Reviews and documents security risk and controls surrounding enterprise information technologies, applications and services. Maintains policies, standards and procedures to align with information security frameworks and enterprise strategies. Supports the information security awareness and training program.
- Develop, update and maintain Information Security policies, standards, guidelines, and procedures. Identify gaps where new policies, standards, guidelines, or procedures are required and work with SMEs to develop the necessary documents.
- Perform research on behalf of the department on IT security matters. Develop Northwell “position papers” and guidelines to address any changes to reflect current best practices, and complete security questionnaires on behalf of Northwell Health.
- Candidate must have a strong healthcare security background.
- Perform application security reviews, vendor/business associate assessments, threat modeling and vulnerability analysis based on the NIST/HITRUST framework.
- Oversee corrective action plan development, establish remediation priorities, and track status.
- Provide information security subject matter expertise to developers, engineers, and workforce members on information security risk assessments, vulnerability remediation and threat detection techniques.
- Maintain Information Security policies, standards and guidelines.
- Develop and maintain security awareness and training materials to reinforce required security controls and address gaps noted in assessments.
- Write technical reports based on security review findings and recommendations.
- High School Diploma or equivalent, required, and a minimum of eight (8) years of progressively responsible information technology risk management or security experience, required
- Bachelor’s Degree in Information Security or Audit or related field, required AND
- Minimum of five (5) years of progressively responsible information security assessment or audit experience, required.
- Thorough knowledge and understanding of current information risk assessment techniques, required.
- Working knowledge of IT standards, federal and state compliance regulations, and security frameworks including HIPAA, HITRUST, NIST, ISO27001, and PCI-DSS, required.
- In-depth technical knowledge of Information Security principles and processes and experience writing/maintaining information security policies, standards and guidelines, required.
- Attention to detail, excellent writing, documentation, communication, presentation, customer service and interpersonal skills, and the ability to work with all levels of management, required.
- Healthcare environment, preferred.
- Certified in at least one of the following: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Security+, Global Information Assurance Certification (GIAC) or related certification, preferred.