security strategies and overseeing the execution of plans reporting to the Chief Information Officer and dotted line to the Chief Compliance
Officer. The CISO is responsible for educating and advising Intermountain’s Executive Security and Privacy Committee on risk and all ongoing
activities related to the privacy, security, availability, integrity and confidentiality of patient, provider, employee, and business
information in compliance with Intermountain Healthcare’s security policies and procedures, regulations and law. This position plays a
collaborative role in proposing security capabilities in support of business strategic roadmaps and creating a supporting security strategy
including managing and executing solutions that are strategically focused on maintaining the reliability and functionality that is essential
to both internal and external constituents.
The CISO oversees the creation and maintenance of information security policy, leads
the on-going Company-wide security risk assessment, status, mitigation and risk reporting efforts, within the context of the Company’s risk
tolerance as set by senior management and the Executive Security and Privacy Committee. The CISO is also responsible for the security
posture, e-discovery and forensics, and for the creation and roll-out of security awareness and training programs Company-wide. The CISO
position requires a visionary leader with sound knowledge of healthcare, business management and a working knowledge of information security
practices and technologies. The CISO will proactively work with other I.S. teams and users to implement practices that meet defined policies
and standards for information security. The CISO must be highly knowledgeable about the business environment and ensure that information
systems are maintained in a fully functional, secure mode. He/she will also oversee a variety of I.S.-related risk management activities.
This position reports to the Chief Information Officer with a dotted line to the Chief Compliance Officer and provides
oversight for 50 or more highly skilled information security employees. The position manages a budget of $10 million or more to meet
organizational information security objectives. This position requires direct and continuous interface with all levels of leadership,
vendors, strategic partners and key members of the community. The CISO is responsible for establishing and maintaining a corporate-wide
information security management program to ensure that information assets are adequately protected. This position is responsible for
identifying, evaluating and reporting on information security risks in a manner that meets compliance and regulatory requirements, and
aligns with and supports the risk posture of Intermountain Healthcare. The CISO serves as the process owner of all assurance activities
related to the privacy, security, availability, integrity and confidentiality of patient, business partner, employee and business
information in compliance with Intermountain Healthcare’s information security policies. A key element of the CISO’s role is working with
executive management to determine acceptable levels of risk for the organization. The position oversees human resource management and
training of directors/managers/employees.
- Develops and maintains an inventory of all
data, medical devices, applications and systems enterprise wide.
- Develops, implements and monitors a strategic, comprehensive
enterprise information security and I.S. risk management program to ensure the privacy, security, integrity, confidentiality and
availability of information owned, controlled or processed by the organization.
- Anticipates business needs and plays a
collaborative role in proposing information security capabilities in support of business strategic roadmaps and creating a supporting
information security strategy.
- Facilitates information security governance through the implementation of a hierarchical governance
program, including the formation of an information security steering committee or advisory board.
- Develops, maintains, and
publishes up-to-date information security policies, standards and guidelines. Oversees the approval and dissemination of security policies.
- Functions as primary resource to I.S. staff in development of world-class security architectures. Designs and
provides secure system architectures based on proven technologies and methodologies in accordance with industry best practices and federal
and state regulations.
- Creates, communicates and implements a risk-based process for vendor risk management, including the assessment
and treatment for risks that may result from partners, consultants, and other service providers.
- Creates and manages information
security and risk management awareness training programs for all employees, contractors and approved system users.
- Works directly
with the business units to facilitate I.S. risk assessment and risk management processes, and works with stakeholders throughout
Intermountain Healthcare on identifying acceptable levels of residual risk.
- Provides regular reporting on the current status of the
information security program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise
risk management program.
- Creates a framework for roles and responsibilities with regard to information ownership, classification,
accountability and protection.
- Develops and enhances an information security management framework based on industry accepted
practices (e.g., ISO 27001, NIST, COBIT)
- Creates and manages a unified flexible control framework to integrate and normalize the
wide variety and ever-changing requirements resulting from global laws, standards and regulations.
- Ensures that security programs
are in compliance with relevant laws, regulations and policies to minimize or eliminate risk and audit findings.
- Serves as a
liaison with corporate compliance, privacy, audit, legal, and HR management.
- Defines and facilitates the information security risk
assessment process, including the reporting and oversight of treatment efforts to address negative findings.
- Manages security
incidents and events to protect corporate I.S. assets, including intellectual property, regulated data and Intermountain Health’s
- Leads a team that monitors the external threat environment for emerging threats, and advises relevant stakeholders on
the appropriate courses of action.
- Serves as the liaison to the appropriate community parties to ensure that Intermountain
Healthcare maintains a strong security posture.
- Coordinates working with vendors and partners involved with the I.S. security
- Facilitates metrics and reporting to measure the efficiency and effectiveness of the program, facilitates
appropriate resource allocation and increases the maturity of the security.
- Understands and interacts with related disciplines
through committees to ensure the consistent application of policies and standards across all technology projects, systems and services,
including privacy, risk management, compliance and business continuity management.
- Creates a security roadmap in support of lines
of business in conjunction with Intermountain Healthcare’s strategic initiatives.
- Keeps abreast of industry standards, practices
and new technologies to enhance key stakeholder satisfaction with I.S. Acts as a subject matter expert and resource to others.
- Recruits, provides training & education, leads, manages and retains a high performing team of technology professionals responsible
for the Security program. Responsible for development, performance management, and coaching of direct reports.
Master’s Degree and ten (10) years of experience working in information security and risk management.
Degree must be obtained through an accredited institution. Education or experience is verified.
Experience and proven track
record in developing information security policies and procedures, as well as successfully executing programs that meet the objectives for
– and –
Knowledge and understanding of relevant legal and regulatory requirements, such as
Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS).
– and –
Experience in a role requiring budget responsibility of $4 Million or more with line management accountability.
Experience in systems application development, driving best-of-breed and best practices, standards, measurement, and service-oriented
– and –
Experience with healthcare provider delivery practices and norms in an Information security
– and –
Experience with complex healthcare integration and challenges, and operational challenges.
– and –
Demonstrated effectiveness as a thought leader and business partner to senior operating leaders.
– and –
effectiveness as a leader for staff management, development and mentorship.
– and –
Demonstrated information security background
with program management, project management, and execution and delivery oversight, with attention to detail around metrics, accountability,
and operational excellence.
– and –
Demonstrated success influencing a company’s overall business strategy and processes.
Collaborative but decisive personal style; highly effective communicator and problem solver.
- Master’s degree in computer science, engineering, information management or other technical field
- Certification in C|CISO, CISSP, CISM or CISA
- Experience with complex healthcare integration and challenges, and operational
- Experience performing information security related merger and acquisition due diligence and integration work in high
growth, enterprise level settings.
Interact with others requiring the employee
to communicate information.
– and –
Operate computers and other IT equipment requiring the ability to move fingers and hands.
– and –
See and read computer monitors and documents.
– and –
Remain sitting or standing for long periods of time to
perform work on a computer, telephone, or other equipment.
© Copyright 2020 Internet Employment Linkage, Inc.