Information Security Manager:
CHOP

16483-en_US
CHOP
Philadelphia Pennsylvania
Healthcare
Description

Req ID: 16483

Shift: Days

Employment Status: AF - Active - Regular - Full Time 

Job Summary

1. Demonstrates expert knowledge and understanding of Information security principles, general IT controls (e.g., business continuity and change management), regulatory standards (HIPAA Security Rules, PCI, and HITECH, FISMA) or any new or amended laws, regulatory standards and requirements
2. Knowledgeable in cloud computing, security and privacy for cloud computing and related cloud standards (e.g., ISO 27000 standards)
3. Demonstrates expertise in network security issues, firewall concepts, network security architecture.
4. Hands-on knowledge of information security technologies such as continuous security monitoring, anti-malware controls, intrusion detection/prevention.
5. Expertise in managing cybersecurity risks and related response teams, such as the Computer Incident Response Teams (CIRT).
6. Experience managing a Security Operations Center (SOC) or similar operating environment
7. Expertise in specific security issues around Windows, UNIX, cloud platforms, and risk and vulnerability management
8. Excellent written communication skills, with a focus on communicating the business impact of technically complex issues.

Job Responsibilities

General Management
1. Manage a diverse team of professional resources providing InfoSec and compliance support for CHOP business and clinical systems, including managing matrix reporting relationships and consultants.
2. Effectively assess InfoSec resource allocation and manage resource productivity, prioritization of work, and individual goals/objectives, including performing bi-annual and annual performance evaluations
3. With the assistance of CHOP Human Resources, coordinates recruitment of qualified and competent support staff, professional and technical staff.
4. Manage operational initiatives and capital planning projects, as deemed necessary by the CISO.
5. Develop and maintain positive relationships with senior and executive leadership and other Hospital and corporate personnel (customers).
6. Produce/deliver management level presentations to CIO leadership team, IS personnel, clinical/business units and other senior/executive leadership.
7. Participate in the production of executive level presentations with CISO for Board presentations (e.g., Audit Committee) and CHOP senior/executive management committees (e.g., Risk Committees).
8. Perform related duties as needed.

Risk Management, Audit & Compliance
1. Work closely with and support the CISO, CTO, and other IS leadership to maintain the Information Security Management Program model for the Hospital, the Research Institute and any related affiliates and Hospital groups (e.g., Office of General Counsel, Compliance and Privacy Offices).
2. Manage compliance to regulatory requirements (e.g., PCI DSS, HIPAA Security Rule, FISMA), including supporting internal and external audit activities and support vendor data risk assessments
3. Manage and support emerging frameworks and processes related to security for cloud computing, including developing and managing cloud security operational processes/procedures for the Hospital, the Research Institute, and Hospital strategic partners.
4. Develops and/or interprets CHOP information security policies, standards, and procedures and manages the maintenance of revisions and updates based on Hospital policy.
5. Manages the Hospital’s Governance, Risk, Compliance (GRC) technology and related processes to support identification and tracking of enterprise IT risks and annual risk assessment compliance.
6. Monitor the effectiveness of the InfoSec and regulatory compliance services provided.

Business Continuity Planning & Operations
1. Provide leadership for InfoSec through collaboration with the Business Continuity Management and Quality Assurance teams to assist with development and interpretation of policies, standards, guidance and procedures supporting Hospital compliance with contingency planning for HIPAA
2. Provide leadership to support Hospital initiatives around business continuity management through partnerships in table top exercises, including leading the CHOP IS/InfoSec SWAT team to achieve Hospital goals.
3. Providers leadership in conjunction with Business Continuity management in support of contingency planning and disaster recovery processes, including managing scheduled risk assessments and clinical/business contingency activities to reduce impact of emerging threats to the Hospital (e.g., cyber liability insurance, tabletops/planned exercises).

Job Responsibilities (Continued)

Threat & Vulnerability
1. Manage the Hospital’s Security Operations Center activities (SOC), including metric reporting to the CISO, CTO, and IS management and team members that support the SOC.
2. Manage matrixed teams that support the Hospital’s cybersecurity approach and its SOC in incident identification, risk assessment, response prioritization, and actions planning.
3. Manage a suite of technology tools (e.g., DLP, SIEM) and support threat and vulnerability management procedures and processes.
4. Support eDiscovery and Hospital investigations (both external and internal) and support at required legal litigation as deemed necessary by the Office of General Counsel.
5. Manage annual penetration testing and related regulatory requirements for compliance against industry standards (e.g., PCI, HIPAA Security) and any other emerging standards or threats to the Hospital network.
6. Partner with the Director of Privacy and other Hospital management to support compliance with regulatory requirements (e.g., HIPAA Privacy).
7. Manage the Hospital monitoring processes and procedures for log analysis and Security Incident and Event Monitoring.

