Develop an in-depth picture of the organization’s information security posture through risk assessments, including but not limited to interviewing stakeholders, management and other executives, reviewing compliance with security policies and standards, reviewing documentation, following up on and validating remediation, and analyzing the security and governance infrastructure.
Lead risk management program activities and report findings to upper management.
Perform risk assessments, risk analysis and report on security controls enterprise-wide.
Document all risk management work consistently using department developed best practices and an enterprise Governance, Risk and Compliance (GRC) solution.
Support AHS workforce members at the highest levels in the implementation, remediation, monitoring, and maintenance of information security policies, standards and security corrective actions across the organization, leveraging sound technical knowledge and information security concepts.
Minimize information security threats by examining governance, infrastructure, applications, systems, devices and facilities to identify security flaws, using risk analysis and following up on corrective action plans.
Present findings in a professional manner, recommending corrective actions and mitigations, whether via new technology, alternative compensating controls or policy modifications, to improve the overall security posture.
Support the information security training and awareness program by providing ideas and content to the training teams, as well as conducting presentations on current security topics for stakeholders as needed.
Engage and work with a variety of internal departments and external organizations, including but not limited to legal firms, law enforcement agencies and all other levels of government.
Participate in the routine administrative work of the information security department.
KNOWLEDGE AND SKILLS REQUIRED:
Knowledge of three or more of the following areas: HIPAA Security and Privacy Rule, Red Flags Rule, Healthcare IT Standards (HITSP), HITECH, Meaningful Use (MU), COBIT, PCI, and HITRUST.
Working knowledge of information security risk management and risk assessment methodologies.
Well versed in project management procedures and concepts.
Knowledge of infrastructure and clinical applications commonly found in a large healthcare system.
Skilled at logging, monitoring, and reporting key performance indicators (KPIs) and developing continuous improvement plans.
Ability to analyze and manage security risks due to joint ventures, acquisitions, contract management processes, and business impact analysis (BIA).
Ability to negotiate and work with third-party consultants as necessary.
Soft skills such as multi-tasking, self-motivation, prioritization, time management, decision making, teamwork, presentation, communication and strong interpersonal skills.
Microsoft suite of applications (Word, Excel, PowerPoint, Project, etc.).
KNOWLEDGE AND SKILLS PREFERRED:
Strong background in IT, information security, and enterprise architecture.
Ability to develop a comprehensive picture of an organization’s technology and information needs, and then assess the security structures and controls designed to protect them.
Strong technical background in information security requirements and standards (e.g., HITRUST, HITECH, NIST, ISO 27001/2, ITIL, and COBIT).
Comprehensive understanding of enterprise architecture designs related to data protection, healthcare applications, and cybersecurity.
Understanding of enterprise security systems (e.g., firewalls, VPN, IDPS, SIEM), security threats and related risks, malware protection, and virtual networks.
Working knowledge of asset management, pen-testing, vulnerability management, access management, configuration management, encryption techniques, secure development lifecycle (SDLC), cloud security, and third-party security.
Sound understanding of Payment Card Industry (PCI) standards and requirements for PCI risk assessments.
Knowledge of digital forensics, software programming and application security.
Knowledge and skills in implementing privacy, audit and compliance.
Team player and a quick learner with strong communication and presentation skills.
EDUCATION AND EXPERIENCE REQUIRED:
Bachelor’s degree in computer science, information systems, cyber security, or a related field, or an equivalent five years of related work experience.
Five or more years of experience in risk assessments and risk-based information security programs.
At least five years of experience with information security frameworks (NIST, ISO, or HITRUST).
EDUCATION AND EXPERIENCE PREFERRED:
Master’s in computer science, information systems/technology, cybersecurity or business administration from an accredited university.
Three or more years of work experience in security risk management in the healthcare industry.
LICENSURE, CERTIFICATION OR REGISTRATION REQUIRED:
Certified Information Systems Auditor (CISA) and/or
Certified Information Systems Security Professional (CISSP) or willing to complete CISSP within 12 months
The Senior Information Security Specialist, as part of the risk management team, will safeguard information system assets by analyzing the security requirements of AdventHealth, all of its entities, and its information systems to identify and solve potential and actual security issues. This function will perform regular and ad-hoc risk assessments and follow up on remediation activities to update the risk posture of implemented security controls. This position will also be responsible for assisting with designing, planning, implementing and maintaining the information security risk management program and related tools. Other key activities include reviewing existing information security policies, ensuring that risk management procedures are implemented in accordance with information security policy and standards, and ensuring that security metrics are measured to provide a snapshot of the overall information security governance and risk posture for the organization. Senior Information Security Specialists on our team must analyze security requirements, measures and concerns to help the business and operational teams develop effective strategies for mitigating security risks. This person should also have knowledge of industry best practices for supporting the security of information systems and related techniques in order to protect the confidentiality, integrity and availability of sensitive information. Strong interpersonal and communication skills, critical-thinking, analytical and problem-solving skills are required to avoid a checkbox mentality and to tackle unexpected challenges by coming up with intelligent ways of providing information security through best practices and compensating controls. This specialist must have an excellent understanding of current security standards and protocols, up-to-date knowledge of security threats and risks, and related mitigation skills, along with project management experience.
He/she should be able to work well under pressure, independently, and be seen as a leader when participating in a team setting to achieve organizational goals.
Internal Number: 21000535
AdventHealth Greater Orlando (formerly Florida Hospital) is one of the largest faith-based health care providers in the United States. For 150 years, we have carried on a tradition of providing whole-person care that not only addresses patients' physical ailments, but also supports their emotional and spiritual well-being. We demonstrate the same level of compassion and care for our employees as well, doing all that we can to help them realize their full potential – both personally and professionally.