Associate Director, Research Security
Job Description Summary
Federal requirements related to research security have been increasing over the past several years. These requirements include the need to establish a Research Security Program including cybersecurity as well as increasingly stringent contractual requirements related to how research data and information are stored and shared. As a preeminent research institution, the University of Pennsylvania (Penn) is committed to providing the necessary policies, infrastructure, and support to its research community for the management of regulated research data.
The Associate Director of Research Data Security will serve as a key member of the Research Security Program management team. Key responsibilities include ensuring Penn's compliance with Cybersecurity Maturity Model Certification (CMMC), NIST SP 800-171 controls, and FAR 52.204-21; assessing and advising on Penn's readiness to meet cybersecurity requirements related to NSPM-33; and evaluating the data security requirements specified in sponsored projects agreements, advising whether those requirements can currently be met in the applicable school/center and, if they cannot, providing expertise to assist with meeting compliance.
The role will coordinate institution-wide initiatives related to federal research data security requirements to mitigate research security data risks. The role will convene relevant research IT professionals from across campus to ensure an integrated, consistent, and comprehensive approach to research data security, to include, among others, the Offices of the Vice Provost for Research, Information Security and Computing, the Libraries, Central and School Administration, and Office of Audit Compliance and Privacy. The role will be a resource and subject matter expert for information regarding research data cybersecurity compliance and risk assessment. The role will work closely with representatives from Departments, Schools, and Centers to build knowledge of and compliance with research data security requirements across campus.
The Associate Director of Research Data Security will be responsible for maintaining the campus-wide inventory of systems that house research data, including the security capabilities of each system. They will assist in identifying appropriate resources to comply with contractually specified research data security requirements. The Associate Director of Research Data Security will periodically review and monitor compliance with research data security plans as well as the overall institutional system security plan(s).
The Associate Director of Research Data Security will also provide subject matter expertise and advice to contract negotiators in the Office of Research Services, the Penn Center for Innovation, and the Office of Clinical Research, and coordinate needed action plans if there are situations where the ability to comply with contractual data security requirements is unclear. The role will participate in training content and delivery methods and will serve as an institutional resource for matters related to research data security and record keeping.
The role will interface with various stakeholders, partners, constituents, vendors, leaders, and customers/clients across the University and must exhibit the highest ethics, adherence to modeling Penn's values and behaviors/competencies and willingness to maintain and uphold confidentiality. The role is expected to engage in continuous professional development, committee work, and special projects, and successfully navigate and negotiate through a complex and decentralized/dynamic/changing higher education environment. The role actively inspires others through energy, enthusiasm, and optimism and ensures the productive resolution of conflict. The role works collaboratively with their direct report team, supervisors/managers, and diverse stakeholders across the University.
Job Responsibilities
- Develop and oversee a risk-based institutional research data security program, including training content and delivery, particularly for management of sensitive, restricted, and controlled data received, developed, shared, or used in university research projects. Periodically review System Security Plan, System Inventory and Baseline, and Document Traceability Matrix with the technical team to ensure shared understanding and preparedness for the annual Security Controls Assessment for Penn's Secure Research Environment(s) (SREs).
- Inventory and document existing University systems that house research data, including the security capabilities of each system. Document existing data safeguards and ensure that such safeguards are maintained.
- Partner with other key stakeholders in the development and maintenance of Plan of Action and Milestones (POA&M) used to identify information system weaknesses, mitigating actions, resources, and timelines for corrective actions. Partner with the Information Security Office to identify vulnerabilities and correct deficiencies as part of a continuous monitoring program. Schedule required annual Security Controls Assessment and Risk Assessment for Penn's SRE(s).
- Manage the development of project-specific information and security controls in collaboration with the PI, Office of Research Services, Penn Center for Innovation, Office of Clinical Research, Export Controls, Research Computing, Research Integrity, Information Security, Penn Global, and other campus partners. Ensure SRE users and data are appropriately onboarded and offboarded.
- Plan, design, enforce, and audit security policies and procedures which safeguard the integrity of and access to University information systems
- Investigate security incidents; perform computer forensics studies and maintain incident tracking records
- Maintain knowledge of changing information security threats and technologies
- Manage security improvement projects
- Coach and direct more junior staff
- Other duties and responsibilities as assigned
Qualifications
- Bachelor's degree and 4+ years of relevant experience (Master's degree in Information Technology, Computer Science, or a related field preferred).
- Experience developing, maintaining, and overseeing an information systems security program and policies within a complex organization.
- Strong skills in organizing and setting priorities and accomplishing tasks by identifying risk-based solutions to time-sensitive problems.
- Demonstrated familiarity with CMMC guidelines.
- Working knowledge of information system technology and cybersecurity principles to include vulnerability scanning, network security principles, authentication and authorization, and incident response.
- Experience in the application of Risk Management Frameworks as described in the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-37, SP 800-171 and SP 800-53.
- Demonstrated ability to develop training materials and to provide individual training as appropriate.
- Ability to work effectively in a highly matrixed and decentralized environment with the ability to navigate through ambiguity and demonstrate appreciation and support for diversity, inclusion, and belonging in a constantly evolving academic/higher education environment.
The ideal candidate will model and exhibit the following competencies, behaviors, experiences, and traits to be successful in the role: [list of ideal traits]
Job Location - City, State
Philadelphia, Pennsylvania
Department / School
Division of Finance
Pay Range
$83,500.00 - $125,000.00 Annual Rate

