The Information Security Officer (ISO) provides the vision and strategy to ensure the confidentiality, integrity, and availability of Southwest Key Programs (SWK) electronic systems and information. The ISO collaborates closely with senior and executive leadership, and coordinates activities with other departments including HR, PQI, and Risk. Key responsibilities include creating and maintaining enforceable information security policies; ensuring compliance with regulatory requirements; evaluation, procurement, and deployment of security-related products; and developing and coordinating information security awareness and education programs. Additionally, the ISO will work in collaboration with the SWK Director of Risk to ensure that SWK system-wide disaster recovery and incident response plans are effective. The position may require more work hours than the normal eight-hour workday and also may require 20-25% travel.
Creates information security strategies, both short-term and long-term, in support of SWK’s goals.
Directs an ongoing, proactive risk assessment program for all new and existing systems and remains familiar with SWK’s business processes so effective controls can be put in place for those areas presenting the greatest information security risk.
Communicates risks and recommendations to mitigate risks to the executive team communicating in non-technical, relevant, cost/benefit terms so decisions can be made to ensure the security of information systems and information entrusted to SWK.
Oversees all ongoing activities related to the development, implementation, and maintenance of SWK’s information security policies and procedures.
Works with the SWK Privacy Officer to ensure full organizational compliance in securing PHI and PII.
Assists other departments including HR, PQI, and Risk, as well as programs, to ensure regulatory compliance including HIPPA.
Develops information security awareness training and education programs.
Ensures and tests that proper protections including intrusion detection and prevention systems, firewalls, and effective physical safeguards are in place and working as designed.
Performs risk assessments on a planned interval (quarterly) to review implemented processes to ensure the continuity, suitability and effectiveness of SWK’s approach to managing information security.
Performs vulnerability scanning on a re-occurring basis using specialized scanning tools and techniques that evaluates the configuration, patches, and services for known vulnerability is employed.
In collaboration with Risk, develops a business continuity/disaster recovery plan to provide for the ongoing availability of computer resources.
Defines and ensures that backup copies of information and software are completed on a routine schedule and tested regularly.
Evaluates security incidents and collaborates with the SWK Incident Response Team when sensitive information is breached.
Creates security categorization procedures to classify systems and information that is stored, processed, shared, or transmitted with respect to the type of data (e.g., confidential or sensitive) and its value to critical business functions are in place.
Defines position categorization or role based provisioning rules using least privilege model.
Performs system log monitoring to review audit logs, security events, system use, systems alerts or failures, etc.
Defines access controls and use policies and procedures to ensure appropriate use of computer assets to include but not limited to password, wireless access, remote access and mobile policies.
Defines boundary protection to protect and secure the network infrastructure and ensure transmission integrity and confidentiality.
Remains competent and current through self-directed professional reading, developing professional contacts with colleagues, attending professional development courses, attending training, conferences, and/or courses as directed by the supervisor, and obtaining certifications relevant to job duties.
As a member of the SWK Operations Team, supports and contributes to the goals and objectives of the team.
Able to react to change productively and handle other essential tasks as assigned.
Qualifications and Requirements:
Bachelor’s degree required
Master’s degree preferred
Professional certification (CISSP, GIAC, CISA, CISM, etc.) preferred
Frequently required to use hands to handle office equipment to include telephones and computer equipment.
Specific vision abilities required include ability to adjust focus for work with computers. Driving as part of travel requirements, attendance of meetings, and company errands in performance of duties. Must be able to read, write, and communicate both verbally and in written form to express and exchange ideas. While performing the responsibilities of this job, the employee must be able to access all components of work station and other office equipment. Frequent typing, writing, bending and twisting. Must be able to lift up to 50 pounds.
An office environment with constant exposure to computers, telephone equipment, etc. A busy environment with many interruptions. The noise level in the work environment is generally moderate. While performing the duties of this job the employee is exposed to weather conditions prevalent at the time. This position is mostly sedentary, involves sitting most of the time, but may involve walking or standing for brief periods of time. Frequent computer use at workstation for extended periods of time. Public contact position requiring appropriate business apparel.