Senior Privacy and Information Security Risk Advisor
The University of British Columbia

Job Description
Job Summary
The Senior Privacy and Information Security Risk Advisor operates within the Privacy & Information Security Management (PrISM) Safety & Risk Service (SRS) team. UBC’s PrISM program is an ongoing initiative to reduce the risk of a major privacy or information security breach at UBC through security governance, technology advancement, training, awareness and communications, risk management and compliance support, system identification and classification.
The PrISM SRS team is a key component of the PrISM program, delivering Privacy Impact Assessments (PIA) that consider privacy, operational, application, and security risks and threats; campus-wide training; and risk advisory services to UBC. The team’s focus is to maintain public trust in UBC, protect personal information of the UBC community, and keep UBC's confidential information secure, whilst enabling technology-supported business initiatives to succeed.
This is an exciting opportunity to work with a dynamic, risk-focused team that collaborates across UBC, including with management and staff in other units, such as the Cybersecurity team, University Counsel, Enterprise Risk and Assurance, the Office of the CIO, and UBC IT teams.
The Senior Privacy and Information Security Risk Advisor will work with units across the University to identify key privacy and information security risks, determine appropriate risk mitigation activities, and ensure commitment to their completion in a timely manner. They will conduct or oversee PIAs required under FIPPA, including assessments of security risks and controls, utilizing UBC assessment frameworks and tools.
The ideal candidate will be well-versed in information security threats, risks, and controls, be skilled in facilitation activities to ensure reasonable privacy and information security measures are in place through every phase of the project’s life cycle, and be comfortable driving change through advocacy and influencing. They will be capable of developing strong, trusted relationships across UBC at various levels of the organization.
Organizational Status
This position is part of the PrISM SRS team and reports to the Manager, PrISM SRS. The incumbent will collaborate and work closely with management and staff in other units, including the Office of the University Counsel, the Office of the CIO, CyberSecurity, Enterprise Data Governance, Records Management Office, UBC IT, and Faculty IT teams. It will also involve working closely with other IT functions and data stewards within UBC’s faculties and operational entities.
Work Performed
- Conduct or oversee Privacy Impact Assessments, including Security Threat Risk Assessments, utilizing UBC assessment frameworks and tools.
- Work with units across the University to identify key privacy and information security risks and determine appropriate risk mitigation activities, and ensure commitment to their completion in a timely manner.
- Provide privacy and information security technical expertise and mentoring to project teams and other advisors to ensure reasonable privacy and information security measures are in place through every phase of the project’s life cycle, including project planning, architecture, requirements definition, procurement, implementation, and operationalization of new technology services.
- Engage broadly (through training, workshops, and relationship building) within assigned projects to raise awareness of privacy and information security risk and mitigations.
- Manage liaison relationship with clients to ensure technology solutions comply with applicable privacy legislation and regulations, UBC policy, and information security standards, whilst enabling business initiatives.
- Provide updates and formal reports to the relevant committee and stakeholders, including the PrISM Executive Team and program/project governance bodies as required.
- Conduct formal reviews with project sponsors at project completion to confirm acceptance and satisfaction.
- Select and follow project management methods, procedures, and quality objectives, and track metrics for assessing progress on privacy and security risk assessments throughout assigned projects.
- Assess variances from the assessment project plans, budgets, and schedules, develop and implement changes as necessary to ensure that the project remains within specified scope and is within time and quality objectives, and keep management aware of the situation.
- Develop relevant content to inform PrISM SRS clients and risk advisors on acceptable use of UBC tools.
- Acquire and maintain a working knowledge of the University's technical and business environment in order to better understand the business and its priorities. Based on client feedback, develop recommendations and present options for security improvements.
- Build and maintain strong and productive working relationships with team members, stakeholders, UBC IT, and other vendors / consultants.
- Maintain appropriate professional designations and up-to-date knowledge of current information security frameworks such as ISO 27000 series and NIST Cybersecurity Framework, methods, techniques, and tools.
