The North Carolina Administrative Office of the Courts is seeking a self-motivated and strategic professional to oversee the ongoing re-engineering of the agency’s business processes to encourage an emphasis on data protection/security, and to factor data privacy into its long-term planning efforts including the day-to-day business practices. The incumbent will be responsible for regularly assessing the agency’s compliance with state and federal privacy law. Additionally, the Privacy Officer will develop and implements appropriate remediation steps if those assessments determine that such steps are necessary.
This position works closely with the Chief Information Security Officer, Risk Management Officer and other departments throughout the AOC. This role is one of a data strategist and adviser as well as a steward for protection of highly confidential information. The ideal candidate should possess a combination of business knowledge, technical skills, people skills, and the ability to guide data strategy and control standards. The Privacy Officer will report directly to the Risk Management Officer.
Duties and Responsibilities:
· Develop and maintain a compliance program for the AOC Information Security Policies, Procedures, Guidelines, Privacy, state and federal laws
· Analyze and evaluate the effectiveness of the Information Security and Privacy program in meeting its requirements and objectives
· Participate in activities, including conducting analyses of current practices (program audits), and reporting level of compliance to the CTO and CISO.
· Draft and maintain agency-wide policies, procedures/plans, and guidelines to ensure the workforce uses and accesses only the minimum necessary data and discloses the data within principal of least privilege.
· Maintain data privacy, enforcing specific privacy requirements as it relates to agency mandates, and other legal requirements
· Collaborate with agency staff including IT, Legal, Human Resources, and other State agencies in fostering information privacy awareness relevant to all programs and services.
· Develop and oversee the implementation of corrective action plans that result from auditing and monitoring activities.
· Implement training of agency staff on privacy issues.
· Provide ongoing assessment of programs and services to ensure that the agency discloses only the minimum amount of data necessary to perform the 3rd party functions.
· Performing periodic privacy risk assessments and related ongoing compliance audits
· Participates in, investigating, and resolving privacy-related reports, including potential breach incidents
· Participates in, inquiries and investigations into privacy-related questions and complaints from workforce members, government agencies, or other sources
Knowledge, Skills and Abilities / Competencies
· B.A./B.S. in Policial Science, JDR, Communications, Computer Science, Engineering, Information Assurance, or equivalent experience
· Experience using GRC (Governance Risk and Compliance) tools
· Experience with Incident Response procedures
· General understanding of HIPAA, NIST 800-53 r4 or greater, CJI state and federal guidelines regarding privacy, and concepts of other regulated data privacy laws/standards.
· Knowledge of and experience with legal compliance of Cybersecurity and privacy laws.
· Excellent written and oral communication skills, with demonstrated ability to distill and translate complex concepts into actionable information for a variety of audiences.
· Experience working in the Information Technology auditing or other highly regulated environment.
· Experience implementing compliance requirements in a matrixed environment utilizing complex information systems.
· Comfortable in effectively presenting information one-on-one and in large groups.
· Leadership skills and ability to coordinate and influence cross-functional teams.
· Proven record of success in project management, with a particular focus on strategic planning.
· Competence in resolving problems/conflicts in a diplomatic and tactful manner; exercising discretion in handling confidential information.
· Proficient usage of Microsoft Office products including Word, Excel, PowerPoint and Outlook.
· Technically savvy utilizing a variety of electronic data platforms.
· Thorough knowledge of the Privacy Act of 1974 and related laws and regulations, Federal and State privacy policies and practices to advise Agency Privacy Officers, program managers, and agency counsel and to provide guidance and assistance relating to organizational privacy requirements, reviews, and analysis
· Possess one or more of the following certifications:
o Certified Information System Auditor (CISA)
o Certified Information Privacy Manager (CIPM)
o Certified Information Privacy Professional (CIPP)
| Skill | Required /Desired | Amount | of Experience |
|---|---|---|---|
| Experience using GRC (Governance Risk and Compliance) tools | Required | 3 | Years |
| Experience with Incident Response procedures | Required | 3 | Years |
| General understanding of HIPAA, NIST 800-53 r4 or greater, CJI state and federal guidelines regarding privacy | Required | 3 | Years |
| Knowledge of and experience with legal compliance of Cybersecurity and privacy laws. | Required | 3 | Years |
| Excellent written and oral communication skills | Required | 3 | Years |
| Experience working in the Information Technology auditing or other highly regulated environment. | Required | 3 | Years |
| Experience implementing compliance requirements in a matrixed environment utilizing complex information systems. | Required | 3 | Years |
| Possess one or more of the following: CISA, CIPM, CIPP | Nice to have | 3 | Years |
| No. | Question |
|---|---|
| Question1 | Absences greater than two weeks MUST be approved by CAI management in advance, and contact information must be provided to CAI so that the resource can be reached during his or her absence. The Client has the right to dismiss the resource if he or she does not return to work by the agreed upon date. Do you agree to this requirement? |
| Question2 | This role will be hybrid. This person will come on site one day a week. Please confirm this works. |
| Question3 | Your candidate must be able to attend an in-person interview. Do you agree to this requirement? |
| Question4 | What is your candidate's email address? |
| Question5 | How soon can your candidate start if selected for this opportunity? |
| Question6 | Vendors are encouraged to submit candidates that are available for the duration of the assignment. Do you anticipate your candidate being able to work until the proposed end date listed on this VectorVMS req? |
| Question7 | Vendors must disclose to the agency if the candidate will be subcontracted at the time of submission. Is your candidate an employee of your company or a subcontractor? Please be sure to notify a CAI Account Manager if your candidate's employee status changes. |
| Question8 | Vendors must notify the agency if any portion of the requirements listed in this task order will be outsourced to other countries. Do you anticipate outsourcing any work being done for this assignment to another country? |
| Question9 | Candidates submitted above the hourly Vendor Rate of - may not be considered for this assignment. Do you agree to this requirement? |
| Question10 | Payment for all approved hours will be paid at the straight hourly rate regardless of the total hours worked by the engaged resource. It is the responsibility of the Vendor to adhere to any applicable compensation laws including payment for overtime hours. Do you agree to this requirement? |
| Question11 | Have you thoroughly validated, and attest to the accuracy of, the credentials listed throughout your candidate’s VectorVMS profile and resume pursuant to Section 5.2.5 of ITS-009440? |