Information Security

19 Feb 2025

Vacancy expired!

Required Work Experience

  • 7 years of experience with system information security, including 3 years at a leadership level
  • 5 years of experience with data processing and telecommunications
  • 5 years of project management experience
  • 2 years of recent experience with disaster recovery planning or risk analysis / business impact analysis
  • 5 years of management or supervisory experience

Required Education

  • High School Diploma or GED in general field of study

Required Certifications

  • 5 security certifications from the Preferred Certifications list

Preferred Work Experience

  • 10 years of experience with system security, including 5 years at a leadership level
  • 7 years of experience with data processing controls, concepts, and audit principles

Preferred Education

  • Master’s Degree in business, computer science or related field

Preferred Certifications

  • Certified Information Systems Security Practitioner (CISSP), Certified Information Security Administrator (CISA), Certified Information Security Manager (CISM), ISO Foundation, ISO Practitioner, Certified Computer Forensic Specialist (CCFS), Certified Business Continuity Professional (CBCP), Information Security Fundamentals (GISF), Security Essentials (GSEC), Critical Controls (GCCC), Leadership Essentials (GSLC), SANS CISSP (GISP), Certified Ethical Hacker (CEH), Certified CISO (CCISO), Certified Cloud Security Professional (CCSP), Certificate of Cloud Security Knowledge (CCSK), Certified Common Security Framework Practitioner (CCSFP)

ESSENTIAL JOB FUNCTIONS AND RESPONSIBILITIES

  • Responsible for ensuring that information systems comply with governmental security requirements such as those included in the Health Insurance Portability and Accountability Act (HIPAA), and Arizona State insurance privacy law
  • Directs work of others in ISE on a daily basis; shares information and influences behaviors to be consistent with BCBSAZ’s corporate objectives.
  • Maintains departmental metrics & measures to adequately monitor department performance, help meet IT divisional goals and assist in resource planning
  • Employ metrics to establish baselines and measure the effectiveness of implemented security controls. Create a scoring tool for measuring the effectiveness of each control.
  • Map critical controls to standards such as NIST 800-53, ISO 27001, and others.
  • Audit each of the critical security controls, with specific, proven templates, checklists, and scripts to facilitate the audit process.
  • Assist the CISO in establishing a minimum standard for security knowledge, skills, and abilities required for each job function; drive awareness and skills training and assessments to ensure the organization meets minimum standards.
  • Assist the CISO in developing strategic security plans and information security policies. In coordination with the CISO, monitor information security trends internal and external and keep Senior Management informed about information security-related issues and activities affecting the corporation
  • Responsible for the implementation and ongoing support of the operational tools used to fulfill oversight and security monitoring and management
  • Plans for and maintains an annual departmental budget
  • Assists ISE employees in performance plan documentation, career planning, and skill set enhancement
  • Control access by computer users in all departments that require computer access; Leadership must interface with ISS to obtain access permissions for their employees and external users. Be knowledgeable of the concepts of access controls and the interrelated products
  • Consult on and help implement procedures for data classification, handling, retention/destruction, etc.
  • Work with other Team Leaders to meet departmental responsibilities
  • Support the CISO and participate in confidential system security related reviews
  • Provide investigative and incident response functions
  • Keep current on new developments in healthcare related industries and new technology in systems security and computer technology
  • As necessary conduct confidential system security related reviews for leadership
  • Assist as necessary to investigate security breaches and pursue associated disciplinary and legal matters
  • Participate with management in formulating goals for the Information Technology Division.
  • Participate in developing the Information Technologies Strategic Plan with the Chief Information Security Officer.
  • Respond to and provide complete information for system audits and assessments as required by CISO and internal and external sources including SAS 70, Department Of Insurance, and Corporate Audit & Assessment Readiness Audits
  • Provides guidance to Employee Development on maintenance of an employee information security training program
  • Assist as necessary in both internal and external information security audits, assessments and evaluations
  • Provide a clear, concise, accurate and timely status report to the Chief Information Officer as required on both strategic and tactical matters
  • Perform and monitor network security and penetration assessments
  • The position requires a full-time work schedule. Full-time is defined as working at least 40 hours per week, plus any additional hours as requested or as needed to meet business requirements
  • Position may require evening, weekend, or on-call schedules, depending on project requirements and/or system status.
  • Perform all other duties as assigned.

