Data Security and PCI Risk Analyst Senior

University of Michigan

Ann Arbor, MI

Job posting number: #7266254

Posted: July 25, 2024

Application Deadline: Open Until Filled

Job Description

Job Summary:

Information and Technology Services (ITS) at the University of Michigan has an exciting opportunity for a Data Security Analyst Senior working with the Information Assurance (IA) team. This position will report to the Information Systems Security Assistant Director responsible for managing information assurance operations, including Payment Card Industry (PCI) support, risk and compliance management, vulnerability management, OS hardening, and network security. Individuals in this position are assigned to tasks of broad scope that require an expert understanding of security technologies and security and compliance frameworks. They will work independently in complex situations and will be expected to coordinate the efforts of others.

This position will require a highly qualified individual who can proactively anticipate and work to resolve problems, and who is detail-oriented and a strong critical thinker.

Flexible work arrangements are available and the position is hybrid, based in Ann Arbor, MI, requiring some days on site due to the collaborative nature of the team. Details can be worked out with the hiring manager. May require some after-hours/on-call support based on business needs. Will require travel to various locations on and off University campus.

For more information about ITS, please visit our website: http://its.umich.edu/

Who we are:

Information and Technology Services (ITS) supports U-M faculty, researchers, staff, and students in their use of technology to teach, learn, research, work, and be leaders in their fields. We are dedicated to creating cohesive digital experiences and promoting university-wide innovations. ITS's mission is to be trusted enablers of technology for the U-M community. ITS works together to provide cohesive digital experiences and seamless support to the U-M community. For more information about ITS, visit: https://its.umich.edu/about

Responsibilities:

The PCI and Data Security Analyst will focus on ensuring that PCI compliance requirements are understood by U-M merchants, that security and compliance risks are mitigated, and that the security architecture of technology services is reviewed and aligned with U-M requirements. Designated roles are coordinated by management based on demand and prioritization.

PCI Compliance - Use tools and methodology to assess information security and compliance risks associated with sensitive and mission critical systems based on PCI DSS requirements and develop mitigation strategies to bring risk levels into an acceptable range.
System and Application Hardening - Develop, implement, and monitor secure system and application configuration standards in accordance with applicable policies, regulations, and laws.
Security Consulting - Provide information security consulting for units requesting information assurance assistance on a project or long-term consulting basis.
Security Architecture - Participate as an information assurance subject matter expert in the analysis and design of new enterprise systems and services; participate in the design, implementation, and continuous improvement of security service offerings.

Duties include:

Participate in the design, development and evolution of the university's approach to risk and compliance management.
Serve as the PCI internal security assessor (ISA) for U-M, leading internal reviews of payment card processing systems to ensure compliance with PCI DSS requirements.
Support university compliance efforts by serving as a technical subject matter expert on related information assurance areas.
Participate in the analysis and design of the university's security architecture.
Provide training, guidance, and assistance to university security staff to successfully accomplish objectives. Serve as a technical resource in support of ensuring the safety of information systems assets and protecting systems from intentional or inadvertent access or destruction.
Participate in the evaluation of proposed systems, applications, and network design to determine security and compliance implications. Assess risks to university systems and identify countermeasures, plan and implement mitigating technologies and processes.
Make recommendations and participate in the development of information assurance policies, standards, and procedures. Propose, author, maintain, and enhance information security guidelines. Monitor compliance with information security policies and procedures, referring problems to the appropriate department manager.
Collaboration with other teams - Collaborate with and support other areas of the Information Assurance team including Risk Management, Vulnerability Management, Data Loss Prevention, System and Applications Hardening, Security Consulting, Network Monitoring and Protection, and Compliance.
Demonstrate skill development by actively participating in growth opportunities for continuous development and improvement and applying new skills/knowledge to the job, as evidenced by the ability to efficiently and effectively perform assigned duties, resulting in meeting or exceeding customer expectations and performance metrics.
Demonstrate effective communication skills when providing training and mentoring to less experienced staff, resulting in staff and teams using and implementing the latest policies, procedures, and best practices to accomplish tasks.
Demonstrate ability to contribute and collaborate effectively as a member of a highly-functioning and productive team.
Demonstrate a strong commitment to collaboration, teamwork, and continual improvement.

Required Qualifications:

Bachelor's degree in computer science or a related field and/or equivalent combination of education, certification and experience.
Minimum of four years demonstrated experience in information systems security.
Ability to obtain a PCI ISA certification within a specified timeframe after hire.
Experience with technical aspects of regulatory and compliance requirements such as HIPAA, PCI, CUI, FISMA, CMMC compliance.
Demonstrated understanding of security-related technologies and practices including many of the following - authentication and authorization systems, encryption, endpoint protection, firewalls, IDS/IPS, incident response, mobile device security, secure remote access, secure wireless networking, PKI, risk management, SIEM, threat modeling, two-factor authentication, vulnerability management, and web application security.
Demonstrated knowledge of TCP/IP networking.
Demonstrated understanding of attack methodologies and vectors.
System administration background with Microsoft or UNIX environments including experience securing operating systems.
Excellent organizational, analytical, and independent problem-solving skills.
Ability to communicate effectively, both verbally and in writing. Demonstrated success giving presentations.
Demonstrated success coordinating and completing multiple tasks within established and changing deadlines.
Respects diversity; demonstrates respect for the opinion of others; values each person's contribution to the team.

Desired Qualifications:

7 years of experience in information systems security and compliance.
Experience with PCI DSS compliance.
Extensive experience assessing security and compliance risks to information systems and defining appropriate mitigation strategies.
Familiarity with industry standard security and compliance control frameworks.
CISSP, GIAC, or other equivalent information security certification.



