Roswell Park Comprehensive Cancer Center Job - 49124148 | CareerArc
Company: Roswell Park Comprehensive Cancer Center
Location: Buffalo, NY
Career Level: Director
Industries: Healthcare, Pharmaceutical, Biotech

Description

Title: Director, Information Security Governance, Risk and Compliance

Job Type: Regular

Company: Roswell Park Cancer Institute

Department: Information Security

Time Type: Full time

Weekly Hours: 40

FTE: 1

Shift: First Shift (United States of America)

Summary: Oversees the processes and personnel involved in the Governance, Risk and Compliance (GRC) functions of the Information Security Department. Leads a team with a hands-on approach; ensures that risk assessments, security training and awareness, third party risk management, and other risk functions are performed in a consistent and thorough manner aligned with industry best practices and recognized security frameworks. Works with internal and external auditors to assess the maturity of the Information Security program. Furthers the maturity of the GRC program through the adoption and refinement of tools, standards, and processes in order to assist the overall Information Security Department to communicate and prioritize risk, and develop a risk-informed strategy for addressing current gaps and future threats.

Starting salary for this position is $161,676 annually which includes a comprehensive benefits package.

Primary Duties Include:

• Oversees and participates in creation of and updating organizational policies aligned to the cybersecurity needs of the organization, best practices, and regulatory requirements such as HIPAA and PCI.

• Monitors compliance with organizational Information Security policies and regulatory requirements through appropriate training and tracking.

• Leads information security awareness and training initiatives to educate workforce about information risks.

• Develops new training programs to increase adoption of a culture of information security.

• Partners with Internal and External audit groups (including state and federal agencies) on the assessment of internal controls and remediation of identified risks.

• Reviews alignment with applicable cybersecurity frameworks and regulations, identifies gaps, and assists with development of remediation plans.

• Identifies and develops metrics to track performance and maturity of the Information Security Program.

• Collaborates and liaises with the data privacy officer to ensure that data privacy requirements are included where applicable.

• Coordinates assessments of internal and third-party systems, assessing the environments for risks.

• Participates with Legal for appropriate contract language.

• Maintains Risk Register.

• Responsible for Risk Acceptance process.

• Performs enterprise information security risk assessment to ensure alignment with all applicable regulations and best practices.

• Manages policy exception process with appropriate stakeholders.

• Develops and oversees Third Party Risk Management function.

• Outlines goals, training and performance metrics for members of the GRC team.

• Oversees development of GRC team members' skills to improve processes and performance.

• Coaches GRC team members for performance improvement.

• Takes action on matters of discipline, promotion, salary, and other matters related to GRC team members, as needed and with assistance from the CISO.

• Provides training to internal and external staff as needed.

• Maintains established departmental policies and procedures, objectives, quality assurance programs, safety and compliance standards.

• Enhances professional growth and development by participating in educational programs, reading current literature, and participating in in-service meetings and workshops.
• Demonstrated knowledge and experience of Risk Management principles.

• Experience with Risk Management Frameworks, such as NIST CSF, NIST 800-53, HITRUST, ISO27001 and others.

• Possesses knowledge of the HIPAA Security Rule and additional government technology laws.

• Experienced in the management of physical and logical information security systems.

• Excellent technical skills (application and operating system hardening, vulnerability assessments, security audits, TCP/IP, intrusion detection systems, firewalls, etc.)

Qualifications: Required Education and Experience

Certification Requirement
Current Cybersecurity certification, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Security Auditor (CISA), Certified Risk and Information Systems Control (CRISC), Global Information Assurance Certification (GIAC), or equivalent information security certification.

Education and Experience
1. Master's degree in Computer Science, Information Systems or a related field and the equivalent of eight (8) years of full-time experience in information security related hardware, software and processes; or
2. Bachelor's degree in Computer Science, Information Systems or a related field and the equivalent of ten (10) years of full-time experience in information security related hardware, software, and processes; or
3. Associate's degree in Computer Science, Information Systems or a related field and the equivalent of twelve (12) years of full-time experience in information security related hardware, software, and processes; or
4. High School Diploma or High School Equivalency Diploma and the equivalent of fourteen (14) years of full-time experience in information security related hardware, software and processes.

NOTE: Required degrees must have been granted by an accredited school, college or university or one recognized by Roswell Park Comprehensive Cancer Center as following acceptable educational practices.

Preferred Qualifications:

The preferred candidate will be Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) or other similar credentials. They will also have prior HIPAA experience, prior management experience, and GRC tool experience.

Equal Employment Opportunity Statement

Roswell Park Cancer Institute Corporation (RPCIC) and Health Research Inc. (HRI) Roswell Park Division believe that all persons are entitled to equal employment opportunities, and we do not discriminate against our employees, applicants or job seekers because of their race, color, religion, sex, sexual orientation, gender identity or expression, national origin, creed, age, disability, pregnancy-related condition, military or veteran status, marital or familial status, domestic violence victim status, citizenship status, genetic information, individual's relationship or association with a member of a protected category or any other protected group status as defined by law.

Reasonable Accommodation Request

RPCIC and HRI are committed to working with and providing reasonable accommodation to individuals with disabilities. If, because of a medical condition or disability, you need a reasonable accommodation for any part of the employment process, please email HR-PayAndBenefits@RoswellPark.org and let us know the nature of your request and your contact information.

Our Core Values

RPCIC and HRI are committed to providing an environment where patients, families, employees and community are treated with courtesy and respect. We support an inclusive environment that nurtures the talents, skills and abilities of each individual to embody and reflect our core values: Innovation, Integrity, Teamwork, Commitment, Compassion and Respect.

Historical Compensation Information Statement 

Pursuant to Executive Order 161, no State entity, as defined by the Executive Order, is permitted to ask, or mandate, in any form, that an applicant for employment provide his or her current compensation, or any prior compensation history, until such time as the applicant is extended a conditional offer of employment with compensation. If such information has been requested from you before such time, please contact the Governor's Office of Employee Relations at (518) 474-6988 or via email at info@goer.ny.gov.

