Cyber Security Control Assessor

Company:
Stonybrooku
Location:
Stony Brook, NY
Posted:
May 15, 2025

Description:

Required Qualifications: (as evidenced by an attached resume)

Bachelor's degree. Three [3] years of full-time experience in information technology. In lieu of the Bachelor's degree, a combination of higher education and experience totaling seven [7] years of related full-time IT experience may be considered. Familiarity with a variety of information security frameworks and compliance standards. Experience collaborating with an information/cyber security group or experience working on information/cyber security initiatives. Knowledge of network, system, and infrastructure terminology and technology. Experience with analyzing problems and designing solutions. Experience creating processes and documenting procedures.

Preferred Degree/Qualifications:

Advanced Degree. An active cyber security certification. Experience assessing security controls and/or assessing compliance with security standards/frameworks. Experience with NIST security frameworks (e.g. 800-171, 800-53, 800-30, 800-39) and FIPS security frameworks (199 and 200).

Primary Purpose:

This position will conduct independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system. The incumbent will perform security reviews, identify gaps in security architecture/controls, and develop security risk management plans as appropriate, with a special focus on research data and infrastructure. They will take the lead in cyber security control assessment and information security standard compliance (e.g. NIST 800-171, data use agreements, contract requirements), support necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs), and participate in the research security working group as an extension of the enterprise-wide information security program. The incumbent will also develop policies and procedures to establish and support compliance, and document risk mitigations as appropriate. This position will work closely with the University Research Compliance Office and the CRIO in support of research priorities. Further, the incumbent will also take the lead in documenting and assessing security controls in non-research-related areas. They will work with service owners to prepare system security plans. In addition, this position will work within all other aspects of the information security program and practice at SBU such as security operations, incident response, education and awareness and identity management. The incumbent should be able to communicate with others effectively, successfully work independently as well as part of a team with a collaborative approach to problem solving and will have experience in building positive relationships. The incumbent should possess a willingness to learn and grow professionally and technically.

Duties:

Cyber Security Control Assessment: Conducts comprehensive reviews of technical and administrative controls implemented throughout the University. Coordinates and leads evaluations of an IT system or individual components to determine compliance with published standards, internal and external. Serves as internal expert on NIST 800-171 and other relevant security controls/standards. Runs vulnerability assessments and gathers other evidence to establish that security controls are implemented and to confirm their effectiveness. Assists with reviewing vendors and their security practices/controls.

Cyber Security Compliance: Works with the distributed research and IT community to achieve security compliance in accordance with standards as prescribed by the granting/contracting agency. Meets with researchers and IT staff to explore and meet compliance requirements. Coordinates, plans, and tracks the implementation of compliance and security controls. Researches, tunes and updates security controls as requirements and capabilities change. Develops policies and procedures relevant to information security and research compliance. Serves on appropriate review and governance committees. Develops and manages system security plans and assists researchers in developing said plans, assessments, milestones and plans of action. Guides implementation of compliance programs such as CMMC and other relevant security controls, standards and contractual requirements. Reviews data use agreements, security plans and research contracts to identify action items and requirements.

Documentation: Documents all security control and compliance efforts in a professional and consistent manner. Prepares and gathers documentation and other evidence required to demonstrate compliance and in response to internal and external audits. Reports metrics to demonstrate program effectiveness.

Information Security Program: As a member of the information security team, participates in operational meetings and efforts as required. Properly educates stakeholders and service owners on their responsibilities in relation to cybersecurity control and compliance efforts. Serves as framework and security standard subject matter expert. Assists with incident response and associated corrective actions and contractual/regulatory obligations.

Non-Essential: Other duties or projects as assigned as appropriate to rank and department mission.

Special Notes:

The Research Foundation of SUNY is a private educational corporation. Employment is subject to the Research Foundation policies and procedures, sponsor guidelines and the availability of funding. FLSA Exempt position, not eligible for the overtime provisions of the FLSA. Minimum salary threshold must be met to maintain FLSA exemption.

For this position, we are unable to sponsor candidates for work visas.

SUNY implemented a hybrid telecommuting pilot program. This position has been approved to participate in the pilot, which allows for up to 5 remote days per pay period.

This position will remain posted until filled or for a maximum of 30 days. An initial review of all applicants will occur two weeks from the posting date. For full consideration, applications must be received before the initial review date. If within the initial review no candidate was selected to fill the position posted, additional applications will be considered for the posted position; however, the posting will close once a finalist is identified, and at minimum, two weeks after the initial posting date.

Stony Brook University is committed to excellence in diversity and the creation of an inclusive learning and working environment. All qualified applicants will receive consideration for employment without regard to race, color, national origin, religion, sex, pregnancy, familial status, sexual orientation, gender identity or expression, age, disability, genetic information, veteran status and all other protected classes under federal or state laws.

If you need a disability-related accommodation, please call the university Office of Equity and Access (OEA) at or visit OEA.

In accordance with the Title II Crime Awareness and Security Act a copy of our crime statistics can be viewed here.

Visit our WHY WORK HERE page to learn about the total rewards we offer.

SUNY Research Foundation: A Great Place to Work.

Schedule: Full-time

Shift: Day Shift
