This position reports to the CIO and has overall responsibility for ensuring that appropriate policies, standards, procedures and automated mechanisms, designed to appropriately protect the security of information are documented and followed across the Institutions (University of Utah and University of Utah Hospital and Clinics). Sensitive or protected information may include information related to patients, employees, students, and faculty, as well as information protected by state, federal, or industry policy (FERPA, HIPAA, FISMA, PCI, etc.). This information may exist in either electronic or paper form.The Chief Information Security Officer (CISO) has management responsibility over the Information Security Office, including the hiring, evaluating, training, performance management, salary administration, mentorship, development and retention of staff.The position works closely with the General Counsel of both the University and Hospital and Clinics, those areas within Information Technology with responsibility for system and network security, access control, physical security, application development and/or application product selection and procurement, as well as all relevant academic and administrative Schools and Departments throughout the Institutions.This position also interfaces with other Utah higher education institutions, as well as other private and governmental agencies.The CISO will work with relevant government and regulatory agencies to interpret regulations related to the protection of information owned or trusted to the control of one of the University of Utah institutions.The CISO will provide advice and counsel related to the development of policies, procedures and electronic safeguards designed to meet the needs of government regulations. The CISO must help the Institutions identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of information; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement safeguard programs, and regularly monitor and test those programs. The CISO will work with appropriate senior leadership to determine methods for dealing with infractions of policies associated with privacy and security, and will identify individuals or groups where inappropriate behavior exists. The CISO will be responsible for development of procedures related to internal reaction to a security event.Additionally, the CISO will take a leadership role in coordinating activities related to a security event and will act as a focal point for the distribution of security information including alerts, notices of significant intrusions, etc. They will also develop and conduct regularly scheduled security and privacy awareness programs.