The Senior Information Security Specialist, as part of the risk management team, will safeguard information system assets by analyzing the security requirements of Adventist Health System (AHS), all of its entities, and their information systems to identify and solve potential and actual security issues. This function will perform regular and ad-hoc risk assessments and follow up on remediation activities to update the risk posture of implemented security controls, and will provide Employees, Medical staff, and Contingent users (EMC) with security awareness and training. This position will also be responsible for assisting with designing, planning, implementing, and maintaining the security risk management program and related tools.

Other key activities include reviewing and making recommendations on existing security policies, assessing that procedures are implemented in accordance with the security policy and standards, and ensuring that security metrics are being measured to provide a snapshot of the organization's overall security governance and risk posture. The specialists in our team must analyze security requirements, measures, and concerns to help the business and operational teams develop effective strategies for mitigating security risks. This person should also have knowledge of industry best practices for securing information systems and related techniques in order to protect the confidentiality, integrity, and availability of sensitive information.

Strong interpersonal and communication skills, critical thinking, and analytical and problem-solving skills are required to avoid a checkbox mentality and to tackle unexpected challenges by finding intelligent ways of providing security through standards and alternate compensating controls. This specialist must have an excellent understanding of current security standards and protocols, up-to-date knowledge of security threats and risks and the related mitigation skills, along with project management experience. He/she should be able to work well under pressure and independently, and also be able to perform effectively in a team setting to achieve organizational goals.
PRINCIPAL DUTIES AND JOB RESPONSIBILITIES:
Responsibilities and essential job functions include but are not limited to the following:
• Develop an in-depth picture of the organization's security posture through risk assessments, including but not limited to interviewing stakeholders, management, and other executives; reviewing compliance with security policies, standards, and documentation; following up on and validating remediation; and analyzing the security and governance infrastructure.
• Lead risk management program and report findings to upper management.
• Support workforce members at the highest levels in the implementation, remediation, monitoring, and maintenance of security policies, standards, and security corrective actions across the organization, leveraging sound technical knowledge and security concepts.
• Perform all types of risk assessments on security controls enterprise-wide.
• Minimize security threats by examining governance, infrastructure, applications, systems, devices, and facilities to identify security flaws using risk analysis, and follow up on corrective action plans.
• Present findings in a professional manner, recommending mitigations either via new technology, alternative compensating controls, or policy modifications for improving overall security posture.
• Support the security training and awareness program by providing ideas and content to the training teams, as well as conducting presentations on hot security topics for stakeholders as needed.
• Engage and work with a variety of internal departments and external organizations, including but not limited to legal firms, law enforcement agencies, and all other levels of government.
• Participate in the routine administrative work of the corporate data security office (CDSO).
KNOWLEDGE AND SKILLS REQUIRED:
• Knowledge of three or more of the following areas: HIPAA Security and Privacy Rule, Red Flags Rule, Healthcare IT Standards (HITSP), HITECH, Meaningful Use (MU), COBIT, PCI, and HITRUST.
• Working knowledge of information security risk management and risk assessment methodologies.
• Well versed in project management procedures and concepts.
• Must have a diverse set of technical skills, such as IT infrastructure, operating systems, data centers, access controls, cloud security, application security, malware protection, security monitoring, physical security controls, etc.
• Skilled at logging, monitoring, and reporting key performance indicators (KPI) and development of continuous improvement plans.
• Ability to analyze and manage security risks due to joint ventures, acquisitions, contract management processes, and business impact analysis (BIA).
• Ability to negotiate and work with 3rd party consultants as necessary.
• Soft skills, such as multi-tasking, being a self-starter, prioritization, time management, decision making, teamwork, presentation, communication, and strong interpersonal skills.
• Proficiency with the Microsoft suite of applications (Word, Excel, PowerPoint, Project, etc.).
KNOWLEDGE AND SKILLS PREFERRED:
• Strong background in IT, information security, and enterprise architecture.
• Ability to develop a comprehensive picture of an organization’s technology and information needs, and then assess the security structures and controls designed to protect them.
• Strong technical background in security requirements and standards (e.g., HITRUST, HITECH, NIST, ISO 27001/2, ITIL, and COBIT).
• Comprehensive understanding of enterprise architecture designs related to data protection, healthcare applications, and cybersecurity.
• Thorough understanding of enterprise security systems (e.g., firewalls, VPN, IDPS, SIEM), security threats and related risks, malware protection, and virtual networks.
• Working knowledge of asset management, pen-testing, vulnerability management, access management, configuration management, encryption techniques, secure development lifecycle (SDLC), cloud security, and 3rd party security.
• Sound understanding of Payment Card Industry (PCI) standards and requirements for PCI risk assessments.
• Knowledge of digital forensics, software programming, and application security.
• Knowledge of and skills in implementing privacy, audit, and compliance are a plus.
• Team player and a quick learner with strong communication and presentation skills.
EDUCATION AND EXPERIENCE REQUIRED:
• Bachelor’s degree in Computer Science or Information Systems.
• 7 or more years of experience in risk assessments and risk-based information security programs.
• At least 3 years of experience with security frameworks (NIST, ISO, or HITRUST).
EDUCATION AND EXPERIENCE PREFERRED:
• Master's degree in computer science, information systems/technology, cybersecurity, or business administration from an accredited university.
• 4 or more years of work experience in security risk management in the healthcare industry.
LICENSURE, CERTIFICATION OR REGISTRATION REQUIRED:
• Certified Information Systems Security Professional (CISSP)
LICENSURE, CERTIFICATION OR REGISTRATION PREFERRED:
• Project Management Professional (PMP)
• In addition to CISSP, Certified Information Security Manager (CISM)
• In addition to CISSP, Certified in Risk and Information Systems Control (CRISC)
• Information Technology
• Adventist IT
• US-FL-Altamonte Springs
• Staff / Associate
• Bachelor's Degree