Job Description

Category:
Administrative/Clerical

Facility:
Corporate

Department:
IS Security

Req Number:
51157

Job Details:

POSITION SUMMARY

Reporting to the Chief Information Security Officer (CISO), the OIS Information Security Manager is responsible for the oversight and ongoing success of the Security Management team within the Office of Information Security (OIS).

KEY RESPONSIBILITIES

The OIS Information Security Manager is responsible for:
* Supporting the Operations, Engineering and Applications teams by providing the security expertise required to ensure that applications and infrastructure are implemented in accordance with company objectives for risk acceptance
* Defining the technical security requirements for all IT security policies, procedures, standards, guidelines, education, etc.
* Ensuring that the organization's infrastructure and applications meet our technical security objectives and are designed, implemented and operated effectively, efficiently and economically
* Performing, reviewing, evaluating, documenting and communicating the results of technical security assessments (e.g., vulnerability assessments, penetration tests, system or application assessments, etc.)
* Recommending, documenting and monitoring the implementation of any corrective actions prescribed as a result of assigned security assessments
* Providing technical and forensic support during investigations into suspected security incidents, in accordance with company security incident handling, reporting and management procedures
* Producing, as required, security metrics reports for the CISO and any other prescribed stakeholders or security steering committees
* Responding to requests for consultation or other inquiries from staff and providing security advice as required
* Supporting requests for information from external authoritative agencies as required (e.g., assessors, auditors, investigators, etc.)
* Providing requested input for the ongoing maturation and development of the information security, risk, compliance and governance strategies necessary to support the business planning process
* Maintaining currency and expertise in emerging trends in security, risk, compliance and governance standards and technologies (both internal and external)
* Ensuring that all necessary security documentation is maintained and kept up to date
* Managing the following specific tools and processes:
  * OIS Tier One operational support, incident and request intake (Help Desk tickets, OIS email box and support calls)
  * Security risk, threat and vulnerability analytics
  * Application security assessments
  * Infrastructure security assessments
  * Information and asset management, security and protection software (e.g., DLP, FIM, CASB, threat/vulnerability management, etc.)

CHALLENGES/PROBLEM SOLVING

* Information security presents a challenge in that there is never a "100% secure" environment; organizations must decide "how much security is enough."
* Information security threats must be assessed in light of their likelihood of occurrence, the potential impact of a security breach, and the cost to mitigate the risk. The potential impacts of a breach can be financial, legal or reputational: for example, loss of revenue due to an information outage or theft, civil and criminal legal penalties, and unwanted publicity due to the disclosure of patients' confidential information or company-sensitive information.
* Constantly evolving external security threats range from individual attackers targeting Steward Health Care to steal and publicize confidential information, to untargeted malicious code that causes extensive, long-term damage to company operations.
* Internal security threats must be addressed as well; a significant share of security breaches originate inside the organization. Internal safeguards include role-based access controls, effective password management practices, and training and awareness programs.
* Information security is a process, not a project. Although enhancements are made to the program on a project basis (such as deploying a new intrusion detection product), it is the ongoing vigilance in monitoring all security processes that leads to an effective security program.
* The most effective security strategy is "defense in depth": multiple layers of technical, administrative and physical safeguards must be employed. The challenge is to implement and oversee an effective mix of safeguards without over- or under-emphasizing any particular one.

DECISION MAKING/LEADERSHIP RESPONSIBILITIES

* Developing, updating and managing assigned information security programs and processes
* Managing, monitoring and administering assigned security, governance, risk and compliance tools and applications
* Determining the security controls and countermeasures necessary to support information security policies and standards, as well as regulatory obligations
* Interpreting risk analyses, identifying the safeguards necessary to mitigate the identified risks, and overseeing their implementation
* Aiding in annual financial budget planning and maintenance
* Contributing to the development and maintenance of the organization's information security policies, procedures, standards and guidelines
* Leading by example by engaging with business and IT leaders, peer organizations and third parties with professionalism and poise

QUALIFICATIONS (KNOWLEDGE/SKILLS/ABILITIES/BEHAVIORS)

Behavioral Competencies and Personal Proficiencies:
* Professionalism, great attitude and high aptitude
* Effective communicator
* Organized and planful
* Risk-based decision-maker
* Agile; transitions smoothly between tactical and strategic thinking
* Conflict resolution skills; influencer and negotiator
* Takes initiative, then maintains drive and enthusiasm
* Organizational competence and astuteness
* Sets and reflects a commitment to high standards
* Teamwork and collaboration
* Selfless, compassionate and responsive to peers and patients
* Confidence and high integrity

Professional Qualifications:
* Expert working knowledge of security, governance, risk, compliance and privacy concepts and practices as they apply to health care and information technology
* Expert working knowledge of relevant authoritative source material (e.g., HIPAA, PCI, Joint Commission, GDPR, Meaningful Use, MIPS, MACRA, etc.)
* Expert working knowledge of relevant industry best practices (e.g., NIST, FIPS, FISMA, COBIT, ITIL, ISO, etc.)
* Expert working knowledge of business risk management strategies and management practices

EDUCATION/RELEVANT EXPERIENCE

Requirements and Preferences:
* Bachelor's or Master's degree in a related field
* Professional certification(s) in information security, governance, risk and/or compliance (e.g., CISSP, CEH, GSEC, CISM, CISA, CCSP, CompTIA Security+, etc.)
* Previous experience managing information security, governance, risk and/or compliance programs
* Minimum of five (5) years' previous experience in a security operations and/or engineering role
* Previous experience in healthcare and understanding of the applicable compliance requirements
* Demonstrated experience consistent with the ISO 27000 series, ITIL, the NIST SP 800 series, and any other controls applicable to network security monitoring and analysis, event escalation, cyber threat analysis and vulnerability analysis
* Specific experience in monitoring, evaluating and interpreting vulnerabilities and CVEs, their remedies and mitigation measures, escalation techniques, social engineering tactics and phishing techniques, and in performing vulnerability assessments
