Location: Eugene, OR
Categories: Information Technology, Computer and Information Science
Department: Information Services
Appointment Type and Duration: Regular, Ongoing
Salary: $70,000 - $90,000 per year
Compensation Band: OS-OA08-Fiscal Year 2023-2024
FTE: 1.0

Application Review Begins
July 22, 2024; position open until filled

Special Instructions to Applicants
To be considered for this position, please submit a complete application. Complete applications must include a cover letter and resume that address how you meet the minimum and preferred qualifications, as well as professional competencies.

We are interested in finding the best candidate for the position. We encourage you to apply, even if you dont think you meet every one of our preferred qualifications--use your cover letter to let us know what is meaningful to you about the role and what transferable skills or other qualities you would bring.

Department Summary
Information Services (IS) is the central information technology organization at the University of Oregon, delivering a broad range of technology and services to the university. IS consists of four major functional areas, each led by a direct report to the VP-CIO: Customer Experience, which serves as the key contact point for interactions with campus clients and customers; Enterprise Solutions, which manages and supports applications, integration services, identity management and data management; Information Security, which helps protect virtual or physical information; and Technology Infrastructure, which provides engineering and support for research IT services and high-performance computing, networking, compute, storage, voice, data centers, audio-visual and classroom technologies, and UO staff supporting Link Oregon, Oregons state-wide research and education network.

IS has developed its IT governance practices to sustain alignment between university priorities and its values, resources, and measures of success. The IT Steering Committee, the highest governance entity, helps IS leadership continue to position the organization for optimal impact.

UO Information Security Office (ISO) -
ISO comprises four teams, each focusing on a set of principles and practices established by the NIST Cybersecurity Framework (v.1.1) that Information Services has established as the operational framework for the Universitys approach to information security:

Information Security Services & Operations (ISSO) -
ISSO focuses on the identify, protect, and detect functions of the NIST cybersecurity framework. The ISSO deploys technologies to protect the universitys resources and communication channels. This team oversees the identification of institutional assets, updates their risk representation, and provides services to protect them. Programs managed by this function include vulnerability management, email security and phishing protection, threat defense tools like intrusion defense (IDS) and intrusion protection (IPS) systems, security incident event management (SIEM). The ISSO team works with the community to advise regarding the buildout and operation of secure infrastructure to support the university academic, research, and administrative missions.

Cyber Security Operations Center (CSOC) -
CSOC focuses on the detect, respond, and recover functions of the NIST framework. The CSOC manages the university threat-intelligence feeds for indications of compromise, threat hunting, starting incident-response functions, and guiding the recovery after an incident. The group is staffed using university students who rotate through three roles: a) CSOC Analyst, b) Incident Response Analyst and c) Compliance Analyst, during the time they are part of the group.

Information Security Risk & Compliance (ISRC) -
ISRC focuses on supporting all five functions of the NIST cybersecurity framework from the point of view of compliance and controls development. The ISRC works on the creation of policies, standards, controls, guidelines, and procedures that support the information security program. The group works with the university contracts management teams in performing risk and compliance capabilities assessments related to information security for third-party vendors and research contracts. In addition, the team manages UOs cybersecurity awareness and training program and collaborates with compliance management for GLBA, HIPAA, FERPA, PCI, Red Flag, NIST, and other regulatory requirements relevant to the University.

Information Technology Disaster Recovery (ITDR) Program -
ITDR is a new function of the ISO created in 2022 as the result of one of the objectives identified during an internal information security program review. The ITDR function defines the set of procedures and supporting documentation that enables the university to restore core IT services as part of its overall business continuity plan. The program identifies critical applications and dependencies, defines an appropriate (and desired) recovery timeline based on a business impact analysis, and creates step-by-step incident-response plan for those critical applications. The program manager assigned to this function works with all IT solutions and services providers to build IS ITDR plan and make it actionable.

The Information Security Office works closely with other areas within Information Systems. Chief among these are Enterprise Solutions, which is responsible for identity and access management; Customer Experience, which includes endpoint management; and Technology Infrastructure, which has operational responsibility for network security. The CISO works closely with the peers who lead these areas on strategy and on shared commitments to implementation.

ISOs annual expense budget, including payroll, is $3M. Its professional staff sustain hybrid working arrangements and are supported by 15 students who work largely in the cybersecurity operations center. The University has invested significantly in ISO resources over the last several years in terms of both staff and systems as well as student support.

A subcommittee of the IT Steering Committee, the Information Security and Privacy Governance subcommittee, enables the Chief Information Security Officer to understand, shape, and align with overall governance and university priorities and initiatives.

Position Summary
The Cybersecurity Awareness Training and Outreach Program Manager reports to the Chief Information Security Officer and works under the direction of Information Security Office leadership to manage and execute cybersecurity awareness programs for the University of Oregon and drive a security-minded culture across employees, faculty, students, contractors and third parties. The program manager works with internal stakeholders and external cybersecurity awareness vendors to ensure the program is aligned with leaderships expectations. Also, the program manager will emphasize employee behavioral change by providing successful training and education content focused on mitigating institutional risk.

This individual oversees all components of the cybersecurity awareness program including the development, review, implementation, and maintenance of the organizations information security awareness program, as well as identification of top human risk to the university and behaviors that need to change to mitigate those risks and identify any roles which would require additional or more specialized training and ensure those roles receive it. They will create a positive program that engages staff, faculty, students, and contractors, to include focusing on changing behaviors both at home and at work. Ultimately, we want our community to demonstrate the same secure behaviors regardless of where they are or the devices they are using.

The program manager will oversee outreach campaigns aimed at communicating information security program practices, policies, and standards to members of the university community. They will also provide information about success metrics and key performance indicators as well as manage the delivery of the Oregon Cyber Resilience Summit.

Successful candidates combine business acumen, effective communication, and technical aptitude to provide cybersecurity content serving all levels of proficiency, from beginners to experts. The program manager measures the efficacy of the cybersecurity awareness program, communicates metrics to information security office leadership and makes recommendations to improve the universitys resiliency. In addition, the program manager is adept at developing trust and earning respect so that regardless of employee ability, all feel welcome to ask questions, share feedback, and support the mission. As a liaison between the Information Security Office and the business units, the program manager is people-centric, a security champion, and an example for others to follow.

The position will participate in strategic planning, including goals and objectives for the Information Security Office that support the universitys goals for student success, administrative process improvement, and research and teaching.

This position will work with the Chief Information Security Officer to identify and prioritize expenditures as well as look for new cost-effective services/strategies for the delivery of cybersecurity awareness and outreach to the campus community. It is expected that this position will ensure compliance with federal, state, and university policies and regulation, while maintaining appropriate internal control safeguards.

Essential Personnel
This position may provide essential services during times of emergencies and inclement weather. This position may be required to fulfill essential services and functions during these times.

Minimum Requirements
BA or MA in Inform