Community Health Systems Director IT Security in Brentwood, Tennessee

Description:

This role is responsible for supporting legacy vendor security processes and maintaining current and future security processes.

DUTIES AND RESPONSIBILITIES:

  • Monitor Performance Access Process

  • Conduct regular reviews of security access work queues to determine typical turn-around time by category of work request.

  • Assess performance and identify areas generating the majority of escalations.

  • Identify patterns common to areas causing escalations.

  • Prepare recommendations as to process, forms, and approvals that could be changed to improve overall performance.

  • Prepare summary of findings with recommendations by area.

  • Present findings with recommendations during Security monthly meeting.

  • Track resolutions and performance improvements on a monthly basis.

  • Quorum Health business partners regularly have issues with delays in security access being granted.

  • Assist corporate business partners with resolving security escalation issues by reviewing the content of submitted security requests, revising as needed, educating on correct workflow, ensuring proper submission of revised data, and tracking resolution with vendor security.

  • Summarize repeated errors in the security request submission process and prepare lessons learned with additional documentation for corporate business partners.

  • If security requests are submitted correctly and business need warrants, coordinate escalations with vendor security and track resolution.

  • Assist Quorum Health Hospital Based Staff

  • Ensure any security escalations have been processed by local IT directors.

  • Validate process and forms to ensure security information has been properly submitted to security.

  • Revise submissions as needed. Focus should be on new CEOs, CFOs, and CNOs needing multiple approval levels to complete the security process.

  • Escalate with Security management as business needs and processes warrant.

  • Ensure Regulatory and Internal Audit Compliance

  • Conduct regular conference calls with IT directors to assist them in completing MU Security Risk Assessment, Disaster Recovery Planning, server patching, and SOX quarterly audits.

  • Conduct training sessions as needed with new IT directors to ensure all are properly prepared to perform all regulatory compliance activities at the hospitals.

  • Conduct spot checks of submitted information and assist Internal Audit in completing their reviews.

  • Ensure hospital IT directors perform all remediation actions identified in review of submitted regulatory material.

  • These activities will continue after transition to Data security control.

  • Responsible for Assisting in Migration off of Vendor Security

  • Inventory Current Usage and Access

  • Through use of the SOX audit process, document hospital and corporate staff required to have access to GL, AP, Materials, and Fixed Assets.

  • Prepare documentation by site, by role, and by staff person so the future financial system can be set up to provide proper access to financial data.

  • Conduct a similar process for each of the systems used by corporate, centralized, or business office staff.

  • Coordinate Transition of Security Policies to Vendor.

  • Conduct review of Quorum Health security policies and compare with best security practices.

  • Identify where Quorum Health security policies need to be modified to comply with those practices.

  • Summarize recommended changes for management review and approval.

  • Make approved changes; develop a training program to educate Quorum Health staff on revised policies.

  • Implement revised policies and prepare annual review for revisions.

  • Responsible for Monitoring Security

  • Post migration, establish metrics, dashboards, and reports to provide management a summary of security performance.

  • Validate that all aspects of threat protection, penetration testing, virus protection, and proper controls on any external access to the network are being conducted.

  • Ensure proper review is conducted through Vendor Security Risk Assessment (VSRA) form review to determine the need for cyber insurance and acceptance of insurance liability in either an Information Security Agreement (ISA) or expanded BAA.

  • Extend security education to more business partner ownership with on-line classes and periodic testing with fake phishing emails. Track offenders to ensure enrollment in remedial security classes. If failures are repeated, report to management.

  • Coordinate application security with new vendors as applications are replaced from the current portfolio.

  • Establish a method for monitoring security compliance at the application level.

  • Conduct periodic tests for SOX compliance through user access review.

  • Conduct regular rounding meetings with corporate business partners to identify any issues with performance, escalation issues needing attention, plans for additional software, and security education needed. Monitoring / rounding report to be provided to the CIO on a quarterly basis.

  • Conduct regular rounding calls with hospital IT directors to ensure compliance with policies, progress on annual audits, escalations, and security education as needed. Report hospital rounding status to the CIO on a quarterly basis.

Security Project Schedules

  • Security projects must have schedules, interim milestones, deliverables, and deadlines.

  • Security project schedules must be realistic but aggressive, to be comparable with external security companies.

  • Change of scope or deliverables must be approved through a management review process and not used as a method for meeting a deadline by dropping project components.

  • Any reduction in project scope will require management review and approval before the change will be allowed.

  • Responsible for Following Quorum Health Project Execution Methodology

Project Intake Methodology for new projects

  • Submit at the idea stage to the Quorum Health IT Oversight Team (Quorum Health ITOT) for approval to proceed with planning.

  • Develop detailed project plans to include resources, cost, timing, vendors, and customer responsibilities and dependencies. Obtain 3rd-party vendor estimates for each component.

  • Obtain needed business line approvals for scope, impact, benefits, and deliverables prior to Quorum Health ITOT.

  • Document business justification for the project, either ROI, market share increase, quality improvement, cost reductions, safety improvements, or required maintenance.

