Responsibilities & Qualifications

PRINCIPAL ACCOUNTABILITIES:
Under the supervision of the Manager, Information Security, the incumbent's accountabilities include, but are not limited to, the following:
- Execute security governance and compliance leadership through the design and implementation of security policies, procedures, guidelines, and standards to maintain the confidentiality, integrity and availability of information systems and data.
- Represent Information Security from Security Governance and Compliance perspective.
- Design, implement, and integrate security solutions to address enterprise risks and exposures.
- Develop and maintain Information Security Metrics supported by KPIs and KRIs.
- Provide support and guidance to a technically diverse team of senior-level and junior-level security specialists.
- Provide appropriate training to other security specialists and external customers on the developed policies, standards, procedures, and guidelines.
- Implement necessary enhancements/updates/upgrades to existing security products.
- Serve as lead technical information security coordinator/project lead and as a contributor to cross functional teams for deployment and support of security specific projects and infrastructure to provide information security to the enterprise.
- Apply technology and processes to ensure the enterprise is protected and secured in the following areas:
- Identity and access management.
- Data protection (through the use of technologies such as whole disk encryption, end-to-end e-mail security, public and private key management, data leakage prevention, web application and source code security, database security, etc.)
- Network devices and infrastructure, desktop/mobile devices, and remote access to the network.
- Information governance to ensure data is managed based on its sensitivity, information security policies, guidelines, and standards.
- Information governance through performing day-to-day maintenance and addressing issues and problems associated with security tools.
- Provide general support to the Information Security department in carrying out its assigned functions and responsibilities.
- Provide ad hoc off-hours support and problem resolution as directed by departmental requirements, service level agreements and internal support procedures.
- Provide assistance with audit issues and recommendations for remediation from an Information Security perspective.
- Interact with other IT Operations teams to develop tactical and strategic programs to address processes, controls, organization and infrastructure to manage information security related concerns and satisfy directives.
- Properly interpret business and technical requirements into security solutions and designs that are consistent with the current information security architecture.
- Implement and assist in enforcement of company security policies.
- Document results of system and application reviews including corrective action taken and security related documentation.
- Assist with reviews of current and new CareFirst systems and applications, including changes to existing applications/systems, to assure compliance with Information Security policies and standards.
- Apply creative thinking in problem solving and identifying opportunities for improvements in security.
- Provide Information Security related recommendations regarding CareFirst infrastructure components (communications network, physical security, data access, computer hardware/software and data confidentiality, integrity, and availability).
- Work with intra/interdepartmental technical and business personnel in a dynamic and varying environment.
- Collaborate with other Information Security specialists, designers, developers, and architects.
- Work with other technical teams in the organization such as IT Operations and IT Applications.
- Share ideas, discuss alternatives, and seek input.
- Maintain familiarity with state-of-the-art concepts, procedures, software, and techniques in Information Security in order to be able to effectively assess the needs for and further develop the CareFirst Information Security environment.
QUALIFICATIONS:
College degree in an Information Security or Technology related field, or equivalent experience, plus 7+ years of related work experience. The incumbent will possess a high level of expertise in information security concepts, information security policies, and system architecture concepts, and have experience in process definition, workflow design, and process mapping. In-depth understanding in multiple areas of Information Security such as networking (TCP/IP, OSI model, network protocols), operating system fundamentals (Windows, UNIX, mainframe), security technologies (firewalls, switches, routers, IPsec, IDS/IPS, etc.), voice technologies, authentication technologies, wireless architectures, encryption key management, and mobile device technologies. Also, must have knowledge of vulnerability assessments, privacy assessments, incident response, security policy creation, enterprise security strategies, and governance.
The incumbent must also have an ability to learn Information Security concepts and tools quickly and effectively in a large, complex, multi-platform environment.

Abilities/Skills (candidate should possess most of these):
- Ability to identify and resolve complex issues and develop security solutions to meet CareFirst’s business and technology goals.
- Strong written documentation and technical writing skills are required.
- Excellent presentation and verbal communication skills.
- Ability to effectively lead/complete tasks with a minimal level of supervision.
- Strong computer skills, including knowledge of Microsoft Windows and e-mail systems (Microsoft Exchange).
- Possess broad understanding of the following systems/skill sets:
- System hardening concepts and techniques to support technical standards
- Network and remote access controls
- Unix, Linux, Web application servers
- Virtualization technologies
- Encryption technologies and key management
- Familiarity with access control methodologies (MAC, DAC, RBAC)
- Professional certification such as CISSP, CRISC, CISA, or CISM (lead level only).
- Proven ability to translate technical requirements to the business.
- Proficiency in the creation/modification, ratification, and socialization of security policies, technical standards, procedures, and guidelines.
- Proficiency with security controls for cloud environments (Azure and AWS).
- Proficiency with control implementation and monitoring in addition to information security metrics, dashboards, and reporting.
- Experience working with Information Security tools in a large, complex, multi-platform environment.
- Knowledge of Microsoft security and compliance tools/technologies such as Microsoft Information Protection, DLP and MCAS.
- Proficiency in DLP/DRM tools and methodologies in order to lead an enterprise-wide deployment.
- Proficiency in data classification/data governance methodologies and approaches to ensure data is managed based on its sensitivity, information security policies, guidelines, and standards.
- Project management skills to lead information security projects including project planning/reporting, requirements gathering, stakeholder engagement and tracking deliverables to completion.
- Experience in Audit responses and tracking from an Information Security standpoint to further mature control coverage and monitoring.
- Proficiency with the HIPAA Security Rule and compliance requirements.
Equal Employment Opportunity
CareFirst BlueCross BlueShield is an Equal Opportunity (EEO) employer. It is the policy of the Company to provide equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.

Hire Range Disclaimer
Actual salary will be based on relevant job experience and work history.

Where To Apply
Please visit our website to apply: www.carefirst.com/careers

Closing Date
Please apply before: 9/1/21

Federal Disclosure/Physical Demand
Note: The incumbent is required to immediately disclose any debarment, exclusion, or other event that makes him/her ineligible to perform work directly or indirectly on Federal health care programs.
The associate is primarily seated while performing the duties of the position. Occasional walking or standing is required. The hands are regularly used to write, type, key, and handle or feel small controls and objects. The associate must frequently talk and hear. Weights up to 25 pounds are occasionally lifted.

Sponsorship in US
Must be eligible to work in the U.S. without sponsorship.