IT Security Director

Los Angeles - Onsite
This project has been archived and is not accepting more applications.

Description

Job Duties

Develops, implements, and maintains an ISS technical information security program, defining an annually revised corresponding strategic plan and goals. Leads development of a portfolio of IT Security controls and safeguards, driving standardization as beneficial.
Provides operational leadership on ISS IT Security initiatives impacting the Health System, including prioritizing and leading security and compliance initiatives, and implementation and use of a portfolio of controls & safeguards across IT Operations, IT Applications, and data.
Directs and coordinates IT security operations (engineers, technical staff, and external resources) in the performance of security functions, and coordinates the activities of other Health Sciences and IT staff to ensure the security and privacy. Supervises and develops technical engineering and operational staff.
Oversees delivery from external resources and service providers.
Functions as primary liaison with the Office of Compliance Services.
In collaboration with Compliance, provides facilitation and coordination leadership for IT security risk assessments, audit, and implementation of related remediation.
Collaborates with peer stakeholders to establish an IT security risk management program which identifies and reduces risks on an ongoing basis by aligning and prioritizing information security activities to mitigate business risk priorities. Maintains perpetual roster of prioritized risks, driving necessary visibility, communications, and remediation.
Represents the CIO and CTO at relevant standing and ad hoc meetings.
Provides support, expertise, and compliance assurance to numerous governance forums. Maintains knowledge of security-related regulatory requirements and laws (e.g., HIPAA, HITECH, PCI) and standards (NIST, COBIT, ISO, etc.) affecting healthcare privacy and security assurance, and supports awareness and communications requirements.
Monitors developments and trends within the security industry to help ensure that best practices are implemented and adoption of advanced controls is well aligned with requirements.
In collaboration with Compliance, ensures that a visible and effective Incident Response Policy and Procedure is in effect for timely enforcement, tracking, and reporting.
Provides guidance and liaison to other IT teams to ensure standard operating procedures and processes adhere to and address security requirements (e.g., change management, incident management, etc.).
Develops and implements meaningful security-related metrics that are tracked, trended, and routinely reported to management and governance. Provides progress reports on remediation activities and new implementations or upgrades.
Helps ensure that appropriate physical security controls are in place that correlate with the sensitivity level of the data being protected.
Works with stakeholders and leaders to ensure that a security requirements framework is included in all system/software/hardware due diligence, acquisition, development, and implementation, particularly ensuring requirements are addressed, architected, and documented at the outset of implementation. Also ensures that security requirements are included in all Disaster Recovery & Business Continuity initiatives.

Job Qualifications

Excellent understanding of enterprise security technology, including SIEM, DLP, VPN, DMZ, Intrusion Detection/Prevention, Encryption, Anti-virus, etc.
Excellent understanding of security architecture and design principles.
Excellent understanding of Identity Management governance, provisioning, and federation.
Excellent understanding of authentication and authorization policies, procedures, and technologies.
Excellent understanding of security best practices, including ISO.
Good communication skills, both written and verbal.
Good collaboration skills with peers and superiors.
Good IT Strategic Planning skills.
Good Resource Capacity Planning skills.
Awareness of IT Governance best practices, including COBIT, Val IT, COSO.
Awareness of Project, Program & Portfolio Management methodology and practices.
Awareness of IT Service Management methodology and practices.
Awareness of IT Engineering Lifecycle methodology and practices.
Proficient in Microsoft Office Professional (Word, Excel, PowerPoint, Outlook, Project & Visio).
Ability to learn University structure and policies sufficient to serve as a resource for questions, referrals, and documentation.
Ability to handle sensitive and difficult situations in a professional and responsive manner; ability to exercise own judgment.
Ensures full cooperation in all risk management activities and investigations.
Ability to develop and monitor a budget.
Ability to interact effectively with individuals and organizations at all levels, and to establish and maintain good working relationships.
Ability to develop priorities, meet deadlines despite interruptions, and perform multiple complex assignments.
Ability to work independently on assignments with minimal supervision.
Ability to learn University systems for budgets, payroll, purchasing.
Ability to work overtime as required.
Start date
09/2014
From
Real Staffing
Published at
27.08.2014
Project ID:
765605
Contract type
Freelance