Information Security Risk Analyst II (Hybrid)

The University of California, Merced is required to provide a reasonable estimate of the compensation range for this role. This range takes into account the wide range of factors that are considered in making compensation decisions including but not limited to experience, skills, knowledge, abilities, education, licensure and certifications, and other business and organizational needs. It is not typical for an individual to be offered a salary at or near the top of the range for a position. Salary offers are determined based on final candidate qualifications and experience. The hourly range the University reasonably expects to pay for this position is $35.92 - $41.19.

This position may work a hybrid work modality following department guidelines.

Initial applicant review will take place on or around 3/3/2025 and posting may close any time after that without notice.

This is a 1-year, renewable contract position.

The University of California, Merced, is the newest of the University of California system's 10 campuses and the first American research university built in the 21st century. With more than 9,000 undergraduate and graduate students, UC Merced offers an environment that combines a commitment to diversity, inclusion, collaboration and professional development. With bachelor's, master's and doctoral degree programs, strong research and academic partnerships, and community involvement, the UC Merced campus is continually evolving and requires talented, knowledgeable and dynamic educators, researchers, management and staff.

Ranked among the best public universities in the nation by U.S. News and World Report, UC Merced is uniquely equipped to provide educational opportunities for highly qualified students from the San Joaquin Valley and throughout California. The campus enjoys a special connection with nearby Yosemite National Park, is on the cutting edge of sustainability in construction and design and supports the economic development of Merced and the region.

The Merced 2020 Project, a $1.3 billion public-private partnership unprecedented in higher education and completed in 2020, nearly doubled the physical capacity of the campus, enhancing academic distinction, student success and research excellence. UC Merced also operates the Downtown Campus Center, a $33 million, three-story administrative building located in the heart of Merced.

The university's mission of educational excellence and rigorous inquiry is powered by three schools and numerous research institutes and centers that seek scientific and social solutions for the Valley, California and the world. In partnership with UC San Francisco, UC Merced is preparing the way for a rigorous medical education program.

The course of UC Merced's evolution is piloted by a long-range strategic plan. Enacted in 2021, the 10-year blueprint is guiding how the values of equity and justice influence our pathway to earning Carnegie R1 research status, growing enrollment, upholding our identity as a minority-serving institution, and operationalizing how commitments to equity, diversity and inclusion are enacted in each campus unit.

Under the general supervision of the manager of the campus Information Security team, the Information Security Risk Analyst assesses and manages security and data protection solutions that support the mission of the UC Merced and protect the confidentiality, integrity, and availability of information assets owned or entrusted to the university. The Information Security Risk Analyst evaluates and supports the documentation, validation, and accreditation processes necessary to assure that new and existing information technology (IT) systems meet the University's information assurance (IA) and security requirements; prepares/maintains various security reports and dashboards, participates in vendor risk assessments and audit activities, prepares, and reviews system security architecture designs, and actively participates with business and campus units throughout the university community; tracks and reports on security risks and control effectiveness to OIT leadership; stays abreast of evolving campus needs, technology, and capabilities; and works with campus stakeholders to ensure data security needs and controls are aligned to support organizational goals and objectives.

KEY RESPONSIBILITIES

1. RISK ASSESSMENT: Develop methods to monitor and measure risk, compliance, and assurance efforts of university systems and vendor services using methods and tools such as Governance Risk and Compliance (GRC) system. Consult with customers to gather and evaluate functional requirements and translates these requirements into technical solutions. Provide guidance to customers about applicability of information systems to meet business needs. Conduct risk analysis, feasibility study, and/or trade-off analysis to develop, document, and refine functional requirements and specifications. Integrate and align information security and/or information assurance (IA) policies to ensure information assets under review meets security requirements. Draft statements of preliminary or residual security risks for system operation and of gaps in system and security requirements.
2. INFORMATION SECURITY CONSULTING: Provide information security subject matter expert consulting. Perform information security analysis & assessments on vendor information security programs, systems, network devices, and applications with recommendations & assessment results provided to stakeholders. Prepare new and maintain existing information security assessment checklists and analysis documentation as required to ensure assessments are reliable, efficient, and effective. Provide formal assessment reports to management including mitigation recommendations & status.
3. DOCUMENTATION: Prepare, maintain, and review various security standards, guidelines, and policies. Prepare/maintain measurement documentation including reports, dashboards, & other security related metrics or documents. Develop/assist with the creation of formal request and procurement related documents such as Requests for proposals, request for quotations, Purchase Requests, and Response Scoring.
4. SECURITY INCIDENT MANAGEMENT: As part of the security incident management team the incumbent collects, analyzes, and reports to management regarding the causes, effects, and implications of security incidents.

