The job below is no longer available.

Hours Full-time, Part-time
Location Sacramento, California

About this job

Reporting to the Deputy Chief Information Security Officer (CISO), the Affiliate Information Security Officer (ISO) is responsible for establishing and maintaining the information security program at Sutter Health affiliates, including hands-on execution and day-to-day management of the Affiliate Information Security Program. The ISO is responsible for identifying, evaluating, and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the organization. The ISO enables the organization to achieve its mission of providing world-class health care to its communities and proactively works with business units to evaluate, educate, and implement practices that meet defined policies and standards for information security. The ISO effectively works with affiliate and enterprise leadership to determine acceptable levels of risk for the organization and reports on variance. The ISO maintains a deep knowledge about the business environment and ensures ongoing security controls are maintained. In addition, the ISO advises the appropriate Organizational Unit (OU) DCISO regarding the Information Security Program Strategic Plan and Roadmap, and budget required to maintain the security risk profile as directed by the Sutter Health Board of Directors and senior leadership. The ISO represents Information Security at business executive leadership, steering, governance, and board committees. As the security leader for the assigned area of responsibility, the ISO fosters a culture of security among the Sutter Health workforce within the affiliates and foundations. In addition, the ISO collaborates with affiliate and foundation executives, Compliance, Legal, Privacy, Human Resources, Sutter Health IS management and staff, and other personnel as appropriate in matters relevant to information security.

Education / Certificate

* Associates Degree 15 Years' Experience in Information Security plus Security certifications is required.
* Computer Science, Information Security, Business, Management, Information Technology or related field is required or equivalent combination of experience.
* Masters - Computer Science (MCS), Information Security (MSIS), Business (MBA), Healthcare Management (MSHCM), or related field is desired.
* Certified Information Systems Security Professional (CISSP) is required.
* Certified Information Security Manager (CISM), HealthCare Information Security and Privacy Practitioner (HCISPP) is desired.

Experience

* Seasoned leader with proven track record of leading information security initiatives in a healthcare environment as typically acquired during 10 years in a progressively responsible IT and Information Security position
* Significant leadership experience implementing and administering information security programs, projects, and initiatives in a clinical provider environment
* Demonstrated success in security program transformation initiatives and ability to apply creative and customized security solutions for the business
* Extensive experience interpreting and applying industry frameworks such as ISO 27001 and HIPAA Security and Privacy Rule requirements
* Proven track record of building productive relationships with key business and IT leaders across the organization
* Extensive experience managing information security in a complex technical environment consisting of all levels of hardware platforms, WAN/MAN/LAN, Client-Server and Thin Client applications, Intranet/Extranet/Internet and Web
* Solid experience showcasing excellent project management and effective leadership of multidisciplinary teams that successfully defined, developed, and delivered various information security solutions
* Comprehensive management experience demonstrating leadership across all of the major functions of security, technology, and interfacing with the business and clinical leaders

Knowledge

* Thorough knowledge and experience with Windows, Active Directory, group policy, DNS, encryption, patch management, anti-virus, and system configuration management
* Extensive knowledge of LAN, WAN, VPN, routers, firewalls, servers, IDS/IPS, SIEM, DLP and workstation administration
* General understanding of relevant legal and regulatory requirements including participating in audit teams/process, such as Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA) and Meaningful Use, SSAE-16 SOC 2 and other industry initiatives and regulations
* Strong understanding of the business impact of security tools, technologies, and policies
* Solid expertise in formal/structured IT security risk assessment methodology, including understanding the implementation challenges and advantages across all levels of hardware platforms and software applications
* Broad working knowledge of health care operations and their related data/software/hardware requirements including, but not limited to, hospitals, clinics, medical offices, and their information technology needs
* Expert knowledge and understanding of current and emerging digital security trends, risks, threats, countermeasures, vulnerabilities, and mitigations ranging across the technologies required for securing applications, data centers, networks and third-party access to data, applications, and resources
* Comprehensive understanding of the compliance and legal requirements for information confidentiality and integrity especially as it relates to patient information in a healthcare environment (electronic health/medical records (EHR/EMR), HIPAA, HITECH, etc.)
* Understanding of and experience with Lean or other process improvement philosophies and methodologies desired
* Strong knowledge of privacy and information security best practices within the healthcare environment
* Maintain current understanding of regulations and guidelines regarding information security, including the continuous professional development of healthcare and information security standards and best practices and maintenance of technological currency in complex healthcare, business, and technology environments

Skills

* Excellent written and verbal communication skills, including the ability to give presentations and translate complex technical concepts including the digital security viewpoint into business and clinician relatable language
* Strong ability to establish and maintain a high level of customer trust and confidence
* Demonstrated ability to work under stress in emergencies, and the flexibility to handle simultaneous high pressure demands
* Proven ability to drive through obstacles and deliver computing capability across a broad spectrum of technologies and entities
* Demonstrated ability to prioritize tasks in order to ensure work is accurately completed in a timely manner
* Advanced level of competency in Microsoft Office Suite, as well as other relevant software for research and analysis
* Proven ability to shift gears midstream and move in a different direction when needed
* Proven ability to develop information security policies and procedures, as well as successfully executing programs that meet the objectives in a dynamic environment
* High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity
* Demonstrated ability to interact with all stakeholders and build strong relationships at all levels and across all business units and organizations
* Proven ability to translate discrete concepts regarding security best practices, technologies, and controls, into business-friendly terminology
* Demonstrated ability to conduct system security vulnerability and threat analyses, gathering of intelligence, risk assessments and mitigation, planning, and implementation