Lead Advisor, Information Security Compliance

The Lead Advisor, Information Security Compliance (the Advisor) will be instrumental in rolling out the University’s Information Security Compliance Support Program, within UBC’s wider Privacy & Information Security Management (PrISM) program. UBC’s PrISM Program is an ongoing initiative to reduce the risk of a major privacy or information security breach at UBC through security governance, technology advancement, training, awareness and communications, risk management and compliance support, system identification and classification. This is an exciting opportunity to work with a dynamic, risk focused team that collaborates across UBC including with management and staff in other units, such as the Cybersecurity team, University Counsel, Enterprise Risk and Assurance, the Office of the CIO and UBC IT teams.

The Advisor will work with units across the University advising and overseeing the completion of information security self-assessments to ensure they are performed correctly and that risk mitigations and control gaps are identified and addressed in a timely manner. The ideal candidate will be well versed in information security controls and frameworks, be skilled in facilitation activities to elicit control maturity, be comfortable driving change through advocacy and influencing. They will be capable of developing strong trusted relationships across UBC at various levels of the organization.

Organizational Status

This position is part of the PrISM – Safety & Risk Services team and reports to the Compliance Support Manager. Work on this program will be guided by the PrISM leadership, in close consultation with Cybersecurity, IT, Data Governance and Risk Management teams. It will also involve working closely with other IT functions and data stewards within UBC’s faculties and operational entities.

Work Performed

• Leads the compliance framework attestation process directly with a portfolio of units, advising them through assessment activities towards the identification of compliance gaps and ensuring reasonable efforts are made in order to close those gaps by having security measures in place to protect UBC electronic information and systems.

• Responsible for designing and proposing solutions for existing complex or campus-wide compliance issues identified through the compliance attestation process.

• Provides expert advice and contribution to on-going strategic planning for units to move towards full compliance with UBC’s Information Security Policy and standards.

• Leads the development of methodologies for improving procedures and track and report their portfolio of units’ progress in the implementation of information security and privacy solutions.

• Manages the development of technologies(questionnaires, reporting dashboards, linkages from response to entity and compliance requirement model in Service-Now Governance Risk and Compliance or a similar product).

• Provide information security technical expertise and mentoring to operational IT teams and leadership to ensure reasonable information security measures are in place to support the ongoing information security management of the unit.

• Conduct root cause and trend analysis on information security compliance information (qualitative and quantitative).

• Develop relevant content to inform PrISM SRS clients and advisors on the UBC’s compliance framework and the acceptable use of UBC tools.

• Acquire and maintain a working knowledge of the University's technical and business environment in order to better understand the business and their priorities.

• Build and maintain strong and productive working relationships with team members, stakeholders, UBC IT, and other vendors / consultants.

• Maintain appropriate professional designations and up-to-date knowledge of current information security frameworks such as ISO 27000 series and NIST Cybersecurity Framework, methods, techniques and tools.

Consequences of Error/Judgement

UBC is a complex organization that collects and uses information to support its mandate. An information breach (especially relating to personal or other high-risk information) could have a significant financial and reputational impact on the University. The Lead Information Security Compliance Advisor plays a critical role in the identification of key privacy and information security compliance gaps, and providing appropriate recommendations to their portfolio of units of security solutions and technology to be implemented in order to close those gaps.

Sound judgment must be exercised. Lack of good judgment and/or inability to adopt sound risk management techniques may result in the failure to detect significant privacy and security compliance gaps which may lead to related exposures to the University’s information.

Supervision Received

The Lead Information Security Compliance Advisor receives direction from the Compliance Support Manager on the work performed, which will be reviewed in terms of achievement of broad Compliance Support Program objectives and goals. The incumbent must be able to work independently as well as contribute actively and collaborate openly as a team member.

Supervision Given

The Lead Information Security Compliance Advisor will supervise the compliance framework attestation work completed by the units in scope. This position will not supervise any staff, but is expected to share its expertise and experience with their peers, providing technical advice and guidance whenever the opportunity presents itself.

Minimum Qualifications

Undergraduate degree in a relevant discipline. In-depth knowledge of applications and the business requirements supporting them. Minimum of five years of related experience, or the equivalent combination of education and experience.

Preferred Qualifications

• Professional designation in information

• Solid experience in cybersecurity technology and architectural assessments, as well as security threat and risk assessments.

• Expert knowledge of information security frameworks, models and standards such as OWASP, SAMM, NIST, COBIT and ISO 27001/2.

• Knowledge of application architecture and security in cloud-based environments, such as AWS and Microsoft Azure, is an asset.

• Self-motivated with a strong commitment to providing high quality services, together with a thorough understanding and awareness of information security best practices and the ability to translate them into meaningful and value-added University-wide and local solutions.

• Knowledge of Freedom of Information and Protection of Privacy Act (FIPPA), particularly as it relates to implementing 'reasonable security arrangements' over PI under the University's control or in its custody.

• Ability to work independently with minimal management oversight, as part of a team, and cross functionally.

• Strong interpersonal skills used to lead, enthuse, motivate, influence, and educate others at all levels to drive change across the University.

• Demonstrated ability to communicate with diverse audiences (management, senior leadership, technical) using a variety of delivery mechanisms (written, oral, presentations etc.).

• Ability to effectively facilitate multi-disciplinary groups to achieve appropriate outcome

• Working knowledge of project management and change management disciplines and best practices.

• In depth understanding of key trends and players in the IT industry and higher-education sector.

• Excellent organizational, planning, and prioritization skills. Able to multi-task and deliver multiple assignments in a complex environment.

• Demonstrates the willingness, ability, and enthusiasm to help build as well as learn new processes, methodologies or technologies.