Chief Information Security Officer - Information Services-Admin (1.0FTE, Days)
1.0 FTE, 8 Hour Day Shift
At Stanford Children’s Health, we know world-renowned care begins with world-class caring. That's why we combine advanced technologies and breakthrough discoveries with family-centered care. It's why we provide our caregivers with continuing education and state-of-the-art facilities, like the newly remodeled Lucile Packard Children's Hospital Stanford. And it's why we need caring, committed people on our team - like you. Join us on our mission to heal humanity, one child and family at a time.
This paragraph summarizes the general nature, level and purpose of the job.
Reporting to the CIO, the Chief Information Security Officer (CISO) is responsible for the development and implementation of information security strategy for the organization and responsible for establishing, implementing, monitoring, and enforcing the information security governance, standards, and policies across the organization. Responsible for aligning information security activities with business risk priorities through prioritization of security risk and mitigation activities. Responsible for the development of information protection policies specific to hospital requirements as enhancements to organizational policies. Responsible for performing an inventory of information assets, maintaining the asset repository, managing the data classification project that includes assignment of business owners and security administrators for the systems and data of the organization. Responsible for conducting training and communications plans and programs for the hospital, which include security awareness programs, security training, and security training compliance. Responsible for organizational compliance in accordance with information security policies, standards and procedures. Responsible for the exception process, authorizing and documenting all exceptions, and maintaining a repository of all exceptions.
The essential functions listed are typical examples of work performed by positions in this job classification. They are not designed to contain or be interpreted as a comprehensive inventory of all duties, tasks, and responsibilities. Employees may also perform other duties as assigned.
Employees must abide by all Joint Commission Requirements including but not limited to sensitivity to cultural diversity, patient care, patient rights and ethical treatment, safety and security of physical environments, emergency management, teamwork, respect for others, participation in ongoing education and training, communication and adherence to safety and quality programs, sustaining compliance with National Patient Safety Goals, and licensure and health screenings.
Must perform all duties and responsibilities in accordance with the hospital’s policies and procedures, including its Service Standards and its Code of Conduct.
• Develops and implements security strategy for the organization. Leads and advises executive leadership on the security vision that is aligned to organizational priorities and enables and facilitates the organization's business objectives.
• Aligns information security activities with business risk priorities through prioritization of security risk and mitigation activities.
• Develops, implements and monitors a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled or/and processed by the organization.
• Develops information protection policies. Acts as a key advisor to legal and privacy teams for matters of policy violations and manage security events; assist with legal matters associated with such violations as necessary.
• Identifies, evaluates and reports on cybersecurity risk related to assets. Performs an inventory of information assets, maintains the asset repository; manages the data classification project.
• Ensures organizational compliance in accordance with university and divisional information security policies, standards and procedures; responsible for the exception process, authorizes and documents all exceptions, and maintains a repository of all exceptions.
• Acts as a Focal point for all information security related audit work (internal & external). Coordinates with auditors in the execution of audits. Develops a strategy for handling audits and external assessment processes for relevant regulations.
• Provides support and consulting to HIPAA steering committee while staying current on relevant security regulations, laws, and technologies.
• Responsible for oversight compliance with HIPAA Compliance and regulations.
• Responsible for conducting training and communications plans and programs which includes security awareness programs, security training, and security training compliance.
• Provides regular reporting on the current status of the information security program to executive leadership thus supporting business outcomes.
• Provides strategic and tactical security guidance for all IT projects, including the evaluation and recommendation of technical controls.
• Maintain relationships with local, state and federal law enforcement and other related government agencies to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies
• Develops a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the information security, and review it with stakeholders at the executive levels.
• Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate courses of action.
• Facilitate an information security governance structure through the implementation of a hierarchical governance program, in alignment with Enterprise Risk Management Committee.
• Develops and oversees effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals.
Any combination of education and experience that would likely provide the required knowledge, skills and abilities as well as possession of any required licenses or certifications is qualifying.
Education: Bachelor's degree in a work-related field/discipline from an accredited college or university.
Experience: Ten (10) years of progressively responsible and directly related work experience.
License/ Certification: None required.
Knowledge, Skills, & Abilities
These are the observable and measurable attributes and skills required to perform successfully the essential functions of the job and are generally demonstrated through qualifying experience, education, or licensure/certification.
• Ability to manage complex projects and resources (people, costs, and time) across multiple departments.
• Ability to provide leadership and influence others.
• Ability to supervise, coach, mentor, train, and evaluate work results.
• Knowledge and understanding of goals and the interdependencies of functional departments and groups (in health care industry) and the ability to lead large-scale complex IT projects in addressing overall business needs.
• Knowledge and ability to direct a staff in integrating informational technology services with the work requirements and deliverables of units and departments.
• Knowledge and depth and/or breadth of expertise in informational technology disciplines e.g., network operations, databases, software application and interfaces, computer operations, production control, quality assurance and systems management.
• Knowledge and understanding of strategies, deliverables and interdependencies with other functional groups e.g., Compliance, Privacy Officer, Chief Legal Counsel, IT management teams and the HIPAA Steering Committee.
• Knowledge of new technologies (in specific field) and maintain and stay abreast of updates and changes.
• Knowledge of principles and practices of organization, administration, fiscal and personnel management.
The Physical Requirements and Working Conditions in which the job is typically performed are available from the Occupational Health Department. Reasonable accommodations will be made to enable individuals with disabilities to perform the essential functions of the job
Equal Opportunity Employer