Associate Director of IT Risk and Compliance
Virginia Tech
Blacksburg, VA
Job posting number: #7298702
Posted: January 17, 2025
Application Deadline: Open Until Filled
Job Description
The Associate Director of IT Risk and Compliance is responsible for managing the university’s IT Risk and Compliance program, overseeing the IT software procurement security assessment program, advising the University IT Security Office (ITSO) on security policies, and participating in university service and outreach.
Responsibilities of this position include:
• Managing the university’s Information Technology Risk and Compliance program and supervising members of the IT Risk and Compliance team
• Managing the university’s Information Technology Governance, Risk, and Compliance (GRC) platform
• Providing guidance, tools, and subject matter expertise for departments performing IT risk assessments
• Participating in enterprise risk management activities
• Managing, and participating in, the third-party and in-house software procurement security review process
• Assisting the University IT Security Officer in the development and reporting of ITSO's annual and strategic plans related to risk and compliance
• Leading, developing, and mentoring employees involved in compliance and risk-related activities
• Participating in university service and outreach by representing ITSO, DoIT, and/or Virginia Tech on internal and external committees
• Working with and advising the University IT Security Officer and Executive Director for IT Policies and Strategic Engagement on IT security policies and standards
No visa sponsorship is available for this position.
Required Qualifications
• Master’s degree in Computer Science, Information Systems, STEM, or a related field, or a bachelor's degree with work experience equivalent to a master's degree
• Significant information security, audit, and/or compliance work experience, with experience measuring compliance against various regulations, industry standards, and/or policies
• Demonstrated ability to manage multiple projects and programs
• Demonstrated ability to effectively communicate across a broad range of campus audiences
• Knowledgeable, with experience, in the following:
- Information risk management concepts
- Cloud and vendor security standards and assessment frameworks (for example, HECVAT and SOC 2), including vendor and contract management issues
- Ability to quickly understand technical concepts and determine the implications of particular requirements and policies
• Strong analytical, organizational, and problem-solving skills
• Committed to supporting and promoting a diverse and inclusive campus community
Preferred Qualifications
• Certified in Risk and Information Systems Control (CRISC), Certified Information System Auditor (CISA), Certified Information Security Manager (CISM), or Certified Information Systems Security Professional (CISSP) certification
• Familiar with the following information security and compliance frameworks: NIST SP 800-171, NIST Cybersecurity Framework, FERPA, GLBA, PCI, Center for Internet Security (CIS) Controls
• Experience in vulnerability scanning and/or application security testing practices
• Experience in evaluating business processes and making recommendations for improvements
• Experience working in a higher education environment