Staff - Non Union
Job Category: M&P - AAPS
Job Profile: AAPS Salaried - Accounting, Level C
Job Title: Privacy and Information Security Risk Advisor
Department: Privacy and Information Security Safety & Risk Services VP Finance and Operations
Compensation Range: $6,378.58 - $9,189.17 CAD Monthly
The Compensation Range is the span between the minimum and maximum base salary for a position. The midpoint of the range is approximately halfway between the minimum and the maximum and represents an employee that possesses full job knowledge, qualifications and experience for the position.
In the normal course, employees will be hired, transferred or promoted between the minimum and midpoint of the salary range for a job.
Posting End Date: October 1, 2023
Note: Applications will be accepted until 11:59 PM on the day prior to the Posting End Date above.
Job End Date: Nov 5, 2025
At UBC, we believe that attracting and sustaining a diverse workforce is key to the successful pursuit of excellence in research, innovation, and learning for all faculty, staff and students.
Our commitment to employment equity helps achieve inclusion and fairness, brings rich diversity to UBC as a workplace, and creates the necessary conditions for a rewarding career.
Job Summary
The Privacy and Information Security Risk Advisor operates within the Privacy & Information Security Management (PrISM) Safety & Risk Service (SRS) team.
UBC's PrISM program is an ongoing initiative to reduce the risk of a major privacy or information security breach at UBC through security governance, technology advancement, training, awareness and communications, risk management and compliance support, system identification and classification.
The PrISM Safety & Risk Services team is a key component of the PrISM program, delivering Privacy Impact Assessments (PIA) that consider privacy, operational, application and security risks and threats; campus-wide training; and risk advisory services to UBC. The team's focus is to maintain public trust in UBC, protect personal information of the UBC community and keep UBC confidential information secure, whilst enabling technology-supported business initiatives to succeed.
UBC fulfills its legal obligation to complete PIAs by combining privacy and information security risk assessments into a single risk assessment process.
This practice differs from that of many other provincial bodies, which perform separate security and privacy risk assessments with limited integration between the two.
The UBC combined process is optimal for completing PIAs, as risks to personal information remain at the forefront of the combined assessment.
Key responsibilities of this role include:
- Support Lead Advisors to conduct PIAs and STRAs for large, complex and high-risk projects, including documentation and logistics, STRA vendor management, follow-up on remediation activities, draft updates and formal PIA/STRA reports to project leadership, and other related duties.
- Conduct or oversee the completion of lower-complexity risk assessments within projects to ensure they are performed correctly and that risk mitigations are identified and addressed in a timely manner, utilizing UBC assessment frameworks and tools.
- Engage broadly (through training, workshops and relationship building) within assigned projects to raise awareness of privacy and information security risk and mitigations.
- Select and follow project management methods, procedures, and quality objectives, and track metrics for assessing progress on privacy and security risk assessments throughout assigned projects.
Organizational Status
The Privacy and Information Security Risk Advisor will support the Privacy and Information Security Management (PrISM) program at UBC as part of the SRS team.
The incumbent will collaborate and work closely with a variety of constituents at the University, including Office of the University Counsel, Enterprise Data Governance, Records Management Office, Enterprise Risk Management, UBC IT Security and Faculty IT teams.
The position interfaces with all University employees, processes, and technologies that handle information (both paper and electronic records).
Work Performed
- Support Lead Advisors to conduct PIAs and STRAs for large, complex and high-risk projects, including documentation and logistics, STRA vendor management, follow-up on remediation activities, draft updates and formal PIA/STRA reports to project leadership, and other related duties.
- Conduct or oversee the completion of lower-complexity risk assessments to ensure they are performed correctly and that risk mitigations are identified and addressed in a timely manner, utilizing UBC assessment frameworks and tools.
- Engage broadly (through training, workshops and relationship building) within assigned projects to raise awareness of privacy and information security risk and mitigations.
- Work directly with a portfolio of units across the University to identify key privacy and information security risks, determine appropriate risk mitigation activities, and ensure commitment to their completion in a timely manner.
- Manage the liaison relationship with clients to ensure technology solutions comply with applicable privacy legislation and regulations, UBC policy and information security standards, whilst enabling business initiatives.
