Support ECRI's 50-year mission of advancing effective, evidence-based healthcare worldwide. Ensure that the sensitive information of ECRI's 500+ global staff, partners, affiliates and subsidiaries, of many thousands of active daily members, and of hundreds of thousands of annual visitors to our public websites is protected as required by law and in support of our member contracts and business relationships.
Work from home or onsite at ECRI's scenic suburban world headquarters in Plymouth Meeting, PA. Sleep well knowing you are helping achieve a world where safe, high-quality healthcare is accessible to everyone.
This position is for an ECRI-wide leader responsible for auditing (and clarifying or refining as needed) IT and business operations, security controls and compliance, incident response, and the core software platform and infrastructure security controls that enable ECRI to deliver content and services globally.
Work closely with the ECRI leadership team as the organization evolves in fulfilling its mission of advancing effective, evidence-based healthcare globally. Collaborate with those leaders to report program-, product- and project-level Information Security status to the ECRI executive team and business leaders.
Create and maintain policies that deliver vision and guidance across ECRI to strengthen and support security initiatives and compliance. Monitor the compliance of enterprise IT systems, business operations, and facility defenses with these policies. Where gaps are identified, track them formally as risks, create remediation plans, and retest. Escalate gaps to ECRI leadership as needed.
Create, maintain, and annually retest ECRI's policies and procedures, such as:
- HIPAA and related annual training, including for our Patient Safety Organization (PSO)
- Business Continuity and Disaster Recovery
- Internet, Email, Data Encryption, Password and Removable Media
- Asset Classification Policies including Controlled Unclassified Information (CUI) and Patient Safety Work Product (PSWP)
- New policies and procedures as needed to keep our member and staff sensitive information safe and secure and to comply with law
Develop, maintain and drive a robust Governance, Risk & Compliance (GRC) program within ECRI. The Vice President, Information Security Officer, with support as needed from across ECRI and from the former acting Vice President, Information Security Officer, will take the following steps to build ECRI's GRC program:
- Determine the frameworks ECRI is required to follow
- Scope the relevant programs selected
- Identify control activities needed or already in place at ECRI to support these scoped programs within IT, HR, Legal, Finance and Board Governance
- Conduct internal audits and assessments on a regular basis to identify nonconformities and create remediation plans where needed
- Ensure ongoing remediation by working with ECRI leaders to fix gaps and then regularly retesting
More specifically, the Vice President, Information Security Officer responsibilities include:
- Identify, scope, track and provide direction to ensure ECRI complies with the frameworks relevant to its business context, including but not limited to:
- SOC 2
- NIST CSF & Special Publications
- GDPR & CCPA
- Choose a common control set that fits ECRI's business context and satisfies its multiple compliance programs, and track it in ZenGRC
- Respond in a timely fashion to customer assessments and questionnaires (several a month)
- Engage third parties in audits and risk assessments, including penetration tests and HIPAA focused risk assessments (at least annually)
- Maintain standing with SOC 2 and any other frameworks ECRI supports in the future
- Work closely with the Chief Information Officer, HR, Finance and Legal to ensure ECRI's policies and procedures are kept appropriately up to date, enforced, and audited as needed
The Vice President, Information Security Officer creates, maintains, and audits adherence to policies and procedures meant to ensure that ECRI remains a trusted guardian of its members' and employees' sensitive information, that our business relationships are maintained