• Bachelor's degree in computer science, mathematics, statistics, information technology and related subjects from an accredited institution; and
• 2 years of information technology experience (required); and
• 2 years of experience conducting information security risk assessments (preferred).
• Experience conducting cloud services information security assessments (preferred).
• Knowledge of cybersecurity technologies, solutions, and processes.
• Knowledge of IT Security frameworks and standards assessment tools such as ISO 27001, GLBA, NIST CSF, NIST RMF, FISMA, PCI DSS, HECVAT and CAIQ.
• Ability and experience3 in creating create risk assessment reports.
• Ability to provide written and verbal communication skills to technical and non-technical audiences.
• Knowledge of IT Security vulnerabilities.

Background check required.

How to Apply:
An online application is required for each position to apply.The University of California, Merced is aware that some web-based application processes may be cumbersome for differently abled applicants. Where appropriate, alternative accommodations will be provided. For applicants with disabilities who need additional assistance using TAM, or reasonable accommodations during the interview or search process, please contact ucmjobs@ucmerced.edu.

As a condition of employment, the final candidate who accepts a conditional offer of employment will be required to disclose if they have been subject to any final administrative or judicial decisions within the last seven years determining that they committed any misconduct; received notice of any allegations or are currently the subject of any administrative or disciplinary proceedings involving misconduct; have left a position after receiving notice of allegations or while under investigation in an administrative or disciplinary proceeding involving misconduct; or have filed an appeal of a finding of misconduct with a previous employer.

Equal Employment Opportunity:
The University of California, Merced is an Equal Opportunity/Affirmative Action employer advancing inclusive excellence. All qualified applicants will receive consideration for employment without regard to race, color, creed, religion, national origin, citizenship, sex, age, marital status, sexual orientation, gender identity or expression, disability, pregnancy, or status as a disabled veteran or Vietnam-era veteran, or other protected categories covered by the UC Nondiscrimination and Affirmative Action Policy. UC Merced intentionally promotes and maintains a discrimination- and harassment-free workplace by demonstrating it neither condones nor tolerates employment practices that discriminate against or harass any person or specific group of persons on the basis listed above. We seek candidates who will support our vision to cultivate a vibrant, equity-minded, inclusive excellence university community. When applying to UC Merced, we strongly encourage you to reflect on our Principles of Community and our 2021 strategic plan.

Vaccination Program Policy:

As a condition of employment, you will be required to comply with the University of California SARS-CoV-2 (COVID-19) Vaccination Program Policy. All Covered Individuals under the policy must provide proof of Full Vaccination or, if applicable, submit a request for Exception (based on Medical Exemption, Disability, and/or Religious Objection) or Deferral (based on pregnancy) no later than the applicable deadline. For new University of California employees, the applicable deadline is 14 days after their first date of employment.

Smoke and Tobacco Free Policy:
The University of California, Merced is a smoke and tobacco free workplace. Information and the Smoke and Tobacco Free policy is available at http://smokefree.ucmerced.edu.

E-Verify:
All employers who receive Federal contracts and grants are required to comply with E-Verify, an Internet-based system operated by the Department of Homeland Security (DHS) in partnership with the Social Security Administration (SSA). E-Verify electronically verifies employment eligibility by comparing information provided on the I-9 form to records in the DHS and SSA databases. Certain positions funded by federal contracts/subcontracts requires UC Merced to notify job applicants that an E-Verify check will be conducted and the successful candidate must pass the E-Verify check.

Pay, Benefits & Work Schedule:
For information on the comprehensive benefits package offered by the University of California visit: http://ucnet.universityofcalifornia.edu/compensation-and-benefits/