Educause Security Discussion mailing list archives

Re: Cyber security risk component in job description

From: Brad Judy <brad.judy () CU EDU>
Date: Fri, 17 Jan 2020 18:23:42 +0000

Since Valerie noted NICE, I’ll chime in that I’ve been playing with that framework for my last two postings. My first 
attempt was a pretty rigid alignment to their job descriptions, duties and KSA’s (knowledge, skills and abilities). 
That felt a little awkward in places so with my most recent posting I have moved away from their job descriptions and 
duties, but kept their KSA’s (cherry picking appropriate ones).

I think the KSA’s have been successful. We recently started requiring KSAs on job postings here and HR was happy to see 
that we not only had some, but understood the difference between K, S and A. I let them know we had help. They found 
the NICE framework interesting because not many fields have an independent standard for job descriptions.

I find NICE a useful reference for sample descriptions of duties, knowledge, skills and abilities. Unfortunately, I 
think full adoption of NICE would create prohibitively long job descriptions, so I don’t expect us to totally jump into 
it.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu<http://www.cu.edu/>

[cu-logo_fl]


From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Valerie Vogel <vvogel () EDUCAUSE EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, January 17, 2020 at 11:16 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Cyber security risk component in job description

Hi Mark,

The EDUCAUSE Information Security Guide includes some job description templates. You might find language to use in one 
of those templates.
https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/career-and-workforce-development

You can also explore the NICE Cybersecurity Workforce Framework: 
https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework and the framework’s resource 
center<https://www.nist.gov/itl/applied-cybersecurity/nice/nice-cybersecurity-workforce-framework-resource-center>. The 
framework, published by NIST, establishes a taxonomy and common lexicon to describe cybersecurity work and workers. For 
example, you could review the Risk Management specialty 
area<https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/risk-management> or the 
Cybersecurity Management specialty 
area<https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/cybersecurity-management> to 
see if there are descriptions under abilities, knowledge, skills, or tasks that might fit your needs.

Thank you,
Valerie

Valerie Vogel
Senior Manager, Cybersecurity Program

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | Follow HEISC on 
LinkedIn<https://www.linkedin.com/showcase/higher-education-information-security-council-heisc-/> | twitter: 
@HEISCouncil | vvogel () educause edu<mailto:vvogel () educause edu>

From: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Mark Reboli <mreboli () 
MISERICORDIA EDU>
Reply-To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, January 17, 2020 at 9:59 AM
To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Cyber security risk component in job description

I am looking for some language to add to personnel all job descriptions in reference to cyber security especially in 
the IT department.  I would appreciate anything you can share.  Example would be security role or responsibility.

Thank you

M

Mark Reboli
Network/Telecom Manager
Misericordia University
(570) 674-6753

This e-mail and accompanying attachments are confidential.  The information is intended solely for the use of the 
individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication 
by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this 
message to the sender and delete all copies. Thank you for your cooperation.


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Current thread:

Cyber security risk component in job description Mark Reboli (Jan 17)
- <Possible follow-ups>
- Re: Cyber security risk component in job description Valerie Vogel (Jan 17)
  - Re: Cyber security risk component in job description Brad Judy (Jan 17)
  - Re: Cyber security risk component in job description Eric Zematis (Jan 20)
- Re: Cyber security risk component in job description Andrea Childress (Jan 21)
  - Re: Cyber security risk component in job description Michael Perdunn (Jan 21)