Information Security Manager (Hybrid)

Position Summary: The Information Security Manager will serve as San Ysidro Health’s expert on Cybersecurity protection, detection, response, and recovery. This position will provide the vision and hands-on technical expertise required to ensure the Confidentiality, Integrity, and Availability of San Ysidro Health’s information and systems. This role oversees all security-related efforts including the security program, security risk management, vendor management, the Governance, Risk and Compliance (GRC) program and the Information Technology Business Continuity and Disaster Recover policy and procedure.   Essential Functions of the Job: Working with the Information Technology and Application Teams to implement enterprise wide security planning to establish and maintain system controls by developing framework for controls and levels of access Lead risk management activities to ensure risks are prioritized, updated and communicated in accordance with NIST RMF SP 800-37; Recommend and implement improvements to prevent, reduce or mitigate risks; maintain risk register Working with Risk, Compliance and AI team, implement and monitor AI activities in accordance with NIST AI RMF 1.0 Create and update the necessary policies associated with HIPAA-HITECH and PCI DSS requirements; Develops techniques and procedures for conducting IS and cyber security risk assessments and compliance audits, the evaluation and testing of hardware, firmware, and software for possible impact on system security, and the investigation and resolution of security incidents Leads the development of security awareness by providing orientation, educational programs, and on-going communication; Works with stakeholders at all levels of the organization to communicate the state of information security, inform of possible risks, and suggest ways to improve security; Work in conjunction with the compliance team on awareness training utilizing SYH’s education platform Lead working sessions with other members of the Information Technology teams and key business stakeholders to implement safeguards and controls based on known risks, threats, and vulnerabilities Lead efforts to monitor and audit systems, processes, and other controls in order to assess security and risk posture Ensure the completion of operational activities associated to network monitoring and intrusion detection analysis to determine if there have been any attacks on the system; Work with the applicable parties to test mitigation plans Evaluates, tests, recommends, develops, coordinates, monitors, and maintains information systems (IS) and cyber security policies, procedures, and systems, including access management for hardware, firmware, and software, and Business Continuity and Disaster Recovery preparedness, training, and testing Lead incident response management activities; to include incident response drills, training activities, documentation; Develop and refine incident response policy, procedures and standards; Execute bi-annual table top exercises Lead recurring internal IT Security audits and risk assessments in accordance with policies and procedures Ensures that IT and cyber security architecture/designs, plans, controls, processes, standards, policies, and procedures are aligned with IT standards and overall IT and cyber security; Identifies security risks and exposures, determines the causes of security violations, and suggests procedures to halt future incidents and improve security; Facilitate the design and execution of vulnerability assessments, penetration tests Work with external auditors during audits; Prepare documentation, files and information for audits; Work with auditors and internal team on outstanding tasks and findings identified during the audits Work with other members of the IT Department to implement resolutions identified in risk assessments, penetration/vulnerability testing and audits Mentor other IT Security, GRC staff on all facets of IT Security, IT Governance, IT Risk and IT Compliance Responsible for the identification, tracking and management of enterprise risks; This includes performing risk assessments and measuring the success and effectiveness of mitigation efforts; Identifies, evaluates, tests, and implements appropriate security products, tools, and systems to establish and ensure a secure infrastructure Articulates security policies, guidelines and standards to customers and developers; Able to apply theories, concepts, principles, and methodologies to difficult but conventional assignments Works independently within an established framework   Additional Duties and Responsibilities: Stay up-to-date on the latest intelligence and methodologies related to information security in order to identify threats and manage risks; Updates job knowledge and awareness of IT Security developments by participating in educational opportunities; reading professional publications; maintaining personal networks; participating in professional organizations; attending IT Security conferences; communicate the latest intelligence to key staff to minimize or prevent impact to SY Health Exemplifies and promotes the department’s four key success factors: Positivity, Ownership, Efficiency and Transparency, when working with both internal and external customers Performs other duties as assigned   Job Requirements Experience Required: 5+ years’ experience as an IT Security Analyst 3+ years’ experience leading an IT Security program 2+ years in a healthcare environment, strong understanding of HIPAA-HITECH and PCI-DSS requirements 2+ years supporting or conducting audits within a regulated environment 2+ years conducting forensics to support various departments Experience working with vendors for SOC/MSSP and SRA services Strong understanding of NIST CSF and CSF-AI framework Experience building an enterprise-wide security program Strong understanding of Governance Risk and Compliance programs ITIL best practices   Education Required: High School Diploma or GED Equivalent   Education Preferred: B.S. in Computer Science, B.S. in Information Systems, Computer Science or related field   Verbal and Written Skills Required to Perform the Job: Excellent oral and written communication skills, with focus in technical or instruction-oriented writing and in clearly communicating complicated concepts over the phone, in person and in writing Ability to convey ideas and information to others and receive feedback effectively Ability to communicate and interact successfully with a diverse community and develop and maintain positive professional relationships with colleagues and staff members   Technical Knowledge and Skills Required to Perform the Job: Experience with auditing and monitoring tools including SIEM administration Experience with IDS/IPS and DLP solutions Application Firewall administration Internet access security and content filtering Knowledge of Email encryption systems Vulnerability management system administration HIDS/HIPS and MDR/EDR/XDR protection suites Experience utilizing tools to validate the extent of known attacks Experience working with networking technologies hardwire and wireless networks and protocols Multi-Factor Authentication, VPN and remote access methodology Experience handling, organizing, tracking, and reporting on user support incidents Experience working with Active Directory, DHCP, DNS, and Group Policy Understanding of Change Control Processes and Controls   Equipment Used: Laptop or Personal Computer Software required to perform within the Information Security role   Working Conditions and Physical Requirements: Prolonged, extensive, and considerable standing, sitting, walking, and/or lifting Manual dexterity and mobility Always reaching, stooping bending, kneeling, crouching Good organizational skills and ability to remain focused and concentrate with noise around Ability to handle multiple job task functions simultaneously Ability to work harmoniously with others as a team member May be required to work evenings and/or weekends   Universal Requirements: Pre-employment requirements include I-9, physical, positive background and reference check results, complete application, new hire orientation, pre-employment PPDs. Compliance with all mandated vaccinations and all boosters is a term and condition of employment.