Required Job Skills

  • Intermediate skill in use of office equipment, including copiers, fax machines, scanner and telephones
  • Intermediate PC proficiency
  • Intermediate proficiency in spreadsheet, database and word processing software
  • Advanced knowledge of hardware, software, telecommunications, operating systems, and applications.
  • Knowledge of HIPAA security and privacy standards.
  • Knowledge of Microsoft, UNIX, and LINUX operating systems.

Required Professional Competencies

  • An understanding of the phases of a system attack, common types of attacks and malicious code, and the strategies used to mitigate those attacks.
  • Ability to create a security framework that is measurable, scalable, and reliable in stopping attacks and protecting the organization's important information and systems.
  • An understanding of the importance of each security control and how it is compromised if ignored; be able to explain the defensive goals of each, and the tools and systems needed to implement and automate those controls.
  • An understanding of the processes and tools used to track/control/prevent/correct security weaknesses in the configurations of hardware and software systems based on a formal configuration management and change control process.
  • Ability to relate generally accepted system security practices and procedures to the specific BCBSAZ environments.
  • Ability to apply generally accepted business continuity concepts to BCBSAZ’s business units, including identification of critical success factors for effective disaster recovery.
  • Ability to develop strategic security plans that incorporate business and organizational drivers.
  • Ability to develop and assess information security policy
  • Ability to build, maintain, and mature a vulnerability management program for identifying, prioritizing, and remediating both technical and physical system vulnerabilities.
  • An understanding of PKI, key management and using symmetric, asymmetric, and hashing algorithms to secure data.
  • An understanding of incident response and the business continuity process.
  • An understanding of the top threats to application code and the processes and tools used to detect/prevent/correct security weaknesses.
  • An understanding of malicious software and the processes and tools used to detect/prevent/correct installation and execution of this software on all devices.
  • An understanding of security architecture concepts and the processes and tools used to detect/prevent/correct the flow of information transferring between networks of different trust levels.
  • Ability to assess an organization's human risks and assist in building a security awareness program that can mature with the organization's security program.
  • An understanding of network layer protocols and their relationship to network security and privacy concerns, as well as the ability to identify PII and security controls for protecting network data.
  • An understanding of protocols, vulnerabilities, attacks, and security controls at each layer of the OSI model
  • An understanding of account monitoring and control, the principle of least privilege and the processes and tools used to track/control/prevent/correct use of system and application accounts.
  • An understanding of data classification and the processes and tools used to track/control/prevent/correct data transmission and storage, based on the data's content and classification.
  • An understanding of the processes and tools used to simulate attacks against a network to validate the overall security of an organization.
  • An understanding of the processes and tools used to track/control/prevent/correct security weaknesses in the configurations of network devices based on formal configuration management and change control processes.
  • An understanding of the processes and tools used to track/control/prevent/correct the secure use of wireless networks.
  • Ability to provide organization consultation on major government data security compliance programs
  • Ability to lead the department in troubleshooting and technical system support for system security issues
  • Ability to train and consult on corporate wide efforts on major system security and business continuity corporate initiatives
  • Ability to take appropriate risks, using available data.
  • Strong analytical skills to support independent and effective decisions
  • Strong verbal and written communications skills and the ability to interact professionally with a diverse group of executives, managers, and subject matter experts.
  • Project management skills, with the ability to manage a team to coordinate all planning and implementation activities in system security and/or business continuity fields
  • Strong analytical problem solving and workflow management skills demonstrated in a variety of settings; ability to listen carefully to others’ ideas and points of view before deciding how to proceed
  • Excellent communication skills, including writing reports, letters and documents for internal/external publication and presenting to and facilitating groups of individuals
  • Ability to see the organization in terms of critical and highly interrelated work processes

Required Leadership Experience and Competencies

  • Ability to lead and communicate in a crisis situation
  • Ability to develop key working relationships needed to support strategic direction, both internally and external to the department and company
  • Ability to set an example for others in the IT organization by working well as a team member
  • Provide leadership, promote teamwork, meet objectives and exercise independent judgment
  • Experience leading and implementing projects and working collaboratively with other department levels
  • Ability to prioritize tasks and work with multiple priorities, sometimes under limited time constraints.

  • ID: #49292346
  • State: Arizona Phoenix 85001 Phoenix USA
  • City: Phoenix
  • Salary: Depends on Experience
  • Job type: Permanent
  • Showed: 2023-02-19
  • Deadline: 2023-04-01
  • Category: Et cetera