  • Leads and manages the College's IT third-party risk management program.
  • Collaborates, as appropriate, with information security, procurement, compliance and/or other risk functions to maintain the third-party risk management program.
  • Coordinates the identification and ranking of vendor risks.
  • Coordinates the classification and tiering of vendors by risks and risk impacts.
  • Builds communication and escalation plans around vendor risk management activities within the College.
  • Understands and applies relevant regulatory and legal compliance requirements.
  • Manages vendor risks as defined in vendor contracts and in accordance with existing risk management programs and policies.
  • Develops and monitors vendor remediation actions, mitigation and contingency plans when risks or events are identified.
  • Ensures third- (and increasingly, fourth) party vendor regulatory compliance.
  • Coordinates the gathering of vendor risk assessment data and prepares risk assessment reports to be published and communicated to stakeholders.
  • Influences vendors and business partners to ensure compliance with risk management policies.
  • Partners with sourcing and vendor relationship/contract management functions where they are not part of this group to manage vendor behavior.
  • Works with regulatory officers and auditors as necessary.
  • Communicates identified risk requirements and violations to internal stakeholders (and end users within the business) and responsible vendors while supporting the response to, and the addressing of, these issues.
  • Leads the College's Cybersecurity Education and Awareness Program.
  • Provides security communication, awareness, and training for audiences, which may range from senior leaders to staff, faculty, and students.
  • Identifies and evaluates top human risks to the College and the behaviors that must change to mitigate those risks.
  • Develops, reviews, implements, and maintains a security awareness program to mitigate human risks present in the organization's extant operating environment.
  • Creates and manages a metrics framework that effectively measures employee compliance with information security policies and the overall effectiveness of the security awareness program.
  • Establishes, and then maintains, an understanding of employee awareness around the organization.
  • Works with relevant business units to improve security awareness and meet regulatory and compliance standards.
  • Provides leadership and manages the activities of the team by encouraging collaboration and teamwork.
  • Manages a staff of information security risk and compliance professionals, hires and trains new staff, conducts performance reviews, and provides coaching, including technical and personal development programs for team members.
  • Provides clear direction and expectations of performance for staff and managers and holds them accountable for achieving team and unit goals as well as established personal and professional development goals.

Requirements

  • Bachelor's degree and post-baccalaureate coursework or training in public policy, cybersecurity, information science, or a related field.
  • The equivalent combination of education, training, certification and/or experience that provides the required knowledge and expertise to perform the essential functions of the job may be considered.
  • Four years of progressively responsible experience in the management of risk and compliance issues, or similar experience managing applications, projects, or systems that require identification, evaluation, and remediation of risk.
  • Two years of supervisory experience.
  • Experience dealing with complex risk-related issues managing vendor relationships, information security or regulatory compliance programs, and audits.
  • Recognized training or certification in cybersecurity (CISSP), compliance, and/or information assurance (CISA or CRMA); other relevant certifications may be considered.
  • Eligible applicants must currently be authorized to work in the United States and not require employer visa sponsorship.

Nice-to-haves

  • Experience working in higher education.

Benefits

  • Generous paid vacation
  • Sick leave
  • Paid holidays
  • Medical insurance
  • Dental insurance
  • Vision insurance
  • Group legal benefits
  • Professional development
  • Retirement plan
  • Educational assistance
  • Tuition waiver for employee and dependents
  • Wellness programming including onsite gyms, pools and classes.
© 2024 Teal Labs, Inc