Educause Security Discussion mailing list archives

Re: Security language in all IT job descriptions


From: John Virden <john.virden () UCR EDU>
Date: Tue, 6 Nov 2018 17:51:27 +0000

Andrea, we drafted the wording below to insert into non-security position descriptions. Not all in place yet - not a 
fast-moving train. Keeping them high-level for now to gain acceptance.

----------------------------------
Enterprise Solutions - Strong understanding of application development cybersecurity principles and implementation.

Enterprise Infrastructure - Familiarity with cybersecurity defense-in-depth strategies, application and implementation, 
as well as applicable frameworks.

System Engineering - Knowledge of cybersecurity system hardening and baseline security configurations for both hardware 
and software.

Campus Networks and Communications - Understanding of network access control, firewall configuration, anomaly 
detection, and network segmentation specifically regarding cybersecurity and event management.

Academic Technology and Campus Support - Awareness of general cybersecurity concepts such as anti-virus and 
anti-malware, least privilege, multi-factor authentication as well as knowledge of various compliance frameworks and 
regulations governing varying types of data.

Financial and Administrative Support - General awareness of phishing and malware, data security, and security 
frameworks specific to student and financial data.
----------------------------------

Thank you,
John

John Virden
Chief Information Security Officer
University of California, Riverside
951.827.3070 |  john.virden () ucr edu


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Andrea Childress
Sent: Tuesday, November 6, 2018 9:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security language in all IT job descriptions

Hello all,

Does anyone have any language in IT (or all employee) job descriptions that requires information security 
responsibility? We want to add some language to hold people accountable in job descriptions that translate into 
performance evaluation elements.

If you do, is it the same language for all job descriptions or do you have separate language by job type, i.e., system 
admins are required to patch servers?

We are discussing ideas such as:
High degree of confidentiality and integrity
Coordinate and take direction from security standards
Use security approved tools and resources
Follow onboarding process for new services and projects
Communicate and report security incidents and issues to management

Thanks in advance,
Andrea

Andrea Childress
Executive Director
UNK Information Technology Services
Governance, Risk, and Compliance
Cybersecurity and Identity | ITS |
114 Otto Olsen, 68849
University of Nebraska | nebraska.edu
Kearney | Lincoln | Omaha
308-865-8789