Consequence of Error/Judgement
UBC is a complex organization that collects and uses information to support its mandate. An information breach (especially relating to personal or other high-risk information) could have a significant financial and reputational impact on the University. The Senior Privacy and Information Security Risk Advisor plays a critical role in the identification of key privacy and information security risks and provides appropriate recommendations to reduce these risks to an acceptable level.
Sound judgment must be exercised. Lack of good judgment and/or inability to adopt sound risk management techniques may result in the failure to detect significant privacy and information security-related exposures to the University's confidential information.
Supervision Received
The Senior Privacy and Information Security Risk Advisor receives direction from the Manager, PrISM SRS, on the work performed. The incumbent must be able to work independently as well as contribute actively and collaborate openly as a team member.
Supervision Given
Plans, directs, and supervises the work of project team members, such as other consultants and staff assigned to the project.
Minimum Qualifications
Undergraduate degree in a relevant discipline and a minimum of 7 years of experience or the equivalent combination of education and experience in privacy, information security and risk management.
- Willingness to respect diverse perspectives, including perspectives in conflict with one’s own
- Demonstrates a commitment to enhancing one’s own awareness, knowledge, and skills related to equity, diversity, and inclusion
Preferred Qualifications
- Professional designation in information security, control and governance (e.g. CISSP, CISA, CISM, CIPP, CRISC, CGEIT, GIAC, CPA, PMP) is desirable.
- Experience in cybersecurity technology and architectural assessments, as well as security threat and risk assessments.
- Knowledge of security activities and deliverables within the system development life cycle.
- Knowledge of information security frameworks, models and standards such as OWASP, SAMM, NIST, COBIT and ISO 27001/2.
- Knowledge of application architecture and security in cloud-based environments, such as AWS and Microsoft Azure, is an asset.
- Self-motivated with a strong commitment to providing high quality services, together with a thorough understanding and awareness of information security best practices and the ability to translate them into meaningful and value added University-wide and local solutions.
- Knowledge of the Freedom of Information and Protection of Privacy Act (FIPPA), particularly as it relates to implementing 'reasonable security arrangements' over PI under the University's control or in its custody.
- Ability and desire to take initiative at all times, tempered with the ability to exercise judgement about seeking input and advice from others.
- Ability to work independently, as part of a team, and cross functionally.
- High level of interpersonal skills used to lead, enthuse, motivate, influence, and educate others at all levels to drive change across the University.
- Demonstrated ability to communicate with diverse audiences (management, senior leadership, technical) using a variety of delivery mechanisms (written, oral, presentations, etc.).
- Ability to effectively facilitate multi-disciplinary groups to achieve appropriate outcomes
- Knowledge of project management, quality assurance, change management disciplines and best practices, and development methodologies
- Knowledge and ability to effectively use communication and collaboration technologies
- Understands key trends and players in the IT industry and higher-education sector
- Excellent organizational, planning, and prioritization skills. Able to multi-task and deliver multiple assignments in a fast-paced and changing environment
- Demonstrates the willingness, ability, and enthusiasm to learn new processes, methodologies or technologies
Key skills/competency
- Privacy Impact Assessments (PIA)
- Information Security Risk Management
- Risk Mitigation
- FIPPA Compliance
- Security Governance
- NIST Cybersecurity Framework
- ISO 27000 Series
- Threat and Risk Assessment
- Change Management
- Stakeholder Engagement
How to Get Hired at The University of British Columbia
- Tailor your resume: Highlight experience in privacy, information security, and risk management, aligning with FIPPA and UBC's frameworks.
- Showcase qualifications: Emphasize relevant professional designations (CISSP, CIPP, etc.) and your experience with security frameworks like NIST and ISO 27001.
- Demonstrate initiative: Showcase instances where you drove change, influenced stakeholders, and successfully managed complex projects.
- Prepare for interviews: Be ready to discuss your approach to risk assessment, threat modeling, and fostering collaboration across departments.
- Understand UBC's mission: Research UBC's commitment to diversity, inclusion, and its role in research and education.