Reporting to the Information Security Officer, Information Technology Services (IT Services), the Senior Information Security Specialist (Specialist) plays a key role at the University in the protection of the confidentiality, integrity, and availability of information assets and information systems of high importance to the University. Responsible for advising on strategies and internal controls to mitigate risk to information and information systems, the Specialist works in close collaboration with business and technical managers and stakeholders across the University, including the University’s Chief Privacy Officer, Records Manager, Legal Counsel, Insurance Manager, Manager Internal Audit, and Procurement Specialists. Accountable for the maintenance of Queen’s information security policy instruments, the Specialist regularly evaluates, reports, and recommends changes to information security practices for efficacy and compliance with the University’s policies, external requirements, and applicable laws. The Specialist plays an integral role in leading the change management process relative to Information Security across the University. The Specialist is both a business and technical professional who has mastered a broad spectrum of information security practices and business functions. The Specialist possesses a strong ability to communicate, interface, and collaborate with others based on sound business management principles and practices.
Governance, Risk and Compliance:
Leads the information security compliance process by working with diverse stakeholders across the University to identify information security risks in the use of technology and to understand and accept the risks and responsibilities associated with their services.
Leads the design and maintenance of the information security compliance process in accordance with the University’s policies, applicable laws, external requirements, and the findings and recommendations from audits and incidents. The process describes the steps for the assessment and on-going management of information security, privacy, and legal risks associated with services.
Leads the development of the information security policy instruments for the information security compliance process. The instruments describe the information security controls applicable to a given type of service according to the classification of the data stored, transmitted or processed by the service, and the importance of the service to Queen’s operations.
Leads the development of support material that provides guidance for staff and faculty to address commonly known information security conditions.
Leads the development of operationalization plans that provide the strategy to operationalize and communicate the information security compliance process to the Queen’s community.
Leads management reporting on the information security compliance process and findings from assessments. Maintains ongoing reporting to Internal Audit and oversight committees on the process and progress of the action plans.
Acts as an information security consultant to the University, providing specialized advice on information security practices, threats, and issues.
Leads study and evaluation of stakeholder engagements; works with operations teams to ensure client satisfaction and operational excellence.
Evaluates the digital environment for information security risks, and determines and recommends improvements to current information security risk management controls in consideration of business impact and cost options analysis.
Maintains the currency of the University’s information security policy instruments (policy, standards, procedures); provides expert advice to staff and faculty in the development of local unit information security policies; and provides technical guidance in the application of the security policy instruments.
Establishes and maintains the information security controls risk register and compliance workflow.
Assesses information technology infrastructure, data flows/processes, and operating procedures in accordance with established standards for efficiency, accuracy, security and risk mitigation.
Respects diversity and promotes inclusion in the workplace.
Participates in externally led information security audits and assessments, tracks and reports on the status of mitigation activities.
Interprets regulations and other external requirements as they pertain to the security of information systems, platforms, and IT operating processes, practices and procedures.
Information Security Program Management:
Contributes to activities focused on Information Security Management including Policy Management, Information Assurance and Resource Protection, IT Risk and Compliance, IT Resiliency and Disaster Recovery, Education and Awareness, IT Physical Security, and Incident Management.
Responsible for maintaining the data classification framework and associated policy instruments, user tools, and support guidance.
Evaluates cybersecurity services and recommends changes to improve client satisfaction or the protection of information and technology; contributes to creation of the annual cybersecurity services operating budget.
Develops business and technical information security documentation.
Stays abreast of IT and Information Security best practices, standards, and resources to ensure continuous optimization of delivery effectiveness.
Collaborates and liaises with other institutions, vendors, law authorities and other partners in information security practices.
Conducts operational tasks of the Information Security Office.
When called upon to participate on an incident response team, may analyze security incidents to determine the root cause, identify actions to threats and breaches and recommend appropriate tools and countermeasures.
