ERT is hiring a Manager of Security & Risk Management who reports to the Chief Information Security Officer (CISO). The role leads ERT’s efforts to protect the information it collects, maintains, and distributes, electronically or otherwise. This role interacts effectively with ERT’s Data Privacy Officer and team, as well as with the R&D teams supporting the entire ERT clinical SaaS portfolio.

The Manager will be responsible for ensuring that appropriate security policies, standards, procedures and IT security infrastructure (including cybersecurity platforms, servers, databases, personal computers, third-party hosted services, and mobile devices) are designed (“security by design”) and maintained to protect ERT’s information, both the clinical data that ERT holds as a steward for its customers and internal data. The Manager will contribute to building the current information security strategy at ERT and will work with the CISO and departments across ERT to ensure that the budget, planning, infrastructure and implementation of information security initiatives are managed efficiently.

This is a wide-reaching security role that requires an individual with a strong technical background, a solid understanding of network, host, application and data security, and demonstrated knowledge of compliance-related laws and regulations. The Manager will need to be well versed in building information security programs to a high level of maturity. The position carries responsibility for the timely identification, remediation and tracking of technical, procedural and policy-based items that may affect the security, use and stewardship of ERT’s customer and corporate data and information systems. Writing policies and documentation, communicating complex topics across ERT organizations, and training on new policies and procedures are key responsibilities.
The role will work with various ERT departments in assessing, developing, implementing, and maintaining information security standards, and in communicating policies and procedures related to information security, within ERT data centers, SaaS and Cloud environments.
Finally, this position will implement control frameworks, ensure adherence to ISO 27001, HIPAA/HITECH and 21 CFR Part 11, and manage security across all IT departments to ensure auditable and documented end-to-end processes for the operation and handling of ERT’s data and systems.
Define policies, procedures, communications and training for the following:
- Define the Information Security Management System (i.e., ISO 27001) and ensure its associated controls are implemented to achieve “Security by Design”.
- Work seamlessly with the ERT Data Privacy Office to ensure “Privacy by Design”.
- Information Security Policy: document governing user access privileges (need to know, least privilege, segregation of duties/responsibilities).
- Information Protection Policy: policy defining information classifications and their associated protections. Includes a table that lays out ERT's information classifications: Public; Confidential-ERT Internal; Confidential-ERT Restricted; and Confidential-ERT Highly Restricted.
- Information Security Risk Assessment and Management Practice: defines and documents the key procedures for performing a risk assessment, including:
  - Acceptable Use Policy for Company Resources: policy governing ERT personnel's use of ERT computers, systems, and resources.
  - Data Export / Import Compliance Management
  - Systems and applications password standards and password management
  - Internal penetration testing / vulnerability scanning development best practices
  - External penetration testing / vulnerability scanning reporting and remediation practice
- Logical Access Controls Policy and Privileged Access Management policies:
  - Describe the key user and API access controls that must be implemented to protect ERT’s information assets.
  - Apply to all applications, databases, operating systems, and network devices that store or process ERT information, other than publicly accessible Internet-facing ERT systems.
- Logging and Log Analysis Policy: requires system logging, periodic log analysis, issue resolution and log retention.
- Password Policy: describes the value sets for password controls to be configured on all systems and followed by all employees.
- Network Security Policy: requires a range of controls to secure data in networks and protect connected services from unauthorized access in hybrid cloud environments.
- Server Security Policy: requires all servers to be physically and logically secured according to their criticality.
- Records Retention Policy
- Working with ERT Legal on documenting internal and external privacy policies:
  - ERT global policies and procedures to protect personally identifiable information (PII), ensuring that personal data privacy is safeguarded at local and global levels. Covers collection, processing, security and access.
  - Third-Party Network Access Agreements
Develop, document and implement a layered security platform and associated processes enabling core cloud operational requirements for:
- Network and Host-based security
- Applications and data security
- Security monitoring & alerting
- Identity and Access management
- Privileged account management
- Partner with ERT Quality & Risk Management to ensure proper quality management
- Partner with Development and DevOps teams to ensure layered security for new ERT products and services
- Monitor Microsoft Security Bulletins and Common Vulnerabilities and Exposures (CVE) bulletins
- Assess, plan and communicate the remediation of security vulnerabilities and exposures across ERT’s Production, Staging, UAT and Development infrastructure, network and compute fleet
Lead, document and implement/instrument a cloud security profile, including:
- Service infrastructure and platform security planning requirements
- Security monitoring integration with ERT Operations Support System
- Monitoring, advisory and security patching requirements
- Overall ownership and sign-off on security profile readiness for all SaaS, Business Systems, Operational Support Systems and Client Services Systems.
Other Duties and Responsibilities:
Effectively collaborate and communicate with Development, DevOps, Executive Management and Lines of Business to report on security operations status.
The duties and responsibilities listed in this job description represent the major responsibilities of the position. Other duties and responsibilities may be assigned, as required. ERT reserves the right to amend or change this job description to meet the needs of ERT. This job description and any attachments do not constitute or represent a contract.
Qualifications and Skills Needed
- Demonstrated technical knowledge of network, host-based, applications and data security methods, required security management technologies and implemented security controls.
- Demonstrated experience working with Data Privacy teams to achieve a coordinated security and privacy practice.
- Implementation and management of information security management systems (ISMS) and associated security controls in a highly regulated market, with GDPR, CCPA and other regulatory experiences being highly desirable.
- Have defined, documented, implemented and established security policies and procedures for a software-as-a-service provider.
- Possess one or more advanced professional security certifications related to chosen discipline (CISSP, CCSP)
- Demonstrated understanding of Information Security best practices.
- At least 2-3 years’ experience managing a Security Operations team.
- 5+ years’ experience implementing layered security practices for network, host, applications, data and access to IaaS, PaaS and SaaS services in a hybrid deployment environment.
- Experience in developing and deploying security specific solutions including the automation of repeatable security tasks and controls
- Solid oral and written communication skills.
- Solid collaboration skills.
- Experience implementing and operating security technologies and processes in a hybrid cloud environment, such as AWS or Azure together with customer premises.
- Have 5+ years of cloud-based security operations management experience
- BS/BA degree in Computer Science, Information Systems or related field
- Experience with software-defined network, compute and storage platforms
- Experience with security vulnerability and penetration tools such as Nessus, BurpSuite, Qualys, Fortify
- Implementation and management experience with hardware and software firewalls, AV, IDS/IPS platforms.
We are an equal opportunity employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law.