Reporting to the Chief Information Officer, the Chief Information Security Officer (CISO) is responsible for the overall organizational security strategy, security program oversight and security architecture development for the organization. The scope of this role covers all utilized security technologies and services, including protection services, perimeter defenses, physical and logical access control, and user profile management of all employees, contractors and visitors. As the organization's senior security officer, this person also has enterprise-level responsibility for all data/information security policies, standards, evaluations, roles, and organizational awareness. The CISO will work closely with the designated Privacy officer and Legal to ensure that technological and physical access controls effectuate the organization's data privacy policies. The incumbent will work with business, risk management, and technical stakeholders in the development and implementation of a security strategy designed to provide a high level of security over physical facilities and data processing while preserving and enhancing facility and system usability. The incumbent must be able to develop and implement flexible security solutions, dictated by the needs of a hybrid and rapidly evolving business environment.
IT Security Program
Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets.
Investigate and implement proactive and innovative approaches as appropriate, ensuring the security program adequately safeguards the organization against advanced threats.
Provide leadership through strong working relationships and collaboration to develop strategic goals for information security compliance and risk mitigation.
Liaise with external agencies as necessary to ensure the organization maintains a strong security posture against relevant threats and an evolving threat landscape.
Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and continuously increase the maturity of the information security program.
Lead the internal Information Security Committee.
Policies, Procedures, Standards, and Guidelines
Lead and coordinate the development and maintenance of information systems security policies, procedures, standards, and guidelines, ensuring compliance with federal and state laws and regulations.
Analyze new federal and state statutory requirements and other security initiatives to determine the changes necessary for adoption/compliance, and make appropriate recommendations.
Establish a security framework and ensure that policies, procedures, standards, processes and controls adhere to the framework's requirements.
Establish monitoring and assessment processes to ensure compliance with and adherence to established security policies, procedures, and standards.
Develop and maintain the Incident Management Plan and escalate possible incidents to the Security Incident Response Team (SIRT).
Ensure monitoring of security-related information sources for security alerts; assess security breaches/events, oversee appropriate corrective actions, inform the campus community, and identify needed changes based on new security technologies or threats.
Serve as the liaison with external agencies and organizations, including law enforcement, as needed for incident response and planning.
Threat and Risk Management
Ensure that threat and vulnerability resources and technology proactively monitor potential threats and vulnerabilities 24x7, and that protection controls are implemented in a timely and appropriate manner to safeguard and maintain business operations.
Identify and assess the risks of implementing business innovations, and provide an assessment of those risks to business stakeholders.
Design and execute penetration tests and security audits.
Support continuous monitoring activities, vulnerability scans, policy and procedure updates, configuration/incident management, and training.
Coordinate the response to security audit requests from participant organizations and institutions, and ensure that any identified remediation activities are implemented within committed timeframes.
Create a risk-based process for the assessment and mitigation of any information security risk associated with, but not limited to, supply chain partners, vendors, customers, and other third parties.
Monitor compliance with the organization's information security policies and procedures among employees, contractors, alliances, and other third parties.
Facilitate and support the development of asset inventories, including information assets in cloud services and other parties included as part of the organization's technology environment.
Develop, motivate and provide leadership and direction to all staff.
Interview and select qualified candidates for job openings in compliance with applicable employment laws.
Monitor employee performance and provide on-going formal and informal feedback. Draft and administer staff performance evaluations in a timely manner.
Conduct weekly staff meetings to ensure all staff are informed of any company and/or departmental changes and updates.
Reward employees using formal and informal methods. Approve staff leave requests and timesheets and resolve employee attendance and performance concerns.
Oversee project teams dealing with IT security issues, optimizing the contribution of the people involved.
Communications, Training, and Outreach
Oversee the development and implementation of training programs and communications to make systems, network, and data users aware of and understand security policies and procedures.
Facilitate monthly Information Security Council meetings.
Work with legal, risk and compliance staff to ensure that all information owned, collected, and controlled by or on behalf of the company is processed and stored in accordance with applicable laws and other regulatory requirements.
Collaborate and liaise with the privacy officer to ensure that data privacy requirements are included in the security program.
Research and Analysis
Lead or conduct special projects or studies related to information systems security.
Stay well-informed of best practices in the IT security field; coordinate and/or evaluate new and emerging security practices and technologies, and recommend and promote their adoption as appropriate.
Provide expert advice on information and systems security to the CIO and other executives, and serve as an internal consulting resource on information security issues.
Serve as a member of the CIO's Executive Leadership Team.
Represent the organization with federal, state, local, and professional organizations in the area of IT security.
Internal Number: 35866BR
About Inova Health System
Inova is a global leader in personalized health, which leverages precision medicine to predict, prevent and treat disease, enabling individuals to live longer, healthier lives. At Inova, we serve more than two million people each year from throughout the Washington, DC, metro area and beyond. Inova's mission is to improve the health of the diverse community it serves through excellence in patient care, education and research. At Inova, more than 16,000 employees demonstrate their commitment every day to providing the community with expert, world-class, compassionate patient care.