Educause Security Discussion mailing list archives
Re: Cyber security risk component in job description
From: Eric Zematis <ejz218 () LEHIGH EDU>
Date: Mon, 20 Jan 2020 14:40:35 -0500
I'm working on a similar project as an objective on my way to my BHAG of creating a 10,000 person infosec team. (@ Lehigh 10,000 = everybody). I haven't come up with a great generic info sec statement like, "Other cybersecurity duties as assigned" but I have a few simple questions to identify what items should be added to a job description.

1. Does this position have a defined data role within data governance? (i.e. Data Manager, Data Steward)
2. Does this position have access to sensitive data/systems? (e.g. SSN, Passport ID, CC#, etc) PHI?
3. Does this position have access to protected data/systems? (i.e. FERPA)
4. How does this position directly support cybersecurity?

For IT related positions in an environment where cyber is in the IT group you could add a bullet stating that they are responsible to understand security policies and to promote/advocate for them to the University community.

Eric

On Fri, Jan 17, 2020 at 1:16 PM Valerie Vogel <vvogel () educause edu> wrote:
Hi Mark,

The EDUCAUSE Information Security Guide includes some job description templates. You might find language to use in one of those templates.
https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/career-and-workforce-development

You can also explore the NICE Cybersecurity Workforce Framework: https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework and the framework's resource center <https://www.nist.gov/itl/applied-cybersecurity/nice/nice-cybersecurity-workforce-framework-resource-center>. The framework, published by NIST, establishes a taxonomy and common lexicon to describe cybersecurity work and workers. For example, you could review the Risk Management specialty area <https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/risk-management> or the Cybersecurity Management specialty area <https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/cybersecurity-management> to see if there are descriptions under abilities, knowledge, skills, or tasks that might fit your needs.

Thank you,
Valerie

*Valerie Vogel*
Senior Manager, Cybersecurity Program
*EDUCAUSE*
*Uncommon Thinking for the Common Good*
direct: 202.331.5374 | Follow HEISC on LinkedIn <https://www.linkedin.com/showcase/higher-education-information-security-council-heisc-/> | twitter: @HEISCouncil | vvogel () educause edu

*From:* Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Mark Reboli <mreboli () MISERICORDIA EDU>
*Reply-To:* Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
*Date:* Friday, January 17, 2020 at 9:59 AM
*To:* Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
*Subject:* [SECURITY] Cyber security risk component in job description

I am looking for some language to add to all personnel job descriptions in reference to cyber security, especially in the IT department.
I would appreciate anything you can share. Example would be security role or responsibility.

Thank you

M

Mark Reboli
Network/Telecom Manager
Misericordia University
(570) 674-6753

This e-mail and accompanying attachments are confidential. The information is intended solely for the use of the individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this message to the sender and delete all copies. Thank you for your cooperation.

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
--
Eric Zematis
Chief Information Security Officer | Lehigh University
ejz218 () lehigh edu | 610.758.3994