- Provide updates, formal reports and KPIs to the relevant committees and stakeholders, including the PrISM Executive Team and program/project governance bodies as required.
- Conduct formal reviews with project sponsors at project completion to confirm acceptance and satisfaction.
- Select and follow project management methods, procedures, and quality objectives, and track metrics for assessing progress on privacy and security risk assessments throughout assigned projects.
- Assess variances from the assessment project plans, budgets and schedules; develop and implement changes as necessary to ensure that the project remains within specified scope and within time and quality objectives; and keep management aware of the situation.
- Acquire and maintain a working knowledge of the University's technical and business environment in order to better understand the business and its priorities.
- Based on client feedback, develop recommendations and present options for security improvements.
- Build and maintain strong and productive working relationships with team members, stakeholders, UBC IT, and other vendors/consultants.
- Maintain appropriate professional designations and up-to-date knowledge of current information security frameworks, methods, techniques and tools.
- Perform other related duties as required.
Consequence of Error/Judgement
UBC is a complex organization that collects and uses information to support its mandate. An information breach (especially relating to personal or other high-risk information) could have a significant financial and reputational impact on the University.
The Privacy and Information Security Risk Advisor plays a critical role in the identification of key privacy and information security risks, and providing appropriate recommendations to reduce these risks to an acceptable level.
Sound judgment must be exercised. Lack of good judgment and/or inability to adopt sound risk management techniques may result in the failure to detect significant privacy and information security related exposures to the University's confidential information.
Supervision Received
The Privacy and Information Security Risk Advisor reports directly to, and works under the general direction of, the Senior Manager, Privacy and Information Security Risk, and under specific direction from the assigned Lead Advisor for a large, complex, high-risk project.
The incumbent must be able to work independently as well as contribute actively and collaborate openly as a team member.
Supervision Given
The Information Security Risk Advisor will supervise the risk assessment work completed by their portfolio of units. This position will not supervise any staff.
Minimum Qualifications
Undergraduate degree in a relevant discipline. Minimum of five years of related experience, or the equivalent combination of education and experience.
- Willingness to respect diverse perspectives, including perspectives in conflict with one's own
- Demonstrates a commitment to enhancing one's own awareness, knowledge, and skills related to equity, diversity, and inclusion
Preferred Qualifications
- Undergraduate degree in a relevant discipline and a minimum of 5 years of experience, or the equivalent combination of education and experience, in privacy, information security and risk management.
- Experience in a higher education institution would be an asset.
- Professional designations in information security, control and governance (e.g. CISSP, CISA, CISM, CIPP, CRISC, CGEIT, GIAC, CPA, PMP) are desirable.
- Knowledge of security activities and deliverables within the system development life cycle.
- Knowledge of information security frameworks, models and standards such as OWASP, SAMM, NIST, COBIT and ISO 27001/2.
- Knowledge of application architecture and security in cloud-based environments, such as AWS and Microsoft Azure, is an asset.
- Self-motivated with a strong commitment to providing high-quality services, together with a thorough understanding and awareness of information security best practices and the ability to translate them into meaningful and value-added University-wide and local solutions.
- Knowledge of the Freedom of Information and Protection of Privacy Act (FIPPA), particularly as it relates to implementing 'reasonable security arrangements' over PI under the University's control or in its custody.
- Ability and desire to take initiative at all times, tempered with the ability to exercise judgement about seeking input and advice from others.
- Ability to work independently, as part of a team, and cross-functionally.
- High level of interpersonal skills used to lead, enthuse, motivate, influence, and educate others at all levels to drive change across the University.
- Demonstrated ability to communicate effectively at all levels and with diverse audiences (management, senior leadership, technical), using a variety of delivery mechanisms (written, oral, presentations, etc.).
- Ability to identify problems and develop solutions through the involvement of appropriate stakeholders.
- Knowledge of project management, quality assurance, change management disciplines and best practices, and systems development methodologies.
- Knowledge of, and ability to effectively use, communication and collaboration technologies.
- Understands key trends and players in the IT industry and higher-education sector.
- Excellent organizational, planning, and prioritization skills. Able to multi-task and deliver multiple assignments in a fast-paced and changing environment.
- Demonstrates the willingness, ability, and enthusiasm to learn new processes, methodologies or technologies.