Re: Cyber security risk component in job description

[Eric Zematis <ejz218 () LEHIGH EDU>]

I'm working on a similar project as an objective on my way to my BHAG of
creating a 10,000 person infosec team. (@ Lehigh 10,000 = everybody).
I haven't come up with a great generic info sec statement like, "Other
cybersecurity duties as assigned" but I have a few simple questions to
identify what items should be added to a job description.
1. Does this position have a defined data role within data governance?
(i.e. Data Manager, Data Steward)
2. Does this position have access to sensitive data/systems? (e.g. SSN,
Passport ID, CC#, etc) PHI?
3. Does this position have access to protected data/systems? (i.e. FERPA)
4. How does this position directly support cybersecurity?

For IT related positions in an environment where cyber is in the IT group
you could add a bullet stating that they are responsible to understand
security policies and to promote/advocate for them to the University
community.
Eric

On Fri, Jan 17, 2020 at 1:16 PM Valerie Vogel <vvogel () educause edu> wrote:

> Hi Mark,
>
>
>
> The EDUCAUSE Information Security Guide includes some job description
> templates. You might find language to use in one of those templates.
>
>
> https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/career-and-workforce-development
>
>
>
> You can also explore the NICE Cybersecurity Workforce Framework:
> https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework
> and the framework’s resource center
> <https://www.nist.gov/itl/applied-cybersecurity/nice/nice-cybersecurity-workforce-framework-resource-center>.
> The framework, published by NIST, establishes a taxonomy and common lexicon
> to describe cybersecurity work and workers. For example, you could review
> the Risk Management specialty area
> <https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/risk-management>
> or the Cybersecurity Management specialty area
> <https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/cybersecurity-management>
> to see if there are descriptions under abilities, knowledge, skills, or
> tasks that might fit your needs.
>
>
>
> Thank you,
>
> Valerie
>
>
>
> *Valerie Vogel *
>
> Senior Manager, Cybersecurity Program
>
> *EDUCAUSE*
> *Uncommon Thinking for the Common Good*
>
> direct: 202.331.5374 | Follow HEISC on LinkedIn
> <https://www.linkedin.com/showcase/higher-education-information-security-council-heisc-/>
> | twitter: @HEISCouncil | vvogel () educause edu
>
>
>
> *From: *Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
> on behalf of Mark Reboli <mreboli () MISERICORDIA EDU>
> *Reply-To: *Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU
> >
> *Date: *Friday, January 17, 2020 at 9:59 AM
> *To: *Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject: *[SECURITY] Cyber security risk component in job description
>
>
>
> I am looking for some language to add to personnel all job descriptions in
> reference to cyber security especially in the IT department.  I would
> appreciate anything you can share.  Example would be security role or
> responsibility.
>
>
>
> Thank you
>
>
>
> M
>
>
>
> Mark Reboli
>
> Network/Telecom Manager
>
> Misericordia University
>
> (570) 674-6753
>
>
>
> This e-mail and accompanying attachments are confidential.  The
> information is intended solely for the use of the individual to whom it is
> addressed. Any review, disclosure, copying, distribution, or use of this
> e-mail communication by others is strictly prohibited. If you are not the
> intended recipient, please notify us immediately by returning this message
> to the sender and delete all copies. Thank you for your cooperation.
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community


-- 
Eric Zematis
Chief Information Security Officer | Lehigh University
ejz218 () lehigh edu | 610.758.3994

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community