Duke Clinical Research Institute
United States, North Carolina, Durham
300 West Morgan Street
April 15, 2024

School of Medicine

Established in 1930, Duke University School of Medicine is the youngest of the nation's top medical schools. Ranked sixth among medical schools in the nation, the School takes pride in being an inclusive community of outstanding learners, investigators, clinicians, and staff where interdisciplinary collaboration is embraced and great ideas accelerate translation of fundamental scientific discoveries to improve human health locally and around the globe. Composed of more than 2,600 faculty physicians and researchers, nearly 2,000 students, and more than 6,200 staff, the Duke University School of Medicine along with the Duke University School of Nursing, and Duke University Health System comprise Duke Health, a world-class academic medical center. The Health System encompasses Duke University Hospital, Duke Regional Hospital, Duke Raleigh Hospital, Duke Health Integrated Practice, Duke Primary Care, Duke Home Care and Hospice, Duke Health and Wellness, and multiple affiliations.

Position Summary

The Associate Director, Security, Privacy and Compliance directs the strategic planning and organizational initiatives that support Duke's compliance with FISMA, GDPR, and other regulatory obligations in support of research. The successful candidate is multifaceted in privacy, security, risk, and regulatory disciplines, with the ability to contribute to a unified Governance, Risk, and Compliance (GRC) program for the Duke Clinical Research Institute (DCRI) and the Duke University School of Medicine (SOM). This is a critical role in our organization, responsible for providing practical, timely, and strategic advice on global privacy and data security-related matters.

This role oversees the development of operational plans and monitors the progress and performance of FISMA-driven practices, including capabilities development, service quality, timeliness of deliverables, and adherence to budgets. The Associate Director, Security, Privacy and Compliance serves as the primary point of contact on FISMA, GDPR and other applicable security and privacy issues for the DCRI and the Duke University SOM.

This position directly supports the DCRI Chief Research Technology Officer.

NOTE: This position may have an opportunity to work remotely. All Duke University and Duke Health remote workers must reside in one of the following states or districts: Arizona; California; Connecticut; Florida; Georgia; Hawaii; Illinois; Maryland; Massachusetts; Montana; New Jersey; New York; North Carolina; Pennsylvania; South Carolina; Tennessee; Texas; Virginia; Washington (State); or Washington, DC.

Position Responsibilities

Strategic Leadership

  • Serve as the leader on data protection, privacy, and related security compliance matters.
  • Define the overall FISMA strategy for the DCRI and SOM, both as a high-level roadmap developed with leadership involvement and as tactical plans for technical and research teams.
  • Liaise with and educate investigators, study teams, offices (e.g., ISO, ORC, DHTS), and the Duke research community on data security and privacy requirements and expectations.
  • Collaborate with related Duke and Duke Health offices (e.g., ISO, OARC) to ensure compliance and compatibility with enterprise policies and procedures.
  • Analyze laws, regulations, guidance, and policies to advise stakeholders and communicate expectations to them.
  • Lead effective cross-entity strategic initiatives that include experts in information systems, security, and regulatory compliance, and develop metrics to track and report status to DCRI and SOM leadership.
  • Monitor security and privacy trends and advise leadership on them to proactively manage the DCRI and SOM compliance position.

Operations Management & Service Delivery

  • Oversee financial and staff resources including operating budgets, line management of personnel, matrix management, and vendor services.
  • Monitor and assess the effectiveness of data protection, privacy, and related security controls and work closely with Information Security and business stakeholders on compliance validation, gap analyses, and process improvement.
  • Develop, enhance, and operationalize data protection, privacy, and related security policies, processes, and controls to comply with applicable laws, regulations, and standards.
  • Collaborate closely with key stakeholders and facilitate applicable components of internal and vendor audits and directly support sponsor/government audits of Duke.
  • Assess business critical systems and related data flows to ensure compliance with data protection laws and perform privacy risk and impact assessments.
  • Evaluate tools and implement automation measures to better manage data collection, data mapping, data rights requests, and privacy risk management.
  • Design the roadmap for, and lead the implementation of, an enterprise GRC framework.
  • Develop and deliver training to educate stakeholders on data protection and privacy regulations and requirements.

Research Support

  • Advise PIs and proposal teams on the data and technical approaches that will fulfill FISMA and other relevant data protection and privacy requirements on their grants and contracts.
  • Represent Duke in the business development process through sponsor interactions, marketing materials, and the budgeting and contracting process.
  • Advise on operating methods, including project management, data/system architecture, the software development life cycle (SDLC), and the processes needed to achieve Authority to Operate (ATO) milestones with governmental agencies.
  • Lead negotiations with government agencies on FISMA compliance requirements, resulting in systems being granted an ATO.

Education and Experience

  • Bachelor's degree in Computer Science, Engineering, Information Security, or a related field required; Master's degree preferred.
  • 10+ years of experience in data protection, privacy, and security compliance with solid understanding of GRC and enterprise risk management, including 3+ years in technical leadership.
  • Proven ability to design and implement reliable, repeatable, and auditable data protection, privacy, and security controls in accordance with leading compliance standards (e.g., FISMA/FedRAMP, ISO27xxx series, SOC2).
  • Experience documenting, implementing, and assessing cybersecurity controls using NIST SP 800-53 Revision 4 and FISMA requirements/guidance.
  • Experience successfully leading the work required to receive an ATO from a federal agency.
  • Strong understanding of data privacy regulations and laws (e.g., GDPR, UK GDPR, CCPA, HIPAA) and experience in enabling GRC solutions and controls for data protection, privacy, and security.
  • Practical experience in performing privacy impact assessments and conducting assessments related to third-party/vendor risk, enterprise risk, and data protection risk.
  • Excellent verbal and written communication, analytical, and interpersonal skills.
  • Demonstrated effectiveness in collaborating with internal stakeholders with flexibility, transparency, and respect, all with a desire to establish solid, lasting working relationships.
  • Ability to devise business-friendly, pragmatic solutions that reduce risk and enhance value.
  • Ability to prioritize and work with a sense of urgency; works with agility and can pivot as needed; thrives in a fast-paced environment.

Skills, Training and Certifications:

  • Professional or academic training in cybersecurity or regulatory science; related third-party certifications expected.
  • Must be eligible to successfully receive a federal security clearance if one is determined necessary (e.g., US citizenship).

Duke is an Affirmative Action/Equal Opportunity Employer committed to providing employment opportunity without regard to an individual's age, color, disability, gender, gender expression, gender identity, genetic information, national origin, race, religion, sex, sexual orientation, or veteran status.

Duke aspires to create a community built on collaboration, innovation, creativity, and belonging. Our collective success depends on the robust exchange of ideas, an exchange that is best when the rich diversity of our perspectives, backgrounds, and experiences flourishes. To achieve this exchange, it is essential that all members of the community feel secure and welcome, that the contributions of all individuals are respected, and that all voices are heard. All members of our community have a responsibility to uphold these values.

Essential Physical Job Functions: Certain jobs at Duke University and Duke University Health System may include essential job functions that require specific physical and/or mental abilities. Additional information and provision for requests for reasonable accommodation will be provided by each hiring department.