Building Relationships: builds constructive working relationships characterized by a high level of acceptance, cooperation, and mutual respect.
Business Acumen: builds strong business acumen by sustaining a strong customer service perspective.
Change Management: champions change and fosters the team and environment for change.
Collaboration and Teamwork: promotes collaboration and commitment within a team to achieve goals and deliverables.
Communication: displays confidence and articulates a clear message when interacting with diverse audiences utilizing excellent verbal and written communication skills.
Client Orientation: builds and maintains a client-centric culture by working closely with the customer while maintaining a high level of client satisfaction.
Decision Making & Judgement: relies on experience, thinking several steps ahead in deciding the best course of current/future actions to develop and recommend a policy framework based on analysis of emerging trends.
Integrity: earns others’ trust and respect through consistent honesty and professionalism in all interactions.
Initiative: acts to address problems; focuses on results and desired outcomes and how best to achieve them and gets the job done.
Leadership: sets clear, meaningful, challenging, and attainable common goals and expectations that are linked to the mission, vision, values and goals aligned with the organization and strives to achieve them.
Planning & Organizing: executes proposed actions within predetermined timelines against organizational goals. Develops and integrates current/future plans to achieve the overall organization goals.
Strategic Perspective: develops and proactively implements long term organizational goals, considering the competitive landscape, that will move the organization forward.
Innovation: develops creative ideas that provide solutions to all types of workplace challenges.
Driving for Results: demonstrates a desire to meet and exceed one’s own performance objectives. Not accepting the status quo, takes a calculated risk to improve the organization’s performance.
Developing Others: enables team members to grow and succeed through consistent constructive feedback, and encouragement.
Self-Development: displays an ongoing commitment to learning and self-improvement to enhance the performance of the team.
Contributes to the development of IT Services strategic plans and objectives.
Designs, advises, and guides the implementation of the University’s information security policy instruments, capabilities and services.
Determines appropriate information security controls for the protection of institutional data and technology for departmental stakeholders across the institution.
Assesses residual risk and recommends practices that reduce risk.
Participates in budget planning and decision-making as a member of the broader IT Services leadership team. Recommends changes to the unit’s operating budget.
Assesses appropriate “fit” of technical solutions relative to functional requirements, conformance to University standards, and ability to integrate within the Queen’s IT architecture.
Plans new initiatives within the team or unit, and upon request, technological initiatives for other units and departments. Determines project guidelines and timelines.
Allocates time and resources such that objectives are achieved, operational requirements are met, or to ensure project completion, based on the priority of current workloads. Makes decisions on completeness of all related development and support assignments, relative to planning timelines and project work plans.
Appropriately prioritizes, implements and oversees responses to information security incidents and urgent or emergency situations.
Works as a member of the IT Services management team, determines approach to ensure all areas are supporting each other and collectively meeting IT Services goals.
Determines when to advise or involve management.
University degree in Computer Science, Information Management, Cybersecurity Management, or related field.
Certifications: completion of CISSP is mandatory; CISM, CISA is an asset.
Demonstrated experience in Information Security Management.
Progressive experience leading teams and technical projects.
Experience with threat/risk assessment methodologies, risk management principles and procedures.
Experience with security technology and applications, data protection techniques, and technical architectures.
Experience investigating and resolving Information Security incidents.
Experience configuring security features in operating systems, applications, databases, and telecommunication devices.
Knowledge of IT continuity and disaster recovery planning.
Knowledge of the application of information security within the OSI or TCP/IP model.
Comprehensive knowledge of how telecommunication protocols and services, ports, switches and routers, are used to obfuscate malicious behaviour, gain unauthorized access, alter data integrity or impact system availability.
Comprehensive knowledge of cybersecurity frameworks (e.g. NIST, Cloud Security Alliance).
Excellent verbal and written communication skills including experience in writing technical documentation and delivering business centric presentations.
Consideration may be given to an equivalent combination of education and experience.