Medical College of Wisconsin

Milwaukee, WI

About The Position

We're looking for those individuals, the creative thinkers and innovation seekers, who are content with nothing short of changing the world. Discover the endless opportunities within the Medical College of Wisconsin (MCW) and be inspired by the work we can do together to improve health and make a positive, daily impact in our communities. In the role of an IS Security Analyst II, you will be working in our Finance and Administration Department.

Position Summary

The Cybersecurity Analyst II is a mid-level practitioner who safeguards MCW systems and data while enabling research. The role specializes in compliance, risk management, incident response, and program coordination. It translates complex requirements (HIPAA Security Rule, CMMC, NIST SP 800-171, NIST SP 800-53, and NIH/dbGaP controlled-access genomic data expectations) into practical, auditable controls across enterprise and research environments. In partnership with the Office of Compliance and Risk and the Office of Research, the analyst co-designs pre-award guidance and post-award monitoring to ensure investigators understand and meet obligations related to ePHI, CUI, and controlled-access data throughout the award's life. This role does not own engineering, code development, or system/tool administration; it coordinates with those teams to drive outcomes.

Requirements

  • Alert triage
  • Incident documentation
  • Risk Assessment
  • Strong collaboration with Information Technology Services colleagues
  • Effective partnership with colleagues from Compliance and Risk Management, the Office of Research, the Office of General Counsel, and other applicable departments.
  • Is respectful, honest, and demonstrates integrity and ethics.
  • Listens effectively, shares ideas and information openly, and facilitates relationship building by establishing trust.
  • Strong analytical thinker.
  • Possesses initiative, good judgment, and the ability to problem solve.
  • Possesses strong business acumen with proven experience in thinking strategically and implementing tactically.
  • Handles demanding workloads to meet objectives.
  • Is customer-focused, service-oriented, and has effectively effected change.
  • Makes tough decisions when needed.
  • Can make decisions under conditions of high uncertainty/ambiguity.
  • Stays current with cutting-edge developments in technology and the industry.
  • Ability to maintain confidences.
  • Ability to perform effectively in a stressful environment.
  • Demonstrated leadership ability.
  • Ability to work and communicate successfully with all levels of internal and external contacts.
  • Ability to communicate orally and in writing clearly and logically.
  • Ability to foster and maintain solid working relationships.
  • Ability to effectively plan and organize projects impacting the work of others.
  • Minimum Required Education: Bachelor's in Information Security, IT, or related field, or equivalent experience.
  • Minimum Required Experience: 5 years in security operations, risk/compliance, or assessment roles within healthcare, higher ed, or research-intensive settings. Experience reviewing (not engineering) cloud environments against frameworks (HIPAA, NIST 800-53/171) and control catalogs (CIS Benchmarks, CSA CCM).
  • Framework Fluency: HIPAA Security Rule; NIST SP 800-53 r5; NIST SP 800-171; awareness of CMMC v2; familiarity with NIH/dbGaP controlled-access requirements for genomic data.

Nice To Haves

  • Certifications (preferred; or in progress): HIPAA Security Rule; NIST SP 800-53 r5; NIST SP 800-171; awareness of CMMC v2; familiarity with NIH/dbGaP controlled-access requirements for genomic data.
  • Preferred Qualifications: Experience supporting ePHI and/or CUI in academic medicine or research computing; exposure to research enclaves or secured workspaces. Working knowledge of NIST CSF 2.0 mappings to HIPAA/800-53 and experience contributing to DMS Plans or security appendices for grants.

Responsibilities

  • Serve as security liaison to the Office of Research, Sponsored Programs, and IRB on security language for grant submissions (e.g., DMS Plans), DUAs/DTAs, and award terms.
  • Operationalize NIH/dbGaP (GDS) and, when applicable, NIST SP 800-171 expectations for research environments handling controlled-access data and/or CUI.
  • Maintain award-level compliance registers (including control requirements, owners, due dates, and POA&Ms) and define monitoring cadences through award close-out.
  • Draft and maintain SOPs, control narratives, and evidence-collection playbooks to support audits and attestations (HIPAA, 800-171/CMMC).
  • Participate in the Incident Response process for notable events (e.g., suspected/confirmed breaches, lost or stolen devices): coordinate evidence capture, document actions, support privacy/compliance notifications, and contribute to lessons learned.
  • Coordinate vulnerability management activities with engineering/platform teams (risk-based prioritization, exception tracking, remediation SLAs, and reporting).
  • Coordinate with platform teams to ensure cloud guardrails (e.g., Azure Policy, AWS SCPs) are enforced; review CSPM reports (e.g., Defender for Cloud, AWS Security Hub, Prisma, Wiz) and track high-risk findings to closure.
  • For cloud-related incidents, ensure forensic readiness (retention of logs, access records, snapshots) and contribute to post-incident lessons learned.
  • Conduct system and vendor risk assessments mapped to HIPAA safeguards and NIST SP 800-53; document risks, compensating controls, and residual risk.
  • Support CMMC readiness (where applicable to DoD-funded work) by aligning processes and artifacts to NIST SP 800-171 requirements.
  • Lead recurring reviews of cloud security policies and control configurations (IAM, key management, encryption, logging/monitoring, network segmentation, backup/DR, workload isolation) mapped to HIPAA, NIST 800-53/171, CIS Benchmarks, and CSA CCM; produce written findings and remediation plans with accountable owners.
  • Validate shared-responsibility alignment in third-party/SaaS platforms (BAA/DPA terms, data residency/retention, access controls) and complete vendor risk assessments with evidence collection.
  • Co-deliver the annual cybersecurity training; tailor micro-trainings for research audiences handling ePHI/CUI/controlled-access data.
  • Plan and execute periodic internal phishing campaigns, tracking metrics (reporting rate, click rate, credential submissions), driving targeted follow-ups, and publishing summary results.
  • Coordinate the annual penetration test by defining the scope with stakeholders, managing vendor logistics and access approvals, tracking findings to remediation/retest, and curating evidence for audit readiness.
  • Provide clear readouts to leadership and technology owners; ensure that findings are fed into risk registers and POA&Ms.
  • Include cloud attack paths and misconfiguration scenarios in the annual penetration test scope; confirm that findings are mapped to controls and retested after remediation.

Benefits

  • Outstanding Healthcare Coverage, including but not limited to Health, Vision, and Dental, along with Flexible Spending options
  • 403B Retirement Package
  • Competitive Vacation and Paid Holidays offered
  • Tuition Reimbursement
  • Paid Parental Leave
  • Pet Insurance
  • On campus Fitness Facility, offering onsite classes.
  • Additional discounted rates on items such as select cell phone plans, local fitness facilities, Milwaukee recreation and entertainment, etc.

What This Job Offers

  • Job Type: Full-time
  • Career Level: Mid Level
  • Industry: Educational Services
  • Number of Employees: 5,001-10,000 employees
