Req Number 001U2N
Job Category Information Technology
Reviews and documents security risk and controls surrounding enterprise information technologies, applications and services. Maintains policies, standards and procedures to align with information security frameworks and enterprise strategies. Supports the information security awareness and training program.
Perform application security reviews, vendor/business associate assessments, threat modeling and vulnerability analysis based on the NIST/HITRUST framework.
Oversee corrective action plan development, establish remediation priorities, and track status.
Provide information security subject matter expertise to developers, engineers, and workforce members on information security risk assessments, vulnerability remediation and threat detection techniques.
Maintain Information Security policies, standards and guidelines.
Develop and maintain security awareness and training materials to reinforce required security controls and address gaps noted in assessments.
Write technical reports based on security review findings and
· Validates applicable information security design considerations are appropriately included in all new and existing Northwell Health computing environments.
· Develops and documents application/system specific security hardening guidelines.
· Identifies and defines system security requirements. Reviews and validates that network infrastructure and endpoint device configurations comply with the latest industry standards and framework (i.e. HITRUST, NIST, HIPAA and PCI-DSS).
Performs other duties, as required.
• High School Diploma or equivalent, required, and a minimum of eight (8) years of progressively responsible information technology risk management or security experience, required
• Bachelor’s Degree in Information Security or Audit or related field, required AND
• Minimum of five (5) years of progressively responsible information security assessment or audit experience, required.
• Thorough knowledge and understanding of current information risk assessment techniques, required.
• Working knowledge of IT standards, federal and state compliance regulations, and security frameworks including HIPAA, HITRUST, NIST, ISO27001, and PCI-DSS, required.
• In-depth technical knowledge of Information Security principles and processes and experience writing/maintaining information security policies, standards and guidelines, required.
• Attention to detail, excellent writing, documentation, communication, presentation, customer service and interpersonal skills, and the ability to work with all levels of management, required.
• Healthcare environment, preferred.
• Certified in at least one of the following: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Security+, Global Information Assurance Certification (GIAC) or related certification, preferred.