Cybersecurity Risk and Compliance Analyst
Job Title: Cybersecurity Risk and Compliance Analyst
Education: Bachelors
Location: US
Job Description:

• Governance and Compliance:
o Maintain the GRC framework in alignment with organizational policies and regulatory requirements, including FERPA, GLBA, PCI-DSS, and other privacy regulations.
o Support compliance activities related to security frameworks such as NIST SP 800-171, CIS Controls, and PCI-DSS.
o Analyze requirements needed to comply with college policies and procedures, industry standards, and federal, state, and local regulations.
o Conduct regular reviews, assessments, and updates of policies, standards, and procedures to reflect changes in frameworks, regulations, and industry standards.
• Risk Management:
o Maintain and update the risk register with identified risks, assessments, mitigation strategies, and status updates.
o Evaluate and prioritize vulnerabilities based on severity, risk exposure, exploit likelihood, and business impact.
o Document risk exceptions in accordance with established policies, ensuring proper review and approval workflows.
o Document, track and communicate risk exceptions to relevant stakeholders to promote transparency and understanding.
o Perform risk assessments and prepare reports summarizing findings and recommendations for management.
o Monitor emerging risks, industry trends, and regulatory changes; recommend enhancements based on best practices.
• Security Controls Validation:
o Validate the implementation and effectiveness of security controls by conducting and participating in internal assessments and audits.
o Collaborate with IT and security teams to remediate identified control gaps and track follow-up actions.
• Third-Party Risk Management:
o Conduct assessments of third-party vendors, including reviewing and validating security and privacy documents, and compliance evidence.
o Ensure vendors meet organizational risk, security, and compliance requirements.
o Track vendor risks, findings, and remediation activities as part of the third-party risk management program.
• Vulnerability Management:
o Conduct regular vulnerability scans and assessments across networks, systems, applications, and cloud platforms.
o Analyze scan results to identify security weaknesses, misconfigurations, and areas of elevated risk.
o Correlate vulnerability data with current threat intelligence to assess exploitability and potential impact.
o Continuously monitor the environment for new vulnerabilities, zero-days, and emerging threats.
• POA&M Management:
o Maintain detailed tracking of vulnerabilities, including deadlines, remediation progress, ownership, and closure.
o Develop, manage, and update Plans of Action and Milestones (POA&Ms).
o Validate remediation actions to ensure vulnerabilities are effectively resolved.
o Participate in cross-functional remediation projects to ensure timely and effective risk reduction.
• Reporting & Documentation:
o Produce detailed reports on identified vulnerabilities, severity levels, business impact, and remediation status.
o Maintain documentation of assessment findings, remediation efforts, compliance standards, and audit requirements.
o Present management summaries and dashboards for leadership and governance committees.
• Training & Awareness:
o Deliver training sessions on risk management practices, compliance requirements, and security standards.
o Conduct training sessions to raise awareness on vulnerabilities, secure configurations, and mitigation best practices.
o Foster a culture of compliance and risk awareness across the organization.

Competencies:
• Decision Making
o Decisions may affect a work unit or area within a department. May contribute to business and operational decisions that affect the department.
• Problem Solving
o Problems are varied, requiring analysis or interpretation of the situation. Problems are solved using knowledge and skills, and general precedents and practices.
• Independence of Action
o Results are defined and existing practices are used as guidelines to determine specific work methods; the incumbent carries out work activities independently, with a supervisor/manager available to resolve problems.
• Communication and Collaboration
o Contacts and information are primarily within the job’s working group, department and/or campus.
o Contacts and information sharing are external to the job’s department, but internal to the campus/campuses (i.e. other departments/campuses, central administration/services such as Human Resources, Payroll, Finance, Facilities, Mail Services, Student Services, etc.)
o Contacts and information sharing are internal/external to the College, for the primary reason of scheduling, coordinating services, collaborating, etc.

Knowledge and Skills:

• Knowledge of cyber security and privacy industry, including the technology used to protect the confidentiality, integrity and availability of sensitive information.
• Working knowledge of security frameworks and regulatory requirements such as NIST SP 800-171, CIS Controls, FERPA, GLBA, PCI-DSS, and privacy standards.
• Knowledge, appreciation and prioritization of principles and practices of project organization, planning, records management, and general administration.
• Working knowledge of IT enterprise operations, architecture, and IT as a Service.
• Strong understanding of vulnerability management principles, methodologies, and tools.
• Familiarity with patch management processes, secure configuration standards, and system hardening practices.
• Working knowledge of common threat vectors, exploitation techniques, and the vulnerability lifecycle.
• Knowledge of risk management concepts, risk scoring, risk registers, and POA&M tracking.
• Familiarity with SOC reports, third-party risk assessments, and due diligence reviews.
• Ability to analyze vulnerability data, correlate findings with threat intelligence, and assess potential business impact.
• Skilled in interpreting scan results, identifying false positives, and validating remediation actions.
• Ability to perform root-cause analysis for recurring or high-risk findings.
• Strong attention to detail when documenting risks, findings, or compliance gaps.
• Ability to manage multiple assessments, findings, risks, and remediation efforts simultaneously.
• Skill in writing policies, standards, processes and procedures.
• Skill in leading and/or conducting audits, assessments or reviews of technical systems and processes.
• Effective verbal and written communication skills, presentation, and public speaking skills.
• Effective skills in developing and presenting educational or training programs.
• Effective planning, organizational and multi-tasking skills with minimal supervision.
• Ability to think critically and analyze information and situations; present findings and make recommendations.
• Ability to identify compliance and security needs independent of management direction.
• Ability to grasp technical concepts at all levels of computer systems, from system hardware components and architecture to system integration and implementations.
• Ability to work independently and as part of a team.
• Ability to advise, train, and motivate technical and non-technical individuals in regulatory compliance and information and systems security efforts.
• Ability to work effectively with an array of constituencies in a community that is both demographically and technologically diverse.
• Ability to communicate technical concepts and data to non-technical audiences.
• Ability to achieve goals through influence, collaboration, and cooperation.
• Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
• Ability to produce technical documentation.
• Ability to handle and maintain confidential information.
• Ability to exercise judgment when policies are not well-defined.
• Ability to think critically, analyze issues and solve sensitive and complex problems under pressure.

SPS is an Equal Opportunity Employer and a Drug Free Workplace.
