This position is responsible for establishing information security policies and standards and for supporting enterprise compliance actions and initiatives. It also manages third-party communications programs, promotes information security awareness across the enterprise, and performs enterprise data governance activities.
Works with oversight committees and privacy, legal and compliance stakeholders to develop enterprise information security policies that address purpose, scope, and policy directives.
Periodically reviews and updates information security, IT security policies, standards and procedures, taking into account the outputs of risk assessments, violations, and exceptions.
Reviews legal, regulatory and contractual information security compliance requirements, develops a strategy for addressing those requirements, and provides periodic statements on information security compliance status. Analyzes and tracks outstanding information and IT security audit non-conformities.
Identifies, monitors, and resolves and/or escalates information security compliance issues.
Oversees third-party information security assessments and conducts ongoing third-party assurance, including auditing of outsourced information security activities. Provides support for joint ventures and mergers and acquisitions.
Defines the information security training and awareness strategy, develops and refines materials and content, and manages delivery. Incorporates security training and awareness into standard corporate communications, with ongoing metrics to drive behavioral improvement.
Regularly communicates metrics reports to the CISO and executive management team. Maintains budgetary oversight for the governance and compliance functions.
Develops and oversees the department budget in line with corporate goals and objectives, and is accountable for meeting annual budgetary goals. Identifies and prioritizes security program expenditures in coordination with IT, Audit, Compliance, and Legal.
Bachelor's degree in Computer Science, Information Systems, Engineering, Business Administration or a related field.
Requires the proficiency level typically attained with 10 or more years of information security experience in positions of increasing responsibility, including 7 or more years in security governance and 5 years of leadership experience.
Strong understanding of governance and control disciplines within the healthcare industry.
Strong understanding of cyber risk management and the ability to communicate cyber risk functions effectively to executives.
Strong understanding of cyber risk frameworks and the ability to lead and oversee their execution and implementation.
Extensive experience in risk evaluation and mitigation strategies.
Strong understanding of metrics development and executive reporting.
Demonstrated experience implementing and managing GRC technologies.
Extensive experience authoring, implementing and maintaining information security policies and guidelines in alignment with the organization's risk tolerance.
Demonstrated experience raising awareness of information and technology risk throughout an organization.
Experience strategizing with cross-functional business partners on information security solutions.
Strong understanding of risk-based decision-making (i.e. risk analysis, mitigation, resolution, acceptance, etc.).
Demonstrated organizational and leadership skills, with the ability to lead, build, and develop a team of senior IT professionals through formal and informal reporting relationships.
Demonstrated communication skills, with the ability to build relationships and influence others to get results.
Extensive knowledge of governance frameworks including ISO 27001, NIST, COBIT and ITIL.
Extensive knowledge of regulations and/or contractual obligations including HIPAA, PCI, Sarbanes-Oxley, GLBA and SOC/SSAE 16.
Advanced degree in Computer Science, Information Systems, Engineering, Business Administration, or a related field.
Industry certifications: CISSP, CISA, CISM, CRISC, EAP, etc.
Additional related education and/or experience preferred.