IT Audit Manager – Information Security

Overview

The Office of Audit and Compliance (OAC) serves as a proactive partner and trusted advisor to University management and departments to assess and support the mitigation of risks that may have a significant impact on the achievement of the University’s objectives. The goal of the OAC is to promote a culture of risk and compliance awareness at the institution through the services it provides. OAC seeks an experienced candidate with high professional and ethical standards who will provide quality Information Security and IT Operations assurance and advisory services to the University.

Candidates with information security audit and/or operations experience are well-suited for this position. Reporting to the Director, IT Audit (Director), the IT Audit Manager – Information Security (Audit Manager) will be responsible for independently planning, executing, developing, and communicating value-add results of information security and IT operations assurance and advisory engagements to senior management. The Audit Manager will assist the Director in procuring service providers for co-sourced audit projects and supervising their performance and deliverables to clients. As a member of the University’s Information Technology Audit team, the Audit Manager will conduct key strategy and planning activities related to the annual risk assessment and IT audit plan for the University. In addition, the Audit Manager should have a desire for continued career growth and a passion for learning new and emerging technologies to enable collaboration with the Director in pursuit of continued innovation of the University’s IT audit function.

Responsibilities

The key responsibilities of this position will be to:

Execute Information Assurance and Advisory Projects Perform information security and IT operations audits and/or advisory services across a broad range of systems and technologies including but not limited to: information security, vulnerability management, application controls, network infrastructure, databases, operating systems, IT general controls, pre and post system implementation, dev ops, cloud software and platforms, disaster recovery, and incident response. Design detailed audit work programs (in many cases customized for the environment), conduct interviews, document and analyze processes and apply critical thinking to evaluate risks and controls and assess the results of audit testing. Create detailed workpapers that substantiate audit findings. Evaluate audit findings, determine root causes, and extrapolate relevant institutional themes to develop relevant and achievable recommendations based on leading practice, the risk profile of the client and institution. Prepare professional audit reports summarizing observations, recommendations, and management responses. Ensure that projects have value-add results and are completed timely. Critically apply insights and knowledge of IT and information security to enable clients to solve complex institutional problems while effectively managing risks. Follow IIA and other relevant standards in conducting assurance and advisory projects. Plan, supervise, procure services, and communicate Plan and execute all aspects of risk-based audit and advisory projects by partnering with client department management to define the scope and objectives, project resource requirements, identify needs for specialized skills, timing and budgets. Lead the development of, in partnership with Director, Request for Proposals (RSPs) for the acquisition of specialized skills in a co-sourced engagement model. Manage the execution of professional services teams on co-sourced projects and deliver value-add outcomes. Develop and manage relationships with key campus client stakeholders of varying levels of seniority and information security knowledge in the organization to enable the effective identification of risk and delivery of assurance and consulting services. Prepare and present audit and advisory project reports that communicate complex information security and IT operations concepts to a diverse group of institutional constituents including Deans and Vice Presidents, summarizing observations, recommendations, and management responses. Inter-organizational coordination of OAC data requirements and corresponding University technology systems  Develop subject matter expertise on key University business information systems (on premise and cloud hosted) and underlying data. Build relationships with key IT business system stakeholders across the institution. Partner with members of the OAC Finance and Operations audit team to gather, understand, and translate business requirements into specific data needs. Liaise with relevant system stakeholders to facilitate requests for data and assist with the validation of data provided. Provide Strategy and Leadership Support Partner with the Director to continue to mature the University’s Information Technology audit function through innovation and the implementation of new technologies, elevated testing approaches, assessment techniques, and agile engagement delivery. Collaborate with the Director to execute the annual risk-assessment strategy and draft the IT audit work plan for the University. Conduct annual risk assessment interviews with senior executives and other managers throughout the University; identify and incorporate risk data from multiple internal and external sources to assess risk and analyze results. Identify, evaluate, and operate value-add technology tools for OAC operations and internal audit projects. Proactively identify and build relationships with colleagues from other Universities to share information on industry risks and leading practices. Assist with Trustee and Senior Management presentations as required. Demonstrate foresight, superior judgment and the ability to develop creative solutions using a risk-based approach in the performance and management of all tasks. Support the progressive development of senior auditor IT audit knowledge, skills, and abilities by identifying key learning opportunities and developing value-add training materials. Keep current with developments in relevant technologies and IT audit methodologies; independently develop and propose to the Director an annual risk aligned training plan. Perform special projects and represent OAC on University committees, as required.

