Risk Analyst
Durham, NC, US, 27710
Duke University
POSITION SUMMARY:
Duke University’s IT Security Office (ITSO) is responsible for the overall coordination, implementation, and assessment of information security at Duke University.
The ITSO Risk Analyst will work alongside several other Duke entities such as Research Computing (https://rc.duke.edu), the Office of Research & Innovation (https://research.duke.edu), contracting offices, the Campus Institutional Review Board, and Duke researchers across campus to advance computational and data intensive research. This role will advance the efforts of both the ITSO and the Compute and Data Services Alliance for Research (https://research.duke.edu/CDSA/), using a risk-based approach to establish security and compliance requirements at the project level.
Duke researchers are experts in their fields but are not expected to also be computing and security experts. We strive to meet researchers where they are to advance their research goals with a positive and helpful attitude.
We are looking for a Risk Analyst who will help researchers, IT staff, and research support staff understand, implement, and adhere to security best practices and regulatory requirements. This position will work closely with others across campus and participate as a member of virtual teams designed to bring a holistic approach to Duke’s research needs and risk assessments.
This role primarily focuses on cyber risk in the research fields across Duke University. It will require excellent oral and writing skills, analytical skills, a collaborative and results-oriented attitude, and the curiosity required to stay up to date within a fast-paced field and environment. Prior expertise in security, regulated research, vendor risk assessment, or related experience in risk and/or regulatory compliance is desirable, but not a hard requirement.
RESPONSIBILITIES:
- Consult with Duke Office for Research & Innovation, Campus IRB, Duke Office of Information Technology, Duke University Libraries, and other departments on security requirements for research projects and other regulated institutional data.
- Focus on using a risk-based approach to establish security expectations at a project level. These expectations would be based upon regulations, risk to the organization, and data classifications.
- Participate, as a representative from ITSO, in the Campus IRB review process. This involves security reviews of proposed projects to identify concerns prior to project initiation.
- Perform vendor risk assessments, including establishing and revising the assessment process based on the needs of the organization.
- Conduct data security reviews for projects handling a variety of data classifications. As a member of the IT Security office, you will provide security expertise and guidance on compliance needs during these reviews.
- Collaborate with organizational stakeholders to update and maintain security plans for the university, OIT, and research services where required by regulation or agreement. Identify gaps and coordinate efforts across teams to implement enhancements or updates to policies, processes, and procedures.
- Maintain close ties through meetings, presentations, and training with Duke partner organizations to increase the institutional capabilities in research data security and data management, uphold the University’s security policies, and ensure the evolution of capabilities in response to changing security risk and threat landscape.
- Participate in incident/audit response activities related to cybersecurity events.
- Help to guide cybersecurity efforts involving Duke’s Protected Network for Research and other secure computing enclaves. This includes drafting and managing System Security Plans, Plans of Action and Milestones, and other Duke policy documents.
- Work with and participate in the higher education community efforts focused on regulated research. This includes staying up to date on the changing compliance landscape at the federal and state government levels.
QUALIFICATIONS:
Education
- Bachelor’s degree in a related field is preferred with 5 years combined education / experience in a related field required.
- Certifications from organizations such as GIAC (GCCC, GSNA), ISC2 (CISSP, CGRC), ISACA (CISA, CRISC), etc. are preferred but not required.
Professional skills
- Ability to work with minimal oversight while investigating a problem and scoping out possible solutions as well as knowing when it’s time to bring problems back to the team for help or a second opinion.
- Ability to clearly communicate security and compliance topics to stakeholders across Duke where audiences may be non-technical or security focused.
- Ability to work with a wide variety of stakeholders and respectfully share knowledge and skills.
- Ability to be flexible and adapt to changing priorities and requirements.
Experience
- Familiarity with cybersecurity in an academic research environment.
- Experience implementing and documenting requirements based on security control frameworks (e.g., NIST 800-53/800-171, NIST CSF, ISO, CIS, DFARS 7012/7020, CMMC) and maintaining data security practices, such as secure storage, data access control, and secure data transfer.
- Experience working directly with sensitive/controlled data research requirements.
- Experience working with third party assessors for evaluation of secured environments.
- Experience performing vendor risk assessments and reviews.
WORKING CONDITIONS:
Occasionally required to work outside of normal business hours for planned activities, and rarely, may be contacted during off hours.
Currently the position may work remotely or at our Durham, NC location. In the future, the role may transition to a hybrid requirement with some days required on site.
Job Code: 00002426 ANALYST, IT, SR
Job Level: D
Duke is an Affirmative Action/Equal Opportunity Employer committed to providing employment opportunity without regard to an individual's age, color, disability, gender, gender expression, gender identity, genetic information, national origin, race, religion, sex, sexual orientation, or veteran status.
Duke aspires to create a community built on collaboration, innovation, creativity, and belonging. Our collective success depends on the robust exchange of ideas—an exchange that is best when the rich diversity of our perspectives, backgrounds, and experiences flourishes. To achieve this exchange, it is essential that all members of the community feel secure and welcome, that the contributions of all individuals are respected, and that all voices are heard. All members of our community have a responsibility to uphold these values.
Essential Physical Job Functions: Certain jobs at Duke University and Duke University Health System may include essential job functions that require specific physical and/or mental abilities. Additional information and provision for requests for reasonable accommodation will be provided by each hiring department.