Governance, Risk, and Compliance Lead

Department

BSD CTD - Security

About the Department

The Center for Translational Data Science (CTDS) at the University of Chicago is a research center whose mission is to develop the discipline of translational data science to impactful problems in biology, medicine, healthcare, and the environment. We envision a world in which researchers have ready access to the data needed and the tools required to make data driven discoveries that increase our scientific knowledge and improve the quality of life. We architect ecosystems of large-scale commons of research data, computing resources, applications, tools, and services for the broader research community to use data at scale to pursue scientific inquiry and accelerate discovery. Learn more at https://gdc.cancer.gov/ , https://gen3.org/ , https://stats.gen3.org/ , and https://ctds.uchicago.edu/.

This at-will position is wholly or partially funded by contractual grant funding which is renewed under provisions set by the grantor of the contract. Employment will be contingent upon the continued receipt of these grant funds and satisfactory job performance.

Job Summary

The job utilizes specialized knowledge and breadth of expertise to develop and implement information security and identity management solutions. Leads teams to deploy new technologies and manage existing security infrastructure as well as respond to cyber security incidents. Anticipates risks to the organization and leads security penetration testing and security awareness outreach.

The Center for Translational Data Science (CTDS) is looking for an experienced professional who is a self-starter, organized, and passionate about GRC (Governance, Compliance, Risk) and information security. The ideal candidate is innovative, curious about new and emerging technologies, particular about details, and able to balance leadership with hands-on work while educating and driving a culture of appreciation for information security, risk management, vulnerability management and detection, and GRC throughout the Center. You will join a team who stays up to date on emerging security vulnerabilities and threats, keeps a cool head in crisis, and advocates for improving the security of CTDS’s products and services. Successful candidates will also need to have a strong technical background, superb interpersonal skills, strong writing and communication skills, advanced Microsoft 365 skills, and experience in FedRAMP compliance.

Responsibilities

• Develop and execute the organization’s GRC strategy, ensuring alignment with the organization goals and regulatory requirements.

• Manage and mentor GRC team member(s) and/or internship, fostering collaboration, professional growth and performance culture.

• Build and maintain strong relationships between the organization and internal/external parties, including, but not limited to, auditors, sponsors, and other 8UChicago organizations on topics related to information security and GRC.

• Collaborate with business teams to review and update processes for reviewing contract terms and data protection agreements across the Center, ensuring alignment with NIST 800-53, Rev. 5, and/or other applicable standards.

• Lead implementation and maintenance of all required documents related to authorizations to use and/or operate information systems compliant with FedRAMP, FISMA, CMMC, and/or any other relevant compliance and authorization frameworks, including, but not necessarily limited to, System Security Plans, Plans of Action and Milestones, policies and procedures, etc.

• Drive and participate in continuous improvement of risk management processes including quantitative analysis and adapting to new methodologies and use cases as needed.

• Serve as or delegate role of compliance lead for multiple annual internal and external assessments against frameworks such as FISMA, FedRAMP, and CMMC.

• Coordinate cross-functional efforts to address and resolve audit findings, ensuring compliance with timelines and risk mitigation priorities.

• Lead the security awareness program, developing and delivering training in coordination with other CTDS information security professionals, emerging trends and best practices, and the requirements of CTDS information technology and subject matter experts.

• Lead regular review of procedures and process to ensure alignment with operational requirements and information security and compliance controls, including gathering information from CTDS personnel and developing new procedures and processes as needed.

• Support the Security Operations team in managing security events and incidents, producing reports, and following communication.

• Conduct third-party risk assessments, ensuring compliance with University, departmental, and regulatory requirements.

• Lead initiatives to enhance control maturity and improve compliance processes by updating existing and implementing new solutions.

• Develop and maintain dashboards and reports to communicate the status and maturity of GRC activities.

• Uses depth and breadth of IT expertise to develop and implement security and compliance policies, guidelines, and safe practices for university-wide computing and networking systems.

• Leads teams to conduct in-depth information technology risk assessments; makes recommendations and designs improvements to IT security procedures.

