The vCISO shall provide expert virtual cybersecurity services up to twenty (20) hours a week during normal business hours, which may be exceeded in the event of a security incident or breach. HCC seeks a fresh perspective on its security measures and protocols, not only to improve its posture but also to identify new risks and opportunities. The vCISO will also be responsible for leading HCC’s efforts to address the nine (9) elements of the Gramm-Leach-Bliley Act (GLBA) for compliance purposes.

1. Perform a detailed cyber risk assessment that includes, but is not limited to, the following:
   • Analyze and iterate upon the previous risk assessment conducted in 2024.
   • Identify, estimate, and prioritize potential information and cyber security risks at the college.
   • Examine HCC's current technology, security controls, policies, and procedures to assess potential threats or attacks.
   • Evaluate HCC's threat landscape, vulnerabilities, and cyber gaps that pose a risk to its assets.
2. Be prepared to act as HCC’s Qualified Individual (QI) to present quarterly reports to HCC.
3. Board of Trustees and leadership as required and specified by GLBA.
4. Enhance HCC’s information security program using a framework such as the Center for Internet Security (CIS) Critical Security Controls or CIS Implementation Group 1 (IG1) that protects HCC in accordance with GLBA security requirements:
   • Use industry standard benchmarks to track adherence to selected frameworks.
   • If needed, develop a step-by-step process for server hardening.
5. Perform third-party and partner evaluations using the Higher Education Community Vendor Assessment Toolkit (HECVAT). Review and update, as needed, the third-party vendor management policy.
6. Provide information security leadership, communication, investigation, mitigation, containment, and post-incident analysis in the event of a cyber incident.
7. Update and enhance existing cybersecurity policies and procedures as required by GLBA.

The policies include but are not limited to:
• Incident Response Plan