Job Responsibilities (Continued)

Personal Security
1. Manage the InfoSec and compliance risk education, training and awareness program for new, existing employees, and other authorized users of Hospital Technology Resources (e.g., New Hire Orientation, New Leader Orientation, and Mandatory Awareness Training).
2. Manage the production of general and specialized education and training for the Hospital, Research Institute workforce and affiliates (e.g., Simulated Phishing)
3. Champion the implementation of related security controls to mitigate risk to the organization and facilitate the achievement of clinical/business goals and objectives.
4. Partner with Hospital Security management on facility plans for security highly sensitive and confidential Hospital locations that maintain protected health information.

Budget, Vendor Management and Optimization
1. Support fiscal year operational and capital planning processes, including tracking IS capital and operating budgets
2. Assist CISO to manage overall service maintenance agreement budget and training request budget.
3. Establish, monitor and maintain InfoSec departmental productivity measures and metrics, and assess compliance against established measures/metrics
4. Support Hospital and IS departmental vendor management/contract authorization processes
5. Performs related duties as needed.

Required Education and Experience

Industry security certification required:
• HealthCare Information Security and Privacy Practitioner (HCISPP) or,
• Certified Internal Auditor (CIA) or,
• Certified Information Systems Security Professional (CISSP) or,
• Certified Information Systems Auditor (CISA) or,
• Certified Information Security Manager (CISM) or,
• Certified in the Governance of Enterprise IT (CGEIT) or,
• Certified in Risk and Information Systems Control (CRISC) or other industry related certification.

Additional Education and Experience:
• Bachelor’s degree in Computer Science, Information Systems, or related field required
• 12-15 years of experience with a broad range of exposure to InfoSec aspects, including security controls, baselines standards, general business planning, systems analysis, system development, maintenance, and application development
• 6+ years of experience with information security, regulatory compliance and risk management concepts
• 4+ years’ experience with managing team(s) and project(s) and with working in matrixed high performance teams.
• Minimal 1 year managing a SOC environment
• Demonstrates comprehensive knowledge and understanding of Information security principles, general and IT controls (e.g., access controls, risk management, change management), related security policies and procedures.
• Exhibits knowledge of industry regulatory standards and accreditation requirements or control frameworks (HIPAA, PCI, Joint Commission, NIST, Red Flags, ISO 27000 series)

Additional Technical Requirements

• Comprehensive know of information security regulations, standards and leading practices, including understanding of EHR application access controls
• Experience with risk management and cloud computing standards and frameworks
• Knowledge of database query techniques & data mining to analyze data or other related database functionality
• Knowledge of Microsoft Active Directory, UNIX, and Clinical Applications a plus
• Experience implementing application level security in clinical and financial systems (e.g., Epic, Lawson). ERP experience a plus
• General understanding of networking and communication techniques including WANs, LANs, Internet, Intranet, protocols, such as TCP/IP and their impact on security
• Microsoft, UNIX, Lawson, and Clinical Applications (e.g., Epic)
• Experience with industry standard SDLC methodologies; hands-on experience in Project Server methodologies, PMO project management skills, including use of MS productivity tools

All CHOP employees who work in a patient building or who provide patient care are required to receive an annual influenza vaccine unless they are granted a medical or religious exemption.

Children's Hospital of Philadelphia is committed to providing a safe and healthy environment for its patients, family members, visitors and employees. In an effort to achieve this goal, employment at Children's Hospital of Philadelphia, other than for positions with regularly scheduled hours in New Jersey, is contingent upon an attestation that the job applicant does not use tobacco products or nicotine in any form and a negative nicotine screen (the latter occurs after a job offer).

Children's Hospital of Philadelphia is an equal opportunity employer. We do not discriminate on the basis of race, color, gender, gender identity, sexual orientation, age, religion, national or ethnic origin, disability or protected veteran status.

VEVRAA Federal Contractor/Seeking priority referrals for protected veterans.  Please contact our hiring official with any referrals or questions.

CHOP Careers Contact 

Talent Acquisition

2716 South Street, 6th Floor

Philadelphia, PA 19146 

Phone: 866-820-9288 

Email:TalentAcquisition@email.chop.edu

 

 

Basic Qualifications
Requirement