What are the responsibilities and job description for the Regional Information Security Officer position at UnityPoint Health?
Overview:
License(s)/Certification(s):
The Regional Information Security Officer (RISO) is responsible for the execution and oversight of the system-wide information security program at the direction of the Chief Information Security Officer (CISO) as it relates to the RISO’s region, affiliate, or service line. The RISO is responsible for promoting adoption and supporting the enterprise information security initiatives; assessing and managing information security risks; acting as the escalation point for information security issues for the region, affiliate, or service line; and serving as the liaison between the business and System Services to promote, reinforce, and ensure compliance with the UnityPoint Health (UPH) Information Security Program. The RISO will coordinate efforts with the UPH CISO and other RISOs to share knowledge, resources, and information in order to know and understand the information security policies, procedures, guidelines, and standards and how to most appropriately apply them. The RISO is responsible for safeguarding information in all forms and the associated assets within their region, affiliate, or service line, which is accomplished by the performance of regular and on-going risk assessments of administrative, physical, and technical controls and management of the risk mitigation plan(s).
Responsibilities:
Advancement of Information Security Program in Region, Affiliate, or Service Line
- Support projects to create, implement, manage, and enforce information security directives as mandated by federal, state, and local agencies and to appropriately mitigate information risks.
- Support the development and ongoing management of the information security program for UPH including policies, procedures, guidelines, awareness and training plan, overall security infrastructure, and monitoring.
- Ensure the ongoing integration of information security with business strategies and requirements within the region, affiliate, or service line.
- Ensure access control, disaster recovery, business continuity, incident response, risk management, and other information security best practices, are properly addressed in the region, affiliate or service line.
- Support information security awareness and training initiatives to educate workforce about information risks and how to mitigate them.
- Participate in on-going information risk assessments and audits to ensure that information systems are adequately protected and meet all regulations.
- Work with vendors, outside consultants, and other third parties to improve information security within the organization.
- Monitor the effectiveness of the information security program throughout region, affiliate, or service line and provide regular reports to the local Compliance Committee and the CISO.
- Participate on the UPH Privacy and Security Task Team.
- Work closely with the Regional Privacy Officers for ongoing application of technology functionality to protect PHI.
- Stay up-to-date with current and emerging information security threats, reported incidents and new and updated data protection laws and regulations.
Customer Service
- Fulfills the ISO role for the assigned region, affiliate, or service line.
- Advises, communicates, and responds to individuals regarding information security questions and/or concerns.
- Supports the UPH strategic direction and balances it with the specific business and information systems needs of the customers.
- Performs daily monitoring, investigation, and mitigation of security violations.
- Understands system security requirements by business function.
- Communicates with all levels of management and end users concerning the policies, procedures, standards, and guidelines related to information security. Ensures that the communication occurs and is appropriate at each level.
Information Security Standards, Policies, and Compliance
- Oversees risk assessment and risk management processes for their assigned region, affiliate, or service line.
- Assists in the investigation, planning, documentation, implementation, maintenance, and testing of incident response, business continuity, emergency operations, and disaster recovery plans and audit controls.
- Assists in the development of an education program that promotes security planning, awareness, and training throughout the organization.
- Provides expertise to projects to ensure compliance with UPH policy, security and privacy standards, and state and federal laws and regulations
- Reports non-adherence and non-conformity to standards and policies to local governing bodies and the CISO.
Education:
- Bachelor’s degree is required. Equivalent education and work experience will be accepted only if previous experience applies to specific work in the information protection field.
Experience:
- At least five (5) years of experience in information security or healthcare regulations.
License(s)/Certification(s):
-
The following certifications are highly desired:
- (CISM) Certified Information Security Manager
- (CHP) Certified HIPAA Professional
- (CCSA) Certified Cyber Security Architect
Knowledge/Skills/Abilities:
Broad understanding of HIPAA compliance regulations, information protection and technology controls, auditing processes, and disaster recovery/contingency planning.- Excellent communication, planning, and organizational skills.
- Understands computer system functionality, limitations, and architecture of supported applications and platforms.