• Solves complex problems relating to user security needs and supports the implementation of procedures to accommodate them. Ensures that user community understands and adheres to necessary procedures to maintain security.

• Performs other related work as needed.

Minimum Qualifications

Education:

Minimum requirements include a college or university degree in related field.

Work Experience:

Minimum requirements include knowledge and skills developed through 7+ years of work experience in a related job discipline.

Certifications:

---

Preferred Qualifications

Experience:

• 7+ years business/technical/information security/risk compliance.

• Information security risk analysis, auditing, compliance, policies, and overall governance and communication.

• Demonstrated success implementing and Information Security control frameworks and standards such as ITIL, CIS Top 20, Soc2, GDPR, NIST CSF / 800-53, FISMA, and FedRAMP.

• Strong knowledge of audit and risk management methodologies, such as COBIT, NIST 800-37/800-30, 800-171, FAIR.

• Experience with implementing, maintaining, and enhancing use of GRC, IAM, and risk management tools and solutions.

• Experience with information security and GRC matters related to bioinformatics and other computing and data sharing environments related to human subject data like NCI Genomic Data Commons and Gen3.

Licenses and Certifications:

• CISA, CRISC, GIAC, CISM, or CISSP Certifications highly preferred.

Preferred Competencies

• Knowledge of hybrid IT systems, networking, and cloud environments (AWS, Google, etc.).

• Ability to respond to changing priorities and operate effectively in a dynamic demand-based environment, requiring extreme flexibility and responsiveness.

• Ability to weigh Center, partner, and agency needs against security and risk tolerance.

• Ability to conceptualize a course of action and to organize for the successful completion of that action are critical, often under tight deadlines.

• Ability to present information in a consistent and concise manner.

• Strong written and verbal communication skills and ability to foster collaborative working relationships.

• Knowledge of data and privacy risks and concerns related to emerging ML/AI technologies.

Working Conditions

• Hybrid.

• Office environment.

• 1-2 days per week in office.

Application Documents

• Resume (required)

• Cover Letter (preferred)

When applying, the document(s) MUST be uploaded via the My Experience page, in the section titled Application Documents of the application.

Job Family

Information Technology

Role Impact

Individual Contributor

Scheduled Weekly Hours

40

Drug Test Required
 

No

Health Screen Required
 

No

Motor Vehicle Record Inquiry Required
 

No

Pay Rate Type

Salary

​
FLSA Status

Exempt

​
Pay Range

$126,755.00 - $164,036.36

The included pay rate or range represents the University’s good faith estimate of the possible compensation offer for this role at the time of posting.

Benefits Eligible

Yes

The University of Chicago offers a wide range of benefits programs and resources for eligible employees, including health, retirement, and paid time off. Information about the benefit offerings can be found in the Benefits Guidebook.

Posting Statement
 

The University of Chicago is an Affirmative Action/Equal Opportunity/Disabled/Veterans and does not discriminate on the basis of race, color, religion, sex, sexual orientation, gender, gender identity, national or ethnic origin, age, status as an individual with a disability, military or veteran status, genetic information, or other protected classes under the law. For additional information please see the University's Notice of Nondiscrimination.

 

Staff Job seekers in need of a reasonable accommodation to complete the application process should call 773-702-5800 or submit a request via Applicant Inquiry Form.

 

We seek a diverse pool of applicants who wish to join an academic community that places the highest value on rigorous inquiry and encourages a diversity of perspectives, experiences, groups of individuals, and ideas to inform and stimulate intellectual challenge, engagement, and exchange.

 

All offers of employment are contingent upon a background check that includes a review of conviction history.  A conviction does not automatically preclude University employment.  Rather, the University considers conviction information on a case-by-case basis and assesses the nature of the offense, the circumstances surrounding it, the proximity in time of the conviction, and its relevance to the position.

 

The University of Chicago's Annual Security & Fire Safety Report (Report) provides information about University offices and programs that provide safety support, crime and fire statistics, emergency response and communications plans, and other policies and information. The Report can be accessed online at: http://securityreport.uchicago.edu. Paper copies of the Report are available, upon request, from the University of Chicago Police Department, 850 E. 61st Street, Chicago, IL 60637.