Chief Information Security Officer
Buffalo, Rochester, Syracuse
Under the direction of the VP & CTO, the Corp Dir Chief Information Security Officer is responsible for the development, implementation and administration of information and data classification guidelines, security standards, policies, procedures and supporting technologies required to protect information assets processed by or stored in all information systems. Manages the Information Security staff within the Corporate Data Security function and provides leadership in the development of information security strategies and architectures. Evaluates risks and threats to systems and assets and implements security policies/controls to mitigate the company's exposure to the identified risks/threats. Identifies and addresses exposures to accidental or intentional destruction, disclosure, modification, or interruption of information. Understands the HIPAA security framework and leads the development and operation of an enterprise-wide information security compliance and reporting program. Advises and consults with all levels of management in the mission of protecting computer resources and information assets against accidental or unauthorized modification, destruction or disclosure. The Director provides leadership and strategic IT direction for a governance framework that recognizes the critical dependence of many business processes on IT, the need to comply with increasing regulatory compliance demands, and the benefits of managing risk effectively. This position is responsible for the alignment of our Corporate and Divisional Strategies as they relate to IT Security and Risk Management, in support of developing the department strategic plan.
• Develops, implements, and administers information security standards, policies, procedures and guidelines, ensuring that they remain up to date with respect to security trends and anticipated threats.
• Establishes and maintains procedures in compliance with State and Federal regulations (including HIPAA).
• Establishes risk management policies, standards and guidelines.
• Develops and promotes network security policies and "best practices."
• Establishes a governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
• Monitors and reports on the progress of the resolution of high impact problems according to established standards. Handles those expectations that relate to schedules, working methods, resources, staff matters, skills assessment or technical difficulties. Passes decisions clearly outside scope upward, including proposed solutions whenever appropriate.
• Provides leadership to Security staff, CIO staff, and the CIO on security issues, strategy and direction.
• Supports the IT vision, mission and strategy; guides security decisions, activities and priorities.
• Oversees the development and delivery of information security and services throughout the Lifetime Healthcare Companies.
• Functions as an internal consulting resource on information security issues.
• Interacts with cross-functional departments to define data security goals and objectives.
• Manages a team that is responsible for creating and implementing new security processes and procedures; developing an effective security awareness program; and overseeing the design and implementation of an Information Security Program.
• Performs day-to-day management of an Information Security department.
• Balances defined business objectives with regulatory compliance.
• Provides effective budget management for the unit.
• Provides coordination and support of other internal/external IT functions where there are security issues.
• Manages the information security function in accordance with the established policies and guidelines.
• Manages all IT Governance, Risk, and Compliance related work projects with impacts to any area within the Information Technology (IT) division.
Risk Assessment and Quality Assurance
• Conducts the information security risk assessment program.
• Coordinates information security efforts with the Internal Audit department.
• Leads cross-functional teams to analyze networked systems for technical security controls to detect critical vulnerabilities and recommend safeguards.
• Develops security certification test procedures, performs security certification testing, and records the test results.
• Ensures all departments comply with policies and standards.
• Works with Internal Audit and external auditors during scheduled and non-scheduled IT audits.
• Leads the resolution of risk "trade-offs" and ensures the proper management team is brought in where needed.
• Coordinates security orientation and security awareness programs that provide training in data security to ensure that there is an appropriate awareness of information security requirements.
• Prepares project security solution reports and designs, including risk assessment.
• Conducts research on current and emerging technologies, as well as security exploitation techniques.
• Directs the development and ongoing reporting of information security data such as access rights violations and unusual activity.
• Provides monthly security report. Reports significant violations to senior management.
• Utilizes software or tools required to monitor and report security related violations, problems or discrepancies.
• Prepares governance and compliance reports for IT as well as the Corporate Compliance, Audit and Legal divisions.
• Prepares responses for Audit findings.
Security Research (Architecture)
• Other duties include facilitating strategy and planning between network security administrators, system security administrators and department security administrators.
• Leads cross-organizational efforts to formulate network security strategies.
• Designs and builds network security mechanisms (e.g. firewalls, VPNs, Intrusion Detection Systems) and works with developers to select and integrate security tools into new and existing systems.
• Provides security architecture and design alternatives for third party access utilizing security risk assessment and analysis techniques.
• Implements encryption, public/private key technologies.
• Formulates, implements, and maintains technical network security strategies and architectures.
• Interacts heavily with the Networking, Internet Development and Web Development groups.
• Consults with development, engineering and operations on the design, implementation and operation of new and existing systems relative to network security.
• Ensures key network security strategic initiatives are in conformance with industry and internal architectural goals.
• Provides high-level information security-related services to internal and external customers.
• Provides consultation regarding the establishment of complex systems and application security.
• Investigates network security incidents as required.
• Participates in enterprise-wide computer security response team when significant network, Internet, or related security incidents occur.
• Provides oversight of vulnerability analysis, monitoring, intrusion detection/incident response, secure application and host design, security assessments and security consulting.
• Dotted-line reporting relationship to the SVP & Chief Information Officer and the Corp VP & Chief Compliance Officer.
• Consistently supports regulatory compliance and the Lifetime Healthcare Companies code of conduct by maintaining the privacy and confidentiality of information, protecting the assets of the organization, acting with ethics and integrity, reporting non-compliance, and adhering to applicable federal, state and local laws and regulations.
• Collaborates with Legal, Audit and Compliance, as well as internal IT, regarding audit findings and remediation efforts.
• Develops and coordinates internal test plans and facilitates testing of internal controls as documented.
• Plans and implements the execution of the IT internal control documentation for the IT division's impacted areas.
• Ensures remediation actions are completed in a timely manner for all noted control deficiencies. This includes working with all levels of the organization to champion required actions, and requires strong negotiation skills and comfort operating with senior executives as well as front-line staff.
• Conducts governance, risk and compliance assessments (including risk modeling and analysis) and coordinates risk mitigation plans.
• Supports the implementation of IT GRC tools within IT GRC projects.
• Understands the HIPAA security framework and leads the development and operation of an enterprise-wide information security compliance and reporting program.
• Consistently demonstrates high standards of integrity by supporting the Lifetime Healthcare Companies’ mission and values and adhering to the Corporate Code of Conduct.
• Maintains high regard for member privacy in accordance with the corporate privacy policies and procedures.
• Maintains knowledge of all relevant legislative and regulatory mandates and ensures that all activities are in compliance with these requirements.
• Conducts periodic staff meetings, including timely distribution of, and education on, departmental and Ethics/Compliance information.
• Regular, reliable attendance is expected and required.
• Performs other functions as assigned by management.
• B.S. in Computer Science/MIS/Telecommunications or related field required. CISSP Certification preferred.
• Minimum of ten years of computer science experience, at least seven of which are in a managerial role.
• Project management experience leading large, complex projects and the ability to manage multiple priorities.
• Planning and organizational skills. Excellent communication/people skills to interact with executive management, technical and administrative associates in verbal, written and presentation formats.
• Ability to document application security policies and procedures to effectively communicate security standards to all levels of management and staff.
• Basic knowledge of multi-platform operating systems, programming languages, databases and security structures.
• Basic knowledge of mainframe/client-server platforms, telecommunications, Internet and data center operations.
• Basic knowledge of mainframe/midrange access control systems, NT/Internet security, firewalls, encryption, and virus detection. Specialized security training or security certification desirable.
In support of the Americans with Disabilities Act, this job description lists only those responsibilities and qualifications deemed essential to the position.
Equal Opportunity Employer