Assistant Director, Security & Identity (28624)
New York City, NY
Job posting number: #7068500
Posted: August 3, 2020
Application Deadline: Open Until Filled
Job DescriptionPosition Summary
Responsible for the security risk management program including building and maintaining roadmaps for initiatives and projects, risk assessments, incident response, operational management, regulatory and policy compliance and ensuring WCM adheres to federal, state and local regulatory controls as they relate to the institution.
This role works closely with leadership and peers within the Information Technologies & Services department (ITS), the EpicTogether team, and various counterparts at NewYork-Presbyterian Hospital, Cornell University, and other affiliates to ensure security policies and procedures are effectively implemented and managed, and that enterprise system security is closely monitored and managed.
This role is also responsible for working with the Chief Information Security Officer (CISO) to develop and deliver a comprehensive information security and identity management program for WCM. The scope includes information in electronic, print, and other formats. The purposes of this program include: to assure that information created, acquired, or maintained by WCM and its authorized users is used in accordance with its intended purpose; to protect WCM information and its infrastructure from external or internal threats; and, to assure that WCM complies with statutory and regulatory requirements regarding information access, security, and privacy.
Manages and mentors a team of analysts, engineers, and architects responsible for all technical and operational aspects of security and identity management. Assists with recruiting employees; assigns, directs, and evaluates their work.
Works collaboratively with other ITS management to develop program strategy that meets the security, identity management, and business continuity needs of a highly complex medical institution.
Oversees and maintains a vast project portfolio for the implementation or maintenance of new or existing security and identity management technologies. Ensures that project deadlines are met on time, on budget, and of acceptable quality.
Ensures service requests and security-related tickets are resolved in a timely manner within the ticketing management system. Produces metrics on top security incidents, attack vectors, requests, etc.
Assists with capital/operational budgets, including budget planning and design, forecasting, revenue stream development, capacity planning, expertise alignment, and resource optimization. Develops, gathers or maintains divisional/sub-divisional roadmaps.
Develops, implements and ensures continuity across security and privacy practices/procedures.
Provides development guidance and assists in identification, implementation and maintenance of WCM information privacy policies/procedures. Liaises with and offers direction to staff throughout WCM as needed, on information security and compliance matters.
Oversees/allocates resources for incident responses, including electronic discovery efforts, responding to policy violations, or complaints from external parties. Develops, documents and tests security, incident response and forensics policies/procedures.
Assists in fulfilling security and privacy-related internal auditing requirements as requested; works closely with CU Audit Office and external auditors to provide responses to audit requests and follow-up. Tracks and reports on audit status and progress.
Builds ITIL-based processes; provides reporting on status of IS program; develops, negotiates, manages and enforces contracts and service-level agreements for internal and external facing services; and supports/builds upon project management processes.
Assists with oversight of program(s) and related IT initiatives to ensure HIPAA, NIST, PCI, and other applicable regulatory and standards-based compliance.
Performs other related duties as assigned.
Bachelor’s degree in computer science, information systems, management, or relevant field and 5 or more years’ experience as a security professional in a leadership role and a minimum of 10 years’ experience in information technology.
Comprehensive, expert-level understanding of information security and related technologies, such as firewalls, encryption, access controls, SIEM, application security, and authentication and authorization policies, procedures, and technologies.
Experience coordinating and fulfilling requests for internal and external auditors, internal investigations, litigation, and other similar projects.
Experience identifying and creating IT security goals, metrics, and objectives; developing IT security strategies and practices.
Extensive knowledge of risk analysis and the development of security systems and protocols.
Comprehensive working knowledge of HIPAA, HITECH, NIST, FERPA, and PCI.
Information security certifications (e.g., CISSP, CISM, etc.) are a plus.
Extensive knowledge of computer-based patient record system security requirements (particularly Epic and SAP/Business Objects) and various protocols relative to privacy and confidentiality of health information is highly desired.
Familiarity with business continuity, disaster recovery, and business resiliency planning from real-world implementations desired.
Understanding of networking protocols (TCP/IP) and service protocols (HTTP, HTTPS, LDAP, SSL, SSH, SMTP, POP3, DNS, FTP) desired.
Previous experience implementing business impact analysis and security incident response processes and programs helpful.
Technical leadership and managerial experience in an academic or healthcare setting and in-depth knowledge and experience in computer use in medical colleges, universities, and/or other healthcare institutions preferred.
Familiarity with reviewing, writing, and assessing various documents and reports, such as gap analysis reports, SOWs, risk assessments, and security incident reports desired.