  • Submission to Quorum Health ITOT for funding and approval to proceed with execution of the project.

Project Activation Methodology

  • Obtain final quotes from vendors, contracts, BAA, security forms (VSRA), staffing time estimates, customer requirements, and hardware and software purchase quotes.

  • Prepare CER and submit through the approval process.

  • Obtain signatures for all components of the project with confirmation that costs are still within estimates approved by Quorum Health ITOT.

  • Obtain approval from resource leaders (business lines, customers, vendors, and contractors) that resources are ready to start the project.

Project Execution Methodology

  • Define project task, milestone, and deliverable tracking approach to include resource requirements, dependencies, durations, and expected outcomes by project phase.

  • Follow Quorum Health resource reporting cadence and forms / methodology.

  • Follow Quorum Health method for weekly executive status reporting, including metrics, dashboards, planned deliverables, missed deliverables, and visual representation of project progress.

  • Follow Quorum Health approach to tracking spend versus budget on a bi-weekly basis, with reporting that explains variances as to timing, cost, or approved scope changes.

  • Follow Quorum Health method for inter-team, cross-discipline, and business line reporting of project status, barriers, escalations, and management decisions needed.

  • Follow Quorum Health method for issue escalation and management decision process.

  • Follow Quorum Health method for project phase / milestone validation and sign-off by appropriate management.

  • Follow Quorum Health method for change control for scope, content, resource, or deliverables that occur during the project.

Define Project Closure Methodology

  • Obtain final sign-off from business lines.

  • Document and define follow-up steps for any remaining items not signed off or signed off with comments requiring resolution.

  • Execute remediation of any outstanding items for the project.

  • Complete any needed documentation for process, payment, and expected benefits based on the original ROI submitted to Quorum Health ITOT. Document cost versus budget and actual time against the original project schedule.

  • Prepare summary report to Quorum Health ITOT on project execution, deliverables obtained, and ROI proven.

  • Communicate to Quorum Health ITOT project performance, including time, cost, and deliverables as compared with the original proposal, with lessons learned to be applied to the next project.

  • Conduct any turnover needed to ensure project deliverables are maintained through regular business processes.

  • Close out all financial components of the project, including CER closure, payment of any remaining invoices, and setup of regular maintenance cost and expected savings to be included in future budgets.

Responsible for Quorum Health IT Security Management:

  • Establish technical and personal development plans for annual targets and CPEs.

  • Contract staff must have pre-defined deliverables per week. Each must have a stated term, interim deliverables, timeline, and metrics to show performance against plan.

  • Follow Quorum Health dashboard reporting system that shows individual performance and project performance against plans. Budget versus actual spend is needed by project and for Security at least two times per month.

  • Monitor and approve Data security invoices prior to CIO approval.

  • Meet regularly, at least bi-weekly, with the CIO to review strategic direction, progress against plan, barriers, escalations, resource assignments, needs, and risks.

  • Prepare issue and action plans to address each area not on plan. Key discussion will be on any projects at risk of not meeting on-time and on-budget delivery of pre-approved functionality.

  • Interim updates are needed to the CIO on any project going off-track, to provide IT management sufficient time to address it.

  • Communicate with the CIO any risk areas that may result in a change control review for any projects.

  • Prepare Security Update for the bi-weekly Quorum Health ITOT meetings, including dashboards, executive summaries of projects, status, barriers, escalations, and decisions needed.

The scope of responsibilities falls into three areas.

  • Maintain existing legacy vendor security controls

  • Assist in transition from vendor security to security

  • Monitor security performance after transition

  • A key success factor for this position is the ability to develop strong collaboration between Quorum Health business lines, Quorum Health Hospitals, Quorum Health consultants () and Quorum Health IT staff.

Qualifications

KNOWLEDGE, SKILLS AND ABILITIES:

  • Proven ability to resolve conflict, facilitate collaboration between groups, and refocus on solutions rather than barriers.

  • Proven ability to deliver projects with full functionality, on time and on budget.

  • Ability to lead simultaneous security projects in each of the major security areas.

  • Lead and work with the Corporate Governance Committee to gain approval, provide transparency to projects, and develop trust for future budgets and projects.

  • Ability to design, implement, and maintain project-level dashboards, controls, and metrics.

WORK EXPERIENCE, EDUCATION AND CERTIFICATIONS:

4 years experience implementing and monitoring security physical controls including:

  • Closed-circuit surveillance cameras

  • Motion or thermal alarm systems

  • Security guards

  • Picture IDs

Bachelor's degree.

4 years experience implementing and monitoring security technical controls including:

  • Encryption

  • Smart cards

  • Network authentication

  • Access control lists (ACLs)

  • File integrity auditing software

4 years experience implementing and monitoring security administrative controls including:

  • Training and awareness

  • Disaster preparedness and recovery plans

  • Personnel recruitment and separation strategies

  • Personnel registration and accounting

Job: Corporate Positions

Organization: QHC

Location: TN-Brentwood

Requisition ID: 1822173