Senior Information Security Risk Assessor

University of California - Santa Barbara
United States, California, Santa Barbara
1021 Anacapa Street
Jun 26, 2025
Job ID: 79293
Location: UCSB Campus
Full/Part Time: Full Time
Job Posting Details

Department Marketing Statement:

There is a reason UCSB has been named the Best Place to Work by our local media for several years running. Whether our employees are on our stunning campus, or working remotely or hybrid, they tell us they value the flexibility, stability and rich benefits we offer. Come join us as we support the mission of one of the finest public institutions in the nation. UC Santa Barbara is consistently recognized for excellence across broad fields of study. Set alongside the glorious California coast, our dynamic environment inspires scholarly ambition and creativity. Information Technology Services (ITS), the Campus' central IT unit, contributes to UC Santa Barbara's mission of research, teaching, and community service by partnering with the Campus community to efficiently deliver IT infrastructure and enterprise application services to faculty, students, staff, and affiliates. Join us in supporting the technology making world class research possible!

Benefits of Belonging:

Working at UC means being part of this vibrant institution that shines a light on what is possible. People make UC great, and UC recognizes your contributions by making this a great place to work. Excellent retirement and health benefits are just some of the rewards. Learn more about the benefits of working at UC and why You Belong at UC.

Brief Summary of Job Duties:

The Senior Information Security Risk Assessor works within Information Technology Services' Information Assurance and Cybersecurity unit. Primary responsibility involves overseeing core information security functions in the governance, risk, and compliance areas for the university. Responsible for building and maintaining an enterprise-wide information security/digital risk management program to support the confidentiality, integrity, and availability of the university's information assets. Responsible for leading a program to identify, evaluate, and report on digital risk to meet compliance and regulatory requirements and align with IS-3 policy, supporting the university's risk posture. Follows and enhances formal guidelines for secure technologies and architectures as well as programs such as GRC tooling, vendor risk assessments, PCI compliance, research security assessments and Unit risk assessments. Collaborates with the Assistant Chief Information Security Officer for Governance, Risk, and Compliance to develop and maintain a risk register for location. Along with other ITS leadership and the Assistant Chief Information Security Officer for Governance, Risk, and Compliance, develops, manages and reports on digital risk metrics within the university. Supports internal, UC and third-party audit activities. Collaborates with business units to implement information security practices that meet defined policies and standards.

Required Qualifications:

  • Bachelor's Degree in related area and/or equivalent experience/training.
  • 7-9 years of Information Technology experience.
  • 4-6 years of experience conducting information security risk assessments.

Preferred Qualifications:

  • 1-3 years of experience conducting cloud services information security risk assessments.
  • Broad knowledge of cybersecurity technologies, solutions, and processes.
  • Knowledge of regulatory compliance/information security frameworks and standards assessment tools such as ISO 27001, GLBA, NIST CSF, NIST RMF, FISMA, HIPAA, PCI DSS, SOC Type II/III, and HECVAT.
  • Knowledge of risk management techniques.
  • Experience using Governance, Risk & Compliance (GRC), vendor risk, risk register, and other security risk management tools and platforms.
  • Ability to identify and assess the severity and potential impact of risks and to communicate findings effectively to risk owners.
  • Ability to create and interpret technical diagrams (e.g., network diagrams, data flow diagrams).
  • Demonstrated skill at administering complex security controls and configurations to computer hardware, software, and networks.
  • Knowledge of computer hardware, software and network security issues and approaches.
  • Demonstrated experience selecting and applying appropriate risk management technologies.
  • Self-motivated with a sense of urgency, and has demonstrated commitment to high standards of ethics, regulatory compliance, and integrity.
  • Demonstrated skill in conducting internal or external risk assessments and providing guidance on the implementation, monitoring, and reporting of control processes, documentation, and compliance measures and/or remediation items.
  • Ability to communicate in writing and verbally with technical and non-technical audiences.
  • Advanced interpersonal skills sufficient to work effectively with both technical and non-technical personnel at various levels in the organization.

Special Conditions of Employment

  • Satisfactory conviction history background check
  • UCSB is a Tobacco-Free environment

Misconduct Disclosure Requirement:

As a condition of employment, the final candidate who accepts a conditional offer of employment will be required to disclose if they have been subject to any final administrative or judicial decisions within the last seven years determining that they committed any misconduct; received notice of any allegation or are currently the subject of any administrative or disciplinary proceedings involving misconduct; have left a position after receiving notice of allegations or while under investigation in an administrative or disciplinary proceeding involving misconduct; or have filed an appeal of a finding of misconduct with a previous employer. "Misconduct" means any violation of the policies or laws governing conduct at the applicant's previous place of employment, including, but not limited to, violations of policies or laws prohibiting sexual harassment, sexual assault, or other forms of harassment, discrimination, dishonesty, or unethical conduct, as defined by the employer. For reference, below are UC's policies addressing some forms of misconduct:

  • UC Sexual Violence and Sexual Harassment Policy
  • UC Anti-Discrimination Policy
  • Abusive Conduct in the Workplace

Job Functions and Percentages of Time:

