IS Security Manager
General Statement of Duties
The IS Security Manager is responsible for ensuring that CareOregon’s information security posture is complete and robust in service to our members. This position partners with business leaders across the enterprise to oversee and mature CareOregon’s information systems security policies and processes. The role is also responsible for assessing and monitoring internal IS teams and external technology partners for security risk and compliance.
Essential Position Functions
Information Security Program
Accountable for the design, implementation and oversight of an effective Information Systems Security Program aligned with recognized industry best practices.
Partner with Information Services leaders to ensure information system security objectives are met.
Champion the cause for information security throughout the organization.
Propose improvements and updates to CareOregon’s security policy in alignment with security best practices and any applicable regulations, such as HIPAA/HITRUST and NIST SP 800-53.
Establish the Information Security Roadmap and report on its progress to senior IS department leaders and CareOregon’s senior executives.
Provide ongoing oversight of the Information Security Incident Response Plan; coordinate training for participating teams.
Perform formal assessments of security controls against cybersecurity best practices to identify gaps, generate reports on assessment findings and participate in the development and support of required corrective action plans.
Lead the design and execution of periodic testing of the IS Disaster Recovery Plan.
Facilitate information security governance meetings with CareOregon senior leadership and executives; compile management reports, summary analyses and detailed presentations to describe security risk, controls and maturity assessments.
Ensure information security awareness training content is current and comprehensive and all CareOregon staff successfully complete the required annual training.
Provide IS security subject matter expertise to IS and business teams throughout the organization.
Establish and maintain relationships with suitable information security vendors and partners.
Guide and oversee the organizational security posture of services transitioning from on-premises to cloud services such as Azure.
Information Security Operations
Assess current and future information security risk; lead remediation efforts.
Lead the audit of applications and system configurations routinely to ensure proper information security is in place.
Identify and report on any systems vulnerabilities; partner with IS teams to implement appropriate countermeasures.
Establish and lead a vulnerability management program, prioritize remediation efforts and work with other teams to document and track program effectiveness.
Assess and ensure CareOregon’s applications, systems and services are in alignment with CareOregon IS security and risk management policies.
Investigate reported security incidents, lead remediation efforts and provide reporting as necessary.
Ensure compliance with internal auditing, HIPAA and other federal regulations.
Develop or participate in business planning, budgeting, performance targets, and policy development.
Define and report on appropriate metrics.
Continuously assess endpoint security control coverage, escalating gaps to the appropriate teams for corrective action.
Audits and Third-Party Oversight
Respond to audits and lead efforts to remediate adverse results.
Monitor partners and third parties for compliance with CareOregon security policies, contracts and government regulations.
Test security controls and validate that the controls are designed appropriately and are effective.
Effectively and efficiently document findings and develop actionable, clear recommendations.
Evaluate the security operations of managed service providers and oversee risk management.
Management and Leadership
Plan, organize, manage and monitor work projects, frequently acting as project manager on projects.
Train, supervise and evaluate performance of assigned staff.
Provide staff with the training, mentoring and resources necessary to carry out their work.
Ensure adherence to department and organizational standards, policies and procedures.
Ensure performance goals, expectations and standards are clearly understood by supervised staff.
Manage team priorities and activities, and ensure deliverables are met.
Evaluate employees’ performance on an ongoing basis and take appropriate corrective action if needed.
Perform human resource functions in collaboration with Human Resources.
Essential Department and Organizational Functions
Propose and implement process improvements.
Meet deadlines for completion of workload.
Maintain agreed-upon work schedule.
Demonstrate cooperation and teamwork.
Provide cross-training on specific job responsibilities.
Meet identified business goals that contribute to departmental goals.
Perform other duties as needed.
Knowledge, Skills and Abilities Required
Understanding of information security best practices and design
Experience working in multiple information security domains (e.g. governance, risk and compliance; attack surface management; identity and access management; network security; data protection; disaster recovery; security operations; incident response; and threat modeling)
Understanding of ITIL
Experience managing Intrusion Detection and Prevention systems, such as Rapid7 InsightIDR and Defender ATP
Experience with Data Loss Prevention and Data Classification
Strong understanding and ability to apply managerial concepts and techniques such as project/change management, idea creation and cross-team effectiveness
Ability to foster continuous employee learning, empowerment, engagement and opportunities
Strong oral and written communication skills, including meeting facilitation and presentations
Ability to effectively communicate complex and/or controversial topics and concepts to diverse audiences
Ability to establish an independent view, effectively collaborate in decision-making and motivate others, especially during difficult situations or on challenging organizational issues
Able to propose solutions and communicate business value
Ability to effectively elevate strategic concerns to senior management in a timely, clear and accurate manner
Ability to develop strong working relationships with internal leaders and external partners
Ability to effectively collaborate with coworkers, staff, leaders and executives across all departments
Strong knowledge of cross-team calibration
Ability to maintain high degree of professionalism
Ability to maintain a positive attitude
Ability to develop and monitor policies, risks and solutions
Sound judgment and ability to develop, implement and reinforce policy and strategy
Ability to see the big picture beyond a request and take appropriate holistic action, employing “systems thinking”
Advanced project management skills
Advanced vendor management skills
Advanced budget management skills
Strong analytical and research skills; ability to see patterns in data and draw appropriate conclusions
Understanding of and ability to adhere to governance and process
Physical Skills and Abilities
Lifting/Carrying up to 0 Pounds: More than 6 hours/day
Pushing/Pulling up to 0 Pounds: More than 6 hours/day
Pinching/Retrieving Small Objects: More than 6 hours/day
Cognitive and Other Skills and Abilities
Ability to focus on and comprehend information, learn new skills and abilities, assess a situation and seek or determine appropriate resolution, accept managerial direction and feedback, and tolerate and manage stress.
Education and/or Experience
Minimum 6 years’ experience in information security systems, solutions or related services, including a minimum of 2 years’ supervisory or people management experience. Experience must include most of the following:
Leading teams, including developing and mentoring staff and supporting change management
Leading complex systems projects
Managing vendors and contracts
Developing policy and strategy roadmaps with business partners and aligning work efforts and solutions accordingly
Developing and implementing information or cyber security programs
Environment: This position’s primary responsibilities typically take place in the following environment(s) (check all that apply on a regular basis):
☒ Inside/office ☐ Clinics/health facilities ☐ Member homes
Travel: This position may include occasional required or optional travel outside of the workplace, in which the employee’s personal vehicle, local transit, or other means of transportation may be used.
Equipment: General office equipment and mobile technology
Candidates of color are strongly encouraged to apply. CareOregon is committed to building a linguistically and culturally diverse and inclusive work environment.
Veterans are strongly encouraged to apply.
Equal opportunity employer. This company considers all candidates regardless of race, color, religion, sex, sexual orientation, gender identity, national origin, disability or veteran status.