- NIST Standards
- Project Management
- SANS GIAC
The Security Director is responsible for the organization's Information Security (InfoSec) Program including program governance, management, technical architecture, policy and procedures, daily operations, enterprise education, risk assessments/remediation, and cybersecurity incident response and resolution. The position oversees ensuring the confidentiality, integrity and access of electronic protected health information and of monitoring program compliance as well as investigation and tracking of incidents and breaches and in compliance with federal and state laws. The Security Director monitors and reports results of security program activities and initiatives to the General Counsel and the Security Governance Committee.
The Director, Information Security reports directly to the Chief Information Officer.
Participate as a member of the senior management team in governance processes of the organization’s security strategies
Lead strategic security planning to achieve business goals by prioritizing defense initiatives and coordinating the evaluation, deployment, and management of current and future security technologies and practices.
Builds a strategic and comprehensive information security program that defines, develops, maintains and implements policies and processes that enable consistent, effective information security practices which minimize risk and ensure the integrity, confidentiality and availability of information that is owned, controlled and processed within the organization.
Ensures information security policies, standards, and procedures are reviewed and updated annually, and periodic audits are performed.
Identifies areas of weakness in the computer network and defines configurations and tools for mitigation of potential threats.
Initiates, facilitates, and promotes activities to foster information security awareness within the organization.
Creates a culture of cyber security and drives behavioral changes that allow end-user to be better “cyber-aware” practitioners.
Manages security incidents and events involving electronic protected information including: Protected Health Information (PHI), and Personal Identifiable Information (PII), and Payment Card Industry Data Security Standards (PCI DSS)
Ensures that the disaster recovery, business continuity, risk management and access controls needs of the enterprise are documented in plans; annual table top exercises are conducted; and education is provided to applicable leadership and staff.
Ensures that WRMS complies with the HIPAA administrative, technical and physical safeguards
Collaborates with organization senior management and Chief Information Officer for ongoing governance and oversight of the security program.
Align standards, frameworks and security with overall business and technology strategy
Create solutions that balance business requirements with information and cyber security requirements
Identify and communicate current and emerging security threats
Perform vulnerability testing and security assessments
Research security systems and authentication protocols
Develop requirements for local, wide, and virtual private networks security architectures
Develop requirements for routers, firewalls, and related network devices
Works closely with the Corporate Compliance Officer to ensure alignment between security and privacy compliance programs including policies, practices and investigations, and acts as a liaison between the information systems and compliance departments.
Is responsible for initial and periodic information security risk assessment/analysis, mitigation and remediation as well as development and implementation of security risk management plan.
Ensure organization has audit controls to monitor activity on electronic systems that contain or use electronic protected health information.
Oversees, develops and/or delivers initial and ongoing security training to the workforce.
Participates in the development, implementation, and ongoing compliance monitoring of all Business Associates and Business Associate Agreements, to ensure security concerns, requirements, and responsibilities are addressed.
Assists Corporate Compliance Officer as needed with breach determination and notification processes under HIPAA and applicable State breach rules and requirements.
Collaborate with Corporate Compliance Officer, Human Resources, and IS Leadership to establish and maintain a system for ensuring that security and privacy policies are met.
Maintains current knowledge of applicable federal and state security laws, licensing and certification requirements and accreditation standards.
Cooperates with the U.S. Department of Health and Human Service's Office for Civil Rights, State regulators and/or other legal entities, and organizational officers in any compliance reviews or investigations.
Serves as information security consultant to all departments for all data security related issues.
Bachelor’s degree in information systems or a related healthcare or technical field.
5+ years’ experience managing and/or directing an IT and/or Information Security operation.
5+ years’ experience working with state and federal information security laws, including but not limited to HIPAA, NIST, PCI and all other applicable regulations.
Proven experience in planning, organizing and developing IT security and facility security system technologies.
Considerable working knowledge of strategic business theories, business processes, personnel management, and budget management.
Strong personnel management skills in hiring, mentoring, and managing a team of InfoSec staff members to perform their daily duties but to also grow in their information security knowledge.
Demonstrated collaboration, teamwork and long-term planning skills
Advanced project management skills.
Excellent interpersonal skills.
Excellent communication skills, both oral and written.
Ability to present complex ideas in business-friendly and user-friendly language.
Knowledge of HIPAA, state and federal guidelines related to the privacy and security of protected health information (PHI), electronic protected health information (ePHI), personally identifiable information (PII), and consumer data.
Healthcare Privacy and Security (CHPS)
Information Systems Security Professional (CISSP)
GIAC Critical Security Controls Certification (GCCC)
Certified Cloud Security Professional (CCSP)
GIAC Certified Enterprise Defender (GCED)
Certified Ethical Hacker (CEH)
CompTIA A+ - CompTIA Network+ - CompTIA Security+ - ICAgile