Principal Specialist, Information Security, Compliance, and Risk Assessment

University Information Technology Services (UITS) comprises a team of over 900 dedicated employees. As the University's central technology hub, UITS delivers critical enterprise-level and localized technology solutions that underpin the university's core missions of research, teaching, and learning. Serving as the foundation of academic and administrative operations, we are embracing the opportunities of a new era with enhanced services that surpass many peer institutions. In collaboration with departmental and college units, UITS strives to enrich the student experience, fostering connection, discovery, and engagement with the university and its broader community. We are committed to advancing research technologies, driving innovative solutions to global challenges, and promoting a culture rooted in entrepreneurship, diversity, and inclusion.

Outstanding UA benefits include health, dental, and vision insurance plans; life insurance and disability programs; paid vacation, sick leave, and holidays; UA/ASU/NAU tuition reduction for the employee and qualified family members; retirement plans; access to UA recreation and cultural activities; and more!

The University of Arizona has been recognized for our innovative work-life programs. For more information about working at the University of Arizona and relocations services, please click here.

Information Security Management and Compliance

• Develop, implement, and maintain information security architectures and solutions to protect the College of Medicine-Tucson's IT infrastructure.
• Evaluate and manage system security across the institution, including monitoring, documenting, and reporting changes to ensure compliance with HIPAA, FERPA, PCI, and other relevant regulations.
• Investigate and respond to potential security incidents, coordinating with relevant teams to mitigate risks and ensure timely resolution.
• Conduct, manage, and review regular vulnerability scans and logs, assigning remediation tasks and following up to completion.
• Monitor the external threat environment, advising relevant stakeholders on appropriate courses of action to mitigate risks.
• Ensure that information security concerns are integrated into the college's business strategies, requirements, and projects, supporting the alignment of IT initiatives with overall institutional goals.

Risk Assessment and Management

• Conduct comprehensive risk assessments and analyze business impacts and exposure based on emerging security threats, vulnerabilities, and risks.
• Develop and execute corrective action plans (CAP), ensuring alignment with the college's strategic goals and regulatory requirements.
• Provide continuous monitoring of the information security program, creating and updating CAPs and managing progress to completion as needed.
• Establish metrics and a reporting framework to measure the efficiency, effectiveness, and maturity level of the security program.
• Prepare and present detailed reports on the status of the information security program to senior leadership, including an annual enterprise risk assessment.

Collaboration and Stakeholder Engagement

• Serve as the primary information security liaison with the Information Security Office, the University Privacy Program Office, and other regulatory bodies.
• Collaborate with UITS ISO, the HIPAA Privacy Office, and other regulatory entities as the primary liaison during any actual or potential information security events.
• Act as a security expert in application development, database design, and network security, collaborating with teams to ensure security measures are integrated into all projects.
• Participate in the development of data management plans for researchers, ensuring information security and HIPAA compliance.
• Ensure effective communication and collaboration between the College of Medicine-Tucson, UA Health Sciences, campus IT, and external Health Care partners on matters related to information security, compliance, and risk management.

Training and Awareness

• Develop and execute the security education and communication strategy for the College of Medicine-Tucson, including advocating and enforcing participation in HIPAA Privacy and Information Security Awareness programs.
• Conduct regular training sessions for staff and faculty on information security, compliance, and risk management best practices.
• Advocate and enforce information security training activities for the HIPAA Privacy and Information Security Awareness programs.

Continuous Improvement and Innovation

• Research, design, and advocate for the adoption of new technologies that enhance the college's information security posture.
• Stay informed of current trends, news, and developments in information technology related to HIPAA compliance, vulnerabilities, security breaches, and malicious attacks.
• Periodically review the college's security control set, overseeing the introduction and implementation of new security tools and platforms as necessary.
• Prepare and maintain comprehensive documentation for all security-related activities, ensuring it meets regulatory requirements and is accessible to relevant stakeholders.
• Provide leadership and guidance on information security topics, including the development of business continuity and disaster recovery plans.

Knowledge, Skills, Abilities

• Proven ability to work effectively in a team environment, with the capacity to take independent initiative when required.
• Strong problem-solving and critical-thinking abilities, coupled with a customer-oriented approach to service delivery.
• Ability to explain complex technical concepts in simple, understandable terms for non-technical audiences.
• Proficient in conducting research and performing thorough analysis to inform decision-making.
• Demonstrated ability to quickly adapt to new challenges and continuously learn in a dynamic environment.
• High expectations for self and others, with a strong sense of accountability to meet commitments, find solutions, and own outcomes.
• Open-minded and positive attitude towards work, contributing to a supportive and productive team environment.
• Ability to periodically review security control sets and oversee the introduction and implementation of new security tools and platforms within an academic environment.
• Skilled in developing and executing security education and communication strategies, including the delivery of training for HIPAA Privacy and Information Security Awareness programs.
• Proven ability to oversee the development of incident tracking systems, ensuring that privacy and security incidents are documented, reported, and addressed in a timely manner.
• Ability to monitor the external threat environment for emerging risks and provide informed advice to stakeholders on appropriate courses of action.
• Competence in conducting, managing, and reviewing regular vulnerability scans and logs, and assigning remediation tasks.
• Commitment to staying informed about current trends and developments in information technology, particularly regarding HIPAA compliance, vulnerabilities, security breaches, and malicious attacks.
• Willingness to take on additional duties as assigned, contributing to the overall success of the IT and information security programs.
• Proficiency in common information security management frameworks and guidelines, such as ISO/IEC 27001 and the NIST SP 800 series.
• Strong understanding of relevant legal and regulatory standards, including HIPAA Security Rule, FERPA, PCI, and other applicable compliance requirements.
• Willingness and ability to be on-call during security breaches or other emergencies.
• Excellent written and verbal communication skills, with the ability to interact effectively with a wide range of stakeholders.
• Working knowledge and experience in key technology areas, including Windows, Linux, iOS, web, database management, and application development.
• Ability to lead and influence others, fostering collaboration and driving positive outcomes.
• Ability to integrate information security concerns into business strategies, requirements, and projects within a college or university setting.
• Expertise in monitoring, documenting, and reporting on information system changes to ensure compliance with HIPAA, FERPA, PCI, and other relevant regulations.

• Bachelor's degree or equivalent advanced learning attained through professional level experience required AND Minimum of 8 years of relevant work experience; OR,
• Equivalent combination of education and work experience.

• Experience in providing continuous monitoring of information security programs, including the creation and management of corrective action plans (CAP) and tracking progress to completion.
• Experience in reporting the status of information security programs to senior leadership, including conducting annual enterprise risk assessments and establishing metrics to measure the efficiency, effectiveness, and maturity of the security program.
• Demonstrated experience in providing leadership and guidance on information security, including the development and implementation of security processes, business continuity, and disaster recovery plans.
• Experience in collaborating with IT security offices, HIPAA privacy offices, and other regulatory entities, serving as a primary liaison during security events.
• Experience in developing data management plans for researchers to ensure information security and HIPAA compliance.
• Experience in creating and maintaining documentation for security-related technologies, procedures, and processes to meet regulatory and university-specific requirements.