50% Risk Analysis and Management

  • Develop and lead an enterprise-wide information security/digital risk management program to identify, evaluate, and report on digital risk to meet compliance and regulatory requirements and align with IS-3 policy.
  • Establish programs such as GRC tooling, vendor risk assessments, PCI compliance, research security assessments, and Unit risk assessments.
  • Collaborate with the Assistant Chief Information Security Officer for Governance, Risk, and Compliance on the development of risk assessment processes and conduct risk assessment/security validation tests of projects and Units as part of an overall risk management program.
  • Collaborate with Assistant Chief Information Security Officer for Governance, Risk, and Compliance to develop and maintain risk register for location.
  • Collaborate with Assistant Chief Information Security Officer for Governance, Risk, and Compliance and Unit Heads to make risk exception determinations.
  • Support internal, UC, and third-party audit activities.
  • Assist with the assessment of cybersecurity requirements as part of campus procurement activities.
  • Provide consultative support to the Office of Research for cybersecurity requirements on grants and gifts.

20% System Architecture Design/Secure Configuration and Guideline Development

  • Establish formal guidelines for secure technologies and architectures.
  • Assist with the implementation of IS-3 on campus by acting as a subject matter expert for administrative, academic, and IT constituencies.
  • Collaborate with Business Units to implement information security practices meeting defined policies and standards.
  • Contribute to the design and development of campus cybersecurity capabilities carried out by other teams to ensure that these services advance the goals of the campus program.

20% Communication and Leadership

  • Collaborate with the Assistant Chief Information Security Officer for Governance, Risk, and Compliance, security operations management and other ITS leadership to develop, manage, and report on digital risk and cybersecurity metrics.
  • Contribute to the UCSB Campus-wide Cybersecurity Awareness Month and general security/digital risk awareness communications.
  • Be an active and contributing member of the campus IT community.
  • Be an enthusiastic advocate of information security.
  • Participate in project teams, committees, and policy development.
  • Lead committees appropriate to area of expertise.

10% - Continuing Education / Professional Development

  • Keep up-to-date on information security risk management frameworks and assessment tools.
  • Take courses for professional development and additional certifications as appropriate.

Policy on Vaccination Programs:

As a condition of employment, you will be required to comply with the University of California Policy on Vaccination Programs. As a condition of Physical Presence at a Location or in a University Program, all Covered Individuals* must participate in any applicable Vaccination Program by providing proof that they are Up-to-Date with any required Vaccines or submitting a request for Exception in a Mandate Program or properly declining vaccination in an Opt-Out Program no later than the Compliance Date. (Capitalized terms in this paragraph are defined in the policy.) Federal, state, or local public health directives may impose additional requirements.

For more information, please visit:

  • UC Santa Barbara COVID-19 Information https://www.ucsb.edu/COVID-19-information
  • University of California Policy on Vaccinations https://policy.ucop.edu/doc/5000695/

* Covered Individuals: A Covered Individual includes anyone designated as Personnel or Students under this policy who Physically Access a University Facility or Program in connection with their employment, appointment, or education/training. A person accessing a Healthcare Location as a patient, or an art, athletics, entertainment, or other publicly accessible venue at a Location as a member of the public, is not a Covered Individual.

Equal Opportunity Employer:

UC Santa Barbara is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, age, protected veteran status or other protected status under state or federal law.

Reasonable Accommodations:

The University of California endeavors to make the UCSB Job site (https://jobs.ucsb.edu) accessible to any and all users. If you would like to contact us regarding the accessibility of our website or need assistance completing the application process, please contact Katherine Abad in Human Resources at 805-893-4664 or email katherine.abad@hr.ucsb.edu. This contact information is for accommodation requests only and cannot be used to inquire about the status of applications.

Privacy Notification Statement:

Privacy Notification Statement and Notice of Availability of the UCSB Annual Security & Fire Safety Report Disclosures; https://www.jobs.ucsb.edu/#privacy

Payroll Title: IT Security Analyst 4

Job Code: 000661

Job Open Date: 06/25/2025

Application Review Begins: 07/11/2025; open until filled

Department Code (Name): ISEC (ENTERPRISE SECURITY SERVICES)

Percentage of Time: 100%

Union Code (Name): 99 (Non-Represented)

Employee Class (Appointment Type): Staff (Career)

FLSA Status: Exempt

Classified Indicator Description (Personnel Program): MSP

Salary Grade: Grade 25

Pay Rate / Range: The budgeted salary range that the University reasonably expects to pay for this position is $119,000-$151,900/yr. Salary offers are determined based on final candidate qualifications and experience; the budget for the position; and the application of fair, equitable, and consistent pay practices at the University. The full salary range for this position is $104,900-$198,900/yr.

Working Days and Hours: Monday-Friday, 8:00am - 5:00pm

Benefits Eligibility: Full Benefits

Type of Remote or Hybrid Work Arrangement, if applicable: Onsite, Hybrid, Remote (California)

Special Instructions:
For full consideration, please include a resume and a cover letter as part of your application.

Application Status: If you would like to check the status of your application, please log into the Candidate Gateway where you applied and click on 'my activities'.
