Reporting to the OIS, Information Security Manager will be responsible for performing the tasks necessary to ensure the success of the Security Management team within the Office of Information Security (OIS).
The OIS, Information Security Analyst will be responsible for supporting the OIS, Information Security Manager's efforts in;
Supporting the Operations, Engineering and Applications teams by providing the necessary security expertise required to ensure that applications and infrastructure are implemented in accordance with company objectives for risk acceptance
Defining the technical security requirements for all IT Security; policies, procedures, standards, guidelines, education, etc.
Ensuring that the organizations infrastructure and applications meet our technical security objectives and are designed, implemented and executed effectively, efficiently and economically
Performing, reviewing, evaluating, assessing, documenting and communicating the results of technical security assessments, (e.g., vulnerability assessments, penetration tests; system or application assessments, etc.)
Recommending, documenting and monitoring the implementation of any prescribed corrective actions resulting from assigned security assessments
Providing technical and forensic support during investigations into any suspected security incidents in accordance with company security incident handling, reporting and management procedures
Producing as required, any security metrics reports for the Chief Information Security Officer (CISO) and any other stakeholders or security steering committees prescribed
Responding to requests for consultation or other inquiries from staff and provide security advice as required
Support any requests for information by any external authoritative agencies as required (E.g., assessors, auditors, investigators, etc.)
Providing any requested input for the ongoing maturation and development of the information security, risk, compliance and governance strategies necessary to support the business planning process
Maintain currency and expertise with emerging trends in security, risk, compliance and governance standards and technologies (both internal and external)
Assuring that all necessary security documentation is maintained and updated
The following specific tools and processes;
OIS Tier One operational support, incident and request intake (Help Desk tickets, OIS Email Box & Support Calls)
Security risk, threat and vulnerability analytics
Application security assessments
Infrastructure security assessments
Information and Asset Management, Security and Protection software (e.g., DLP, FIM, CASB, Threat/Vulnerability Management, etc.)
Information security presents a challenge in that there is never a "100% secure" environment, and organizations must decide "how much security is enough."
Information security threats must be assessed in light of their likelihood of occurrence, the potential impact of a security breach, the cost to mitigate the risk. Potential impacts of security breaches can be financial, legal, public image. For example, loss of revenue due to information outage or theft, civil and criminal legal penalties, and unwanted publicity due to the disclosure of patients' confidential information or company sensitive information.
Constantly evolving external security threats range from individual hackers targeting our client to steal and publicize confidential information to non-specific malicious computer viruses that cause extensive, long-term damage to company operations.
Internal security threats must be addressed as well; a high percentage of all security breaches originate inside the organization. Internal security safeguards include role-based security access controls, effective password management practices and training/awareness programs.
Information security is a process, not a project. Although enhancements are made to our program on a project basis (such as a new intrusion detection product), it is the ongoing vigilance in monitoring all security processes that that leads to an effective security program.
The most effective security strategy is "defense in depth." This means that multiple layers of technical, administrative and physical security safeguards must be employed. The challenge is to implement and oversee an effective mix of safeguards without over or under-emphasizing any particular safeguard.
Behavioral Competencies and Personal Proficiencies:
Professionalism, great attitude and high aptitude
Organized and planful
Agile. Transitions smoothly between tactical and strategic thinking
Conflict resolution skills, influencer and negotiator
Takes Initiative, then maintains drive and enthusiasm
Organizational competence and astuteness
Sets and reflects a commitment to high standards
Selfless, compassionate and responsiveness to peers and patients
Confidence and high integrity
Good working knowledge of security, governance, risk, compliance and privacy concepts and practices as they apply to health care and information technology
Good working knowledge of relevant authoritative source material (e.g., HIPAA, PCI, Joint Commission, GDPR, Meaningful Use, MIPS, MACRA, etc.)
Good working knowledge of relevant industry best practices (e.g., NIST, FIPS, FISMA, COBIT, ITIL, ISO, etc.)
Good working knowledge of business risk management strategies and management practices
Requirements and Preferences:
Bachelor's degree in a related area
Professional Certification(s) in information security, governance, risk and/or compliance (e.g., CISSP, CEH, GSEC, CISM, CISA, CCSP, CompTIA Security+, etc.)
Minimum of (2) years previous experience working in a security operations and/or engineering role
Previous experience in Healthcare and understanding of applicable compliance requirements
Demonstrated experience consistent with ISO 27000; ITIL; NIST 800 series, and any other controls that are applicable to network security monitoring/analysis, event escalation, cyber threat analysis, and vulnerability analysis
Specific experience in monitoring, evaluating, and interpreting vulnerabilities, CVEs, remedies, mitigation measures, techniques for escalation, social engineering tactics, phishing techniques, and performing vulnerability assessments