Qualifications

Essential Qualifications: 

High ethical standards representative of Princeton University’s commitment to excellence. 6+ years of experience in IT audit, Information Security Operations, IT management, information security analysis, IT operations, research data security, and/or systems assurance. Demonstrated ability to analyze technology systems and processes with strong attention to detail, apply critical thinking skills, and use sound business judgment in the application of auditing principles, University policies, and business practices. Excellent project management skills and demonstrated ability to achieve audit objectives on multiple, complex, concurrent projects. Demonstrated ability to translate business requirements into achievable technical terms; effective communications and translation of requirements between technical and non-technical stakeholders across the University. Experience managing multiple project stakeholders (internal and external) in concurrently running engagements. Strong analytical, problem solving, time management, and interpersonal Excellent communication skills, including proven ability to prepare and present clear and concise reports to stakeholders and articulate complex and/or technical issues. Superior judgment, diplomacy, and discretion in handling sensitive information. Demonstrated technical skills and experience in some of the following:Information system testing techniques including the use of automated assessment tools.TCP/IP based network architecture and corresponding security design and enabling technologies such as next generation firewalls, IPS/IDS, routers, and switches.Microsoft Windows, Mac OS, and Linux operating systems, Active Directory, LDAP, Office 365/Exchange, SQL and Oracle Database, VMWare, and SharePoint.Configuration management and automation technologies such as Ansible Tower or Puppet.Third party cloud offerings such as Amazon Web Services and Microsoft Azure and software as a service vendor assessments and ongoing monitoring (., System and Organization Control reports).Vulnerability assessment and/or penetration testing tools and concepts. Knowledge of one or more information security frameworks including the NIST Cyber Security Framework, NIST SP 800-171, CMMC (NIST SP 800-172), HITRUST, ISO 27000 series, and the CIS Controls. Self-motivation, initiative, and broad thinking. Current CISSP, CISA, CISM, CRISC, or other relevant certification, or a commitment to pursue. BA/BS or an advanced degree in information systems, business, or a related field.

Preferred Qualifications:

8+ years of quantifiable experience in IT and/or information security operations, effective client management, and service delivery. Advanced degree in information systems, business, or a related field. Knowledge of University operations and/or experience in higher education, especially focused on unique risks associated with academic departments, research, and techniques for effective risk management of non-centrally managed information technology. Experience assessing the implementation of privacy principles and relevant controls in information systems. Experience managing projects co-sourced with professional services firms. Knowledge of Large-scale ERP systems such as PeopleSoft, internal and external penetration testing tools and techniques, web application scanning/testing, social engineering, secure software development methodologies and enabling technology tools. Familiarity with Internet of Things (IoT) devices, industrial control systems (ICS) and supervisory control and data acquisition (SCADA).

This role is Princeton-based and does not require travel. The finalist will be required to successfully pass a background check.

Princeton University is an and all qualified applicants will receive consideration for employment without regard to age, race, color, religion, sex, sexual orientation, gender identity or expression, national origin, disability status, protected veteran status, or any other characteristic protected by law.

Standard Weekly Hours

36.25

Eligible for Overtime

No

Benefits Eligible

Yes

Probationary Period

180 days

Essential Services Personnel (see policy for detail)

No

Physical Capacity Exam Required

No

Valid Driver’s License Required

No

Experience Level

Director #LI-JE1

---