Chief Information Security Officer

Salt Lake City, Utah

University of Utah
Job Expired - Click here to search for similar jobs
This position reports to the CIO and has overall responsibility for ensuring that appropriate policies, standards, procedures and automated mechanisms, designed to appropriately protect the security of information, are documented and followed across the Institutions (University of Utah and University of Utah Hospital and Clinics). Sensitive or protected information may include information related to patients, employees, students, and faculty, as well as information protected by state, federal, or industry policy (FERPA, HIPAA, FISMA, PCI, etc.). This information may exist in either electronic or paper form.

The Chief Information Security Officer (CISO) has management responsibility over the Information Security Office, including the hiring, evaluating, training, performance management, salary administration, mentorship, development and retention of staff.

The position works closely with the General Counsel of both the University and Hospital and Clinics, those areas within Information Technology with responsibility for system and network security, access control, physical security, application development and/or application product selection and procurement, as well as all relevant academic and administrative Schools and Departments throughout the Institutions.

This position also interfaces with other Utah higher education institutions, as well as other private and governmental agencies.

The CISO will work with relevant government and regulatory agencies to interpret regulations related to the protection of information owned by, or entrusted to the control of, one of the University of Utah institutions.

The CISO will provide advice and counsel related to the development of policies, procedures and electronic safeguards designed to meet the needs of government regulations. The CISO must help the Institutions identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of information; evaluate the effectiveness of the current safeguards for controlling these risks; design and implement safeguard programs, and regularly monitor and test those programs. The CISO will work with appropriate senior leadership to determine methods for dealing with infractions of policies associated with privacy and security, and will identify individuals or groups where inappropriate behavior exists. The CISO will be responsible for development of procedures related to internal reaction to a security event.

Additionally, the CISO will take a leadership role in coordinating activities related to a security event and will act as a focal point for the distribution of security information including alerts, notices of significant intrusions, etc. They will also develop and conduct regularly scheduled security and privacy awareness programs.

Responsibilities

• Development of security and privacy policies (in conjunction with IT governance and other policy development groups) that embody industry best practices. Areas of oversight include, but are not limited to, EMR system, ERP system, data warehouses, information systems, email, identity and access management, software evaluation, cloud storage and systems, infrastructure for accessing systems, security systems used to monitor activities, and business systems.

• Perform management functions associated with leadership of the Information Security Office, including the hiring, evaluating, training, performance management, salary administration, mentorship, development and retention of staff in a complex multi-billion dollar organization.

• Coordinate responses to security events or violations of the confidentiality of information. This includes coordination of activities related to containment, forensics, management notification, interaction with Marketing and Communications and General Counsel, etc.

• Review and oversee critical notification processes for security incidents. Ensure that processes to identify and appropriately announce security incidents, as well as internal procedures outlining responses to security-related problems, appropriately reflect widely practiced processes found at other national research universities and other major academic medical centers, and adhere to all regulatory requirements.

• Coordinate planning activities related to responses to security events. Planning activities are to include cross departmental and cross campus procedures, as well as coordination with outside law enforcement or partner agencies.

• Work with regulatory bodies and the Legal offices to interpret regulations, laws, grant stipulations, etc. and develop policies, processes and standards that ensure compliance with these regulations.

• Develop a formal process to review, on a quarterly basis, procedures, incidents, and responses associated with the security of information and report to senior management all relevant materials. Also facilitate a metrics and reporting framework for measuring the efficiency and effectiveness of the security program.

• Participate in the evaluation of vendors, and weigh in on activities and capabilities that relate to business continuity, disaster recovery, and enterprise architecture.

• Prepare and present training activities, materials, and awareness programs that encourage proper security practices and prepare the organization for security events.

• Validate that activities and controls related to the prevention of security incidents are in place and being followed and improved. This includes a review of physical access controls where secure information is contained, review of software programs and operating systems to ensure that updates and patches are being applied, review of security procedures to ensure compliance, review of adherence to policies and standards governing the use and management of systems, involvement in testing of disaster recovery and business continuity plans and validation of results, etc.

• Ensure that risk assessments are conducted as they relate to the appropriate protection of electronic resources. In conjunction with other departments within the Institutions, conduct regular risk assessments.

• Ensure that appropriate controls related to the access of secure information are documented and are being followed (this may include access control lists, passwords or other access controls, authentication and authorization mechanisms, etc.).

• Evaluate gaps in security and identify solutions to mitigate risk, including business process, technical controls, or policy improvements.

• Work with other groups and offices within the Institutions to assess the level of risk associated with the maintenance of paper records, management of information contained in non-electronic form, use of electronic signatures, use of identifying information (patient identifier, Social Security Number, etc.), use of identification cards including smart card technology. Assist with the development of policies and processes designed to protect information and reduce the risk of exposing this information.

• Assess the Institutions' compliance with policies and report the results of these assessments to executive management.

• Develop guidelines for disciplinary actions that would apply to persons or groups found to be in violation of policies.

• Build collaborative internal relationships with research, clinical and administrative groups, as well as external relationships with regulatory bodies, other hospitals and universities (especially other academic medical centers), and local and national security groups (e.g. SAN, CERT, etc.).

This job description is not designed to contain or be interpreted as a comprehensive inventory of all duties, responsibilities and qualifications required of employees assigned to the job.

Minimum Qualifications

Requires a bachelor's degree in a related area or equivalency (one year of education can be substituted for two years of related work experience) with at least 10 years of progressively more responsible management experience, no less than 4 of those years in an IS-related capacity, and demonstrated leadership, human relations and effective communications skills. Master's degree in a related area preferred.

Applicants must demonstrate the potential ability to perform the essential functions of the job as outlined in the position description.

Preferences

Preference will be given to applicants with the following qualifications:

Four-year degree in a related technical, audit, law or security field, in combination with a minimum of 10 years of experience in a business environment (health care or higher education preferred) with a track record of progressive responsibilities and at least five years in a management capacity. A combination of work experience and specialized technical training may be substituted for a college degree.

Candidate should have a minimum of four years of experience in an IS-related capacity that includes a general understanding of application programming and design, database design, networking components (switching, routing, wireless technologies, etc.), security components (firewalls, intrusion detection engines, etc.), computer operations, and operating system maintenance.

It is essential that the individual have an understanding of privacy and security regulations as they apply to FERPA, HIPAA, FISMA, and PCI DSS.

Ideal candidates also should have:

• At least one industry accepted certification, such as CISSP, CISM, or CISA.

• A general understanding of the research environment.
Date Posted: 10 May 2024