Classified Title: Cyber Security Analyst
Role/Level/Range: ATP/04/PF
Starting Salary Range: $79,864.00 - $97,575.00
Employee Group: Full Time
Schedule: Monday - Friday, 8:30am - 5:00pm
Exempt Status: Exempt
Location: School of Public Health, East Baltimore Campus
Department Name: Office of Information Technology, IT Operations
Personnel Area: School of Public Health
The Office of Information Technology is seeking a Cyber Security Risk and Compliance Analyst. This position is responsible for administration of a comprehensive information security program ensuring strategies and service align with the Johns Hopkins Bloomberg School of Public Health (the School) mission, goals, and objectives. This includes coordination across the School and with all associated stakeholders.
Responsibilities of this position include developing, documenting, implementing, and maintaining the security policies, standards, and procedures for the School, maintaining oversight of information custodians and security liaisons in carrying out their responsibilities, and providing support in developing and implementing a program to manage all aspects of compliance with the various regulations (e.g., HIPAA, HITECH, PCI). This position will assist with the planning, design, and implementation of technology and procedures designed to maintain the confidentiality, availability, and integrity of the information resources, computer, and networking systems of the School.
This individual will primarily be responsible for analyzing and assessing the privacy, protection, and use of PHI/PII information housed on School systems, mobile computing devices, or 3rd party environments, regardless of format. Supports projects and activities associated with the handling of records and information throughout their entire life cycle. Ensures that electronic record-keeping systems are maintained in a state of compliance with established Johns Hopkins privacy, electronic communications, information protection, and records management policies.
Must have strong knowledge of domestic Information Protection and Data Privacy laws and considerations, and be well versed in their international equivalents. The scope of the job currently includes the assessment and evaluation of processes, projects, and environments handling records and information at the School. Responsible for coordination and support of risk management programs affecting people and assets for the School.
Provides recommendations for security compliance to technical and project leadership based upon research and evaluation of legislation, regulations (HIPAA, HITECH, FISMA, PCI, DHS, ISO, NIST), and industry best practices.
Analyzes the security posture of information systems based upon industry best practices, standards & guidelines, and regulatory requirements including, but not limited to, NIST, COBIT, and ISO.
Performs Information Assurance Certification and Accreditation Process certifications, testing and evaluations on School information systems.
Provides network security risk assessments, vulnerability assessments, and network security analysis, and provides recommendations to cost-effectively protect information system assets from intentional or inadvertent modification, disclosure, or destruction for larger systems and projects that are highly complex in nature. These may also involve sensitive information (PHI and PII).
Works with senior management and staff to develop and communicate security policies and establish procedures necessary to monitor and support compliance.
Provides tactical and strategic planning for ongoing management of information systems platforms.
SYSTEMS ANALYSIS AND DESIGN:
Researches, recommends, implements and supports new technologies, systems and/or processes to reduce the security threats to the School's network and IT infrastructure. These include, but are not limited to, data loss, exposure of private data, inappropriate systems access, denial of service, computer viruses and Trojans, or any other indication of compromised systems.
Provides cyber security design consulting services by independently interpreting complex requirements and providing recommendations to cost-effectively protect information system assets from intentional or inadvertent modification, disclosure, or destruction for larger systems and projects that are highly complex in nature. These may also involve sensitive information (PHI and PII).
Develops new methods to improve service processes, performance, and functionality by examining system management tools and processes. Reviews new methods suggested by others and approves the work.
Coordinates with clients and JHU entities including, but not limited to, OHIA, ORA, and IRB to review security and privacy requirements and controls within research plans, data use agreements, and contracts.
Monitors the vulnerability scanning programs and provides guidance and task assignment to technical engineers and administrators to design and implement controls to mitigate identified risks.
Maintains contact with outside contingency planning professional organizations and local/regional emergency response groups.
Represents IT cyber security risk management on institutional committees in the areas of IT security, privacy, and policy.
PROJECT COLLABORATION AND LIFECYCLE PARTICIPATION:
Develops and executes highly technical and/or complex project plans and systems based on knowledge of the business and information security needs of the School.
Represents IT cyber security risk management in business projects for security evaluations, risk assessments, data use agreement review and coordinates activities with customers.
Evaluates vendor proposals and selects the most appropriate vendor based on requirements.
Leads and provides direction to project team by reviewing work and adhering to institutional standards and guidelines to ensure collaboration and communication with team members and customers.
Provides knowledgeable technical and project management (full life-cycle) responsibilities in more than one information security discipline including, but not limited to, risk management, network intrusion detection and prevention, security event/incident response, security policy, vulnerability management, regulatory compliance, and encrypted and secure remote access.
Coordinates IT Security Awareness and outreach programs (i.e. new employee orientation and specific compliance training programs) and assists with the training and education of employees on business continuity, preparedness, and their role during a crisis event. Creates audience-appropriate documentation to serve as technical and/or end-user reference.
Assists in the development and regular review of risk management and security artifacts for School facilities and infrastructure. These include, but are not limited to, policies, standard operating procedures, business impact analysis, systems design documentation, risk management plans, disaster recovery plans, and after action reports.
Implements and supports systems and/or processes to reduce the security threats to the School's network and IT infrastructure. These include, but are not limited to, data loss, exposure of private data, inappropriate systems access, denial of service, computer viruses and Trojans, or any other indication of compromised systems.
Develops new methods to improve service processes, performance, and functionality by examining governance, risk management, and change (GRC) control processes.
Develops and maintains metrics and assessments regarding the effectiveness of security controls for IT-managed assets and provides reports and recommendations to senior management.
Maintains documentation library including all internal and external risk assessments, audits, Security and Privacy plans and mitigation response plans (i.e. SSP, PIA, POAM).
Evaluates and forecasts the need for IT Security to sustain security program effectiveness.
Communicates critical incident information efficiently with attention to confidentiality concerns.
Bachelor's degree in an IT or related field required. Advanced degree in IT or related field preferred.
Six years of progressively responsible experience in at least one of the following disciplines: enterprise networking (wired and wireless), computer system management and administration, enterprise information or network security, continuity management, network forensics, or technical risk assessment. Two years of experience in a hands-on technical leadership role. Three years of project management and project team participation experience.
Additional experience may substitute for education.
Professional security training and/or certification (e.g. SANS/GIAC, CISA, CISM, CISSP) preferred. Possesses an in-depth knowledge of information security and compliance practices and their various supporting technologies and platforms. Ability to research risks and risk-related problems to the finest detail to identify related issues and solutions.
Knowledge, Skills, & Abilities (KSAs):
Must demonstrate strong critical thinking and analytical reasoning skills.
Ability to work on multiple priorities effectively and prioritize conflicting demands.
Ability to independently execute assigned project tasks within established schedule.
Ability to work collaboratively in a team environment.
Ability to communicate effectively in the service of users and colleagues.
Writes and communicates clearly and concisely and possesses sound documentation skills.
Ability to maintain confidentiality.
Work requires a strong understanding and extensive work experience with at least two of ten ISC information security domains:
Application development security
Business continuity and disaster recovery planning
Information security governance and risk management
Legal, regulations, compliance, and investigations
Physical (environmental) security
Security architecture and design
Telecommunications and network security
Working knowledge of various compliance legislation and industry standards (e.g. HIPAA/HITECH, PCI, and FERPA).
Knowledge and experience with information security technologies, methodologies, and practices including, but not limited to, risk assessment and management, intrusion detection and prevention, vulnerability assessment and management, system administration (Windows, OS X, Linux, Unix, etc.), security policy, standards, and best practices, security incident response, auditing and security administration of network security systems and operating systems, access control, encryption, firewalls, secure proxies, networking, database and application security, security event log analysis, virus prevention and remediation, and custom programming/scripting.
Strong understanding of TCP/IP, the OSI model, and appropriate standards and practices associated with a secure technical framework.
The successful candidate(s) for this position will be subject to a pre-employment background check.
If you are interested in applying for employment with The Johns Hopkins University and require special assistance or accommodation during any part of the pre-employment process, please contact the HR Business Services Office at email@example.com. For TTY users, call via Maryland Relay or dial 711.
The following additional provisions may apply depending on the campus at which you will work. Your recruiter will advise accordingly.
During the Influenza ("the flu") season, as a condition of employment, The Johns Hopkins Institutions require all employees who provide ongoing services to patients or work in patient care or clinical care areas to have an annual influenza vaccination or possess an approved medical or religious exception. Failure to meet this requirement may result in termination of employment.
The pre-employment physical for positions in clinical areas, laboratories, working with research subjects, or involving community contact requires documentation of immune status against Rubella (German measles), Rubeola (Measles), Mumps, Varicella (chickenpox), Hepatitis B and documentation of having received the Tdap (Tetanus, diphtheria, pertussis) vaccination. This may include documentation of having two (2) MMR vaccines; two (2) Varicella vaccines; or antibody status to these diseases from laboratory testing. Blood tests for immunities to these diseases are ordinarily included in the pre-employment physical exam except for those employees who provide results of blood tests or immunization documentation from their own health care providers. Any vaccinations required for these diseases will be given at no cost in our Occupational Health office.
Equal Opportunity Employer Note: Job Postings are updated daily and remain online until filled.
Johns Hopkins University remains committed to its founding principle, that education for all students should be grounded in exploration and discovery. Hopkins students are challenged not just to learn but also to advance learning itself. Critical thinking, problem solving, creativity, and entrepreneurship are all encouraged and nourished in this unique educational environment. After more than 130 years, Johns Hopkins remains a world leader in both teaching and research. Faculty members and their research colleagues at the university's Applied Physics Laboratory have each year since 1979 won Johns Hopkins more federal research and development funding than any other university. The university has nine academic divisions and campuses throughout the Baltimore-Washington area. The Krieger School of Arts and Sciences, the Whiting School of Engineering, the School of Education and the Carey Business School are based at the Homewood campus in northern Baltimore. The schools of Medicine, Public Health, and Nursing share a campus in east Baltimore with The Johns Hopkins Hospital. The Peabody Institute, a leading professional school of music, is located on Mount Vernon Place in downtown Baltimore. The Paul H. Nitze School of Advanced International Studies is located in Washington's Dupont Circle area.