Contribute to the overall work activities of the Information Security Governance Team
Stay current on industry trends, emerging risks, and legal and regulatory changes, and participate in industry forums (e.g., ISACA, ISSA, ISC2, HITRUST).
Contribute to the creation and maintenance of policies, standards, and guidelines for the Information Security Department.
Contribute to GRC activities in the compliance and risk management modules.
Assist in the creation of reports and metrics on governance activities using the GRC solution, and manually where necessary.
Conduct policy exception activities.
Consult with information technology and solution owners on the interpretation and application of controls.
Conduct internal and external audit activities for governance controls.
Conduct network security reviews for governance controls.
Cross-train with the manager of the Risk Assessment team and conduct hospital and other facility Risk Assessments both onsite and virtual.
KNOWLEDGE AND SKILLS REQUIRED:
Experience working with the HITRUST Common Security Framework or similar framework
Knowledge of the following areas: HIPAA Security and Privacy Rule, Red Flags Rule, Healthcare IT Standards (HITSP), NIST 800-53 and PCI.
Knowledge of information technology and the application of information security controls in IT environments
Knowledge of regulatory requirements and emerging trends and issues
Understanding of enterprise security systems (e.g., Firewalls, VPN, IDPS, SIEM), security threats and related risks
Demonstrated communication skills
Ability to write, edit and maintain a large volume of professional documentation including policies and procedures in a high pressure and time sensitive document development cycle
Knowledge of metrics creation
Experience working in a policy and procedure management solution(s) (e.g. PolicyMedical, NAVEX PolicyTech, PolicyStat)
Experience working in a Governance, Risk and Compliance (GRC) solution(s) (e.g. Keylight, Archer, RSAM)
Microsoft suite of applications (Word, Excel, PowerPoint, Visio etc.)
Excellent written and verbal communication skills
Soft skills such as multitasking, self-motivation, prioritization, time management, teamwork, communication and strong interpersonal skills
Team player and a quick learner with strong communication and presentation skills
KNOWLEDGE AND SKILLS PREFERRED:
Strong background in IT, information security
Ability to assess the organization's information security needs and then design controls that align with an information security framework as well as the organization's IT and business goals
Strong technical background in information security requirements and standards (e.g. HIPAA, HITRUST, HITECH, NIST, ISO 27001/2, ITIL, and PCI)
Five or more years of experience maintaining information security controls in an IT environment
Working knowledge of asset management, pen-testing, vulnerability management, access management, configuration management, encryption techniques, secure development lifecycle (SDLC), cloud security, and 3rd party security.
Sound understanding of Payment Card Industry (PCI) standards and requirements
Knowledge of digital forensics, software programming, and application security
EDUCATION AND EXPERIENCE REQUIRED:
Bachelor's degree in computer science, information systems, cyber security or a related field, or an equivalent five years of related work experience
Five or more years of experience in risk assessments and risk-based information security programs.
At least five years of experience with information security frameworks (NIST, ISO, or HITRUST).
EDUCATION AND EXPERIENCE PREFERRED:
Master’s in computer science, information systems/technology, cybersecurity or business administration from an accredited university.
Three or more years of work experience in security risk management in healthcare industry.
LICENSURE, CERTIFICATION OR REGISTRATION REQUIRED:
Certified Information Systems Auditor (CISA) and/or
Certified Information Systems Security Professional (CISSP) or willing to complete CISSP within 12 months
The Senior Information Security Specialist, as part of the risk management team, will safeguard information system assets by analyzing the security requirements of AdventHealth, all of its entities, and its information systems to identify and solve potential and actual security issues. This function will perform regular and ad-hoc risk assessments and follow up on remediation activities to update the risk posture of implemented security controls. This position will also be responsible for assisting with designing, planning, implementing and maintaining the information security risk management program and related tools. Other key activities include reviewing existing information security policies, ensuring that risk management procedures are implemented in accordance with information security policy and standards, and ensuring that security metrics are measured to provide a snapshot of the organization's overall information security governance and risk posture.

Senior Information Security Specialists in our team must analyze security requirements, measures and concerns to help the business and operational teams develop effective strategies for mitigating security risks. This person should also have knowledge of industry best practices for supporting the security of information systems and related techniques in order to protect the confidentiality, integrity and availability of sensitive information. Strong interpersonal and communication skills, along with critical-thinking, analytical and problem-solving skills, are required to avoid a checkbox mentality and to tackle unexpected challenges by finding intelligent ways of providing information security through best practices and compensating controls. This specialist must have an excellent understanding of current security standards and protocols, up-to-date knowledge of security threats and risks and the related mitigation skills, along with project management experience.
He/she should be able to work well under pressure, independently, and be seen as a leader when participating in a team setting to achieve organizational goals.
AdventHealth Greater Orlando (formerly Florida Hospital) is one of the largest faith-based health care providers in the United States. For 150 years, we have carried on a tradition of providing whole-person care that not only addresses patients' physical ailments, but also supports their emotional and spiritual well-being. We demonstrate the same level of compassion and care for our employees as well, doing all that we can to help them realize their full potential – both personally and professionally.