Title: Assistant Director, Security & Identity
Org Unit: Security
Work Days: Monday-Friday
Exemption Status: Exempt
Responsible for the security risk management program, including building and maintaining roadmaps for initiatives and projects, risk assessments, incident response, operational management, and regulatory and policy compliance, and for ensuring WCM adheres to federal, state and local regulatory controls as they relate to the institution.
This role works closely with leadership and peers within the Information Technologies & Services department (ITS), the EpicTogether team, and various counterparts at NewYork-Presbyterian Hospital, Cornell University, and other affiliates to ensure security policies and procedures are effectively implemented and managed, and that enterprise system security is closely monitored and managed.
This role is also responsible for working with the Chief Information Security Officer (CISO) to develop and deliver a comprehensive information security and identity management program for WCM. The scope includes information in electronic, print, and other formats. The purposes of this program include: to assure that information created, acquired, or maintained by WCM and its authorized users is used in accordance with its intended purpose; to protect WCM information and its infrastructure from external or internal threats; and, to assure that WCM complies with statutory and regulatory requirements regarding information access, security, and privacy.
- Manages and mentors a team of analysts, engineers, and architects responsible for all technical and operational aspects of security and identity management. Assists with recruiting employees; assigns, directs, and evaluates their work.
- Works collaboratively with other ITS management to develop program strategy that meets the security, identity management, and business continuity needs of a highly complex medical institution.
- Oversees and maintains a vast project portfolio for the implementation or maintenance of new or existing security and identity management technologies. Ensures that projects are delivered on time, on budget, and at acceptable quality.
- Ensures service requests and security-related tickets are resolved in a timely manner within the ticketing management system. Produces metrics on top security incidents, attack vectors, requests, etc.
- Assists with capital/operational budgets, including budget planning and design, forecasting, revenue stream development, capacity planning, expertise alignment, and resource optimization. Develops, gathers or maintains divisional/sub-divisional roadmaps.
- Develops, implements and ensures continuity across security and privacy practices/procedures.
- Provides development guidance and assists in identification, implementation and maintenance of WCM information privacy policies/procedures. Liaises with and offers direction to staff throughout WCM as needed, on information security and compliance matters.
- Oversees/allocates resources for incident responses, including electronic discovery efforts, responding to policy violations, or complaints from external parties. Develops, documents and tests security, incident response and forensics policies/procedures.
- Assists in fulfilling security and privacy-related internal auditing requirements as requested; works closely with CU Audit Office and external auditors to provide responses to audit requests and follow-up. Tracks and reports on audit status and progress.
- Builds ITIL-based processes; provides reporting on status of IS program; develops, negotiates, manages and enforces contracts and service-level agreements for internal and external facing services; and supports/builds upon project management processes.
- Assists with oversight of program(s) and related IT initiatives to ensure HIPAA, NIST, PCI, and other applicable regulatory and standards-based compliance.
- Performs other related duties as assigned.
- Bachelor’s degree in computer science, information systems, management, or relevant field and 5 or more years’ experience as a security professional in a leadership role and a minimum of 10 years’ experience in information technology.
- Comprehensive, expert-level understanding of information security and related technologies, such as firewalls, encryption, access controls, SIEM, application security, and authentication and authorization policies, procedures, and technologies.
- Experience coordinating and fulfilling requests for internal and external auditors, internal investigations, litigation, and other similar projects.
- Experience identifying and creating IT security goals, metrics, and objectives; developing IT security strategies and practices.
- Extensive knowledge of risk analysis and the development of security systems and protocols.
- Comprehensive working knowledge of HIPAA, HITECH, NIST, FERPA, and PCI.
- Information security certifications (e.g., CISSP, CISM, etc.) are a plus.
- Extensive knowledge of computer-based patient record system security requirements (particularly Epic and SAP/Business Objects) and various protocols relative to privacy and confidentiality of health information is highly desired.
- Familiarity with business continuity, disaster recovery, and business resiliency planning from real-world implementations desired.
- Understanding of networking protocols (TCP/IP) and service protocols (HTTP, HTTPS, LDAP, SSL, SSH, SMTP, POP3, DNS, FTP) desired.
- Previous experience implementing business impact analysis and security incident response processes and programs helpful.
- Technical leadership and managerial experience in an academic or healthcare setting and in-depth knowledge and experience in computer use in medical colleges, universities, and/or other healthcare institutions preferred.
- Familiarity with reviewing, writing, and assessing various documents and reports, such as gap analysis reports, SOWs, risk assessments, and security incident reports desired.
Knowledge, Skills and Abilities
- Strong, demonstrated ability to establish rapport, trust, and confidence in relationships with cross-functional teams.
- Excellent written and verbal communication skills to provide technical and educational leadership to all staff. Must be able to communicate effectively the capabilities and limitations of information technologies.
- Exceptional persuasion and public speaking skills.
- Excellent understanding of network concepts, ports, protocols, OSI model, etc.
- Ability to handle sensitive and difficult situations in a professional and responsive manner; ability to exercise own judgment.
- Ability to participate with upper management in a decision support mode through the development of appropriate management information.
- Ability to promote and maintain a favorable and positive work environment to assist in the overall mission of WCM and NYP. Ability to advocate for projects assigned and the business and strategic goals they are intended to meet.
- Ability to maintain a customer-centered service ethic.
Licenses and Certifications
Working Conditions/Physical Demands
- Position requires working in an office environment where some physical discomforts such as dust, dirt, noise, and the like are present. Ability to work off-hours and weekends, as well as travel between office locations, primarily within NYC and Ithaca, New York, is required. Occasional meetings or clinical staff interactions in typical patient care areas may be required, though direct patient exposure is not expected.
- As a senior technology manager, you will have exposure and/or access to protected health information (“PHI”) and personally identifiable information (“PII”) as part of your normal duties. Access to data within systems that contain significant portions of confidential medical records will be necessary to do your job; however, viewing of that information in individual detail is generally incidental.
With regard to HIPAA and related regulations protecting student, staff, and patient privacy, it is the responsibility of each Weill Cornell Medicine employee to limit viewing of PHI and PII to the absolute minimum as necessary to perform the job function. As an IT leader, the Assistant Director will be held to a higher standard and is expected to help lead development and enforcement of relevant security and privacy policies.
Weill Cornell Medicine is a comprehensive academic medical center that’s committed to excellence in patient care, scientific discovery, and the education of future physicians in New York City and around the world. Our doctors and scientists (faculty from Weill Cornell Medical College, Weill Cornell Graduate School of Medical Sciences, and the Weill Cornell Physician Organization) are engaged in world-class clinical care and cutting-edge research that connect patients to the latest treatment innovations and prevention strategies. Located in the heart of the Upper East Side’s scientific corridor, Weill Cornell Medicine’s powerful network of collaborators extends to its parent university Cornell University; to Qatar, where an international campus offers a U.S. medical degree; and to programs in Tanzania, Haiti, Brazil, Austria and Turkey. Our medical practices serve communities throughout New York City, and our faculty provide comprehensive care at NewYork-Presbyterian Hospital/Weill Cornell Medical Center, NewYork-Presbyterian/Lower Manhattan Hospital, and NewYork-Presbyterian/Queens. At Weill Cornell Medicine, we work together to treat each individual, not just their conditions or illnesses, as we strive to deliver the finest possible care for our patients – the center of everything we do. Weill Cornell Medicine is an Equal Employment Opportunity Employer. Weill Cornell Medicine provides equal employment opportunities to all qualified applicants without regard to race, sex, sexual orientation, gender identity, national origin, color, age, religion, protected veteran or disability status, or genetic information.
Weill Cornell Medical College is an equal opportunity, affirmative action educator and employer.