Information Security Manager

6 days ago


Oklahoma City, United States Red Rock Behavioral Health Services Full time
Job Description

SUMMARY

The ISM is responsible for establishing and maintaining a corporate-wide information security management program to ensure that information assets are adequately protected. This position is responsible for identifying, evaluating, managing, responding to and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of Red Rock and security best practices. The ISM position requires a working knowledge of information security technologies. The ISM will proactively work with IT staff and other Red Rock departments to implement best practices that meet defined policies and standards for information security. He or she will also oversee and participate in a variety of IT-related risk management activities. A key element of the ISM's role is working with the CIO and Management Team to determine acceptable levels of risk for the organization. The ISM must be able to translate the IT-risk requirements and constraints of the business into technical control requirements and specifications, as well as report on ongoing performance. The ISM coordinates with the IT organization's technical activities to recommend, implement and manage security infrastructure, and to provide regular status reports to the CIO. The ideal candidate is a thought leader, a consensus builder, and an integrator of people and processes. While the ISM is the leader of the security program, he or she must also be able to coordinate disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that security is just one of Red Rock’s activities. It cannot be undertaken at the expense of Red Rock's ability to deliver on its mission.

The ISM's job is composed of a variety of activities, including tactical, operational and strategic activities, such as:

  • Strategic support
  • Security liaison
  • Architecture/engineering support
  • Operational support

ESSENTIAL FUNCTIONS AND RESPONSIBILITIES

  • Manages organization’s information security program
  • Ensures information security strategy is aligned with organizational goals and objectives
  • Develops and maintains information security policies, procedures and standards
  • Identifies and manages existing and emerging risks to the organization
  • Promotes information security awareness within team and across the organization
  • Assists in the development of organization’s disaster recovery plan/business continuity planning
  • Develop effective disaster recovery policies and standards to align with business continuity management program goals. Coordinate the development of implementation plans and procedures to ensure that business-critical services are recovered in the event of a security event. Provide direction, support and in-house consulting in these areas.
  • Work directly with other departments to facilitate IT risk assessment and risk management processes, and work with stakeholders throughout Red Rock on identifying acceptable levels of residual risk
  • Provide strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls
  • Continual monitoring of security policies and technical controls
  • Assists IT Systems, EMR and Support managers in developing and maintaining security policies and processes
  • Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements
  • Monitor and ensure audit trails, system logs and other data sources are reviewed periodically and comply with policies and audit requirements
  • Assist resource owners and IT staff in understanding and responding to security audit failures and mitigate indications of risks or threats
  • Research, evaluate, design, test, recommend or plan the implementation of new or updated information security hardware or software, and analyze its impact on the existing environment; provide the administration of security tools such as Penetration testing, Vulnerability scans, WAF, Data Loss Prevention, etc.
  • Works in liaison with IT, Facilities, and Management to ensure projects are deployed securely
  • Ensures Incident Response Plan/Incident Management Process is followed for security incidents and Plan/Process is reviewed and updated as needed
  • Manage and coordinate operational components of incident management, including detection, response and reporting and participate in problem and change management
  • Ensure timely reporting and adequate participation in investigation for security incidents.
  • Manage the day-to-day activities of threat and vulnerability monitoring, management, identify risk tolerances, recommend response and remediation plans and communicate information about residual risk
  • Monitor the external threat environment for emerging threats, and advise relevant IT staff and stakeholders on the appropriate courses of action.
  • Serve as organization’s HIPAA Security Officer
  • Responsible for annual HIPAA Risk Assessment and ongoing Risk Management to ensure Red Rock meets HIPAA requirements
  • Works with CIO and other IT staff to develop and test Disaster Recovery Plan
  • Assists with other special projects and tasks as required
  • Cross-trains and assists in other areas of IT as required
  • Maintains core competencies in relation to working with co-occurring disorders through continuing education and implementing skills into all aspects of treatment
  • Attends staff meetings, workshops and seminars to learn agency policy, rules, regulations and procedures; participates in ongoing in-service training as well as pertinent external training
  • Ability to work in pressure situations to meet required deadlines; flexibility in work schedule
  • Technical writing skills and ability to train all levels of users

QUALIFICATIONS

  • Relevant Associate or Bachelor’s degree preferred
  • Seven years relevant experience
  • Technical writing skills
  • Excellent verbal communication skills
  • Must be able to manage and schedule multiple projects on an ongoing basis with ability to prioritize and work as a team member and independently
  • Proficiency in performing risk, business impact, control and vulnerability assessments, and in defining treatment strategies
  • Knowledge of and experience in developing and documenting security architecture and plans, including strategic, tactical and project plans
  • Strong analytical skills to analyze security requirements and relate them to appropriate security controls.
  • Knowledge of healthcare environment preferred
  • Extensive experience in an Active Directory environment
  • Extensive experience in a Microsoft 365 Admin/Compliance environment
  • Extensive experience in EDR software such as SentinelOne, CrowdStrike, Cylance, Carbon Black
  • Extensive experience in email security solutions such as Mimecast, Proofpoint, Barracuda
  • Extensive experience in MDR software such as Blackpoint, Arctic Wolf, Red Canary
  • Certifications for information security professionals (CISM, CISSP, CISA, etc.)
  • An understanding of operating system internals and network protocols.
  • Experience in coordinating and managing system technology security testing (vulnerability scanning and penetration testing)
  • Familiarity with application technology security testing (white box, black box and code review)
  • Commitment to the mission of Red Rock BHS

BENEFITS (Full-Time Staff Only)

  • 95% Employer Paid Health Insurance Plan
  • Dental Insurance
  • Vision Insurance
  • Some Positions Qualify for NHSC Student Loan Repayment
  • 403B Retirement Plan with 5% Employer Contribution
  • 3 Weeks Paid Time-off
  • Employer Paid Life Insurance and Long Term Disability

Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities

Red Rock Behavioral Health Services does not discriminate based on race, color, national origin, religion, gender, gender identity, age, marital/familial status, sexual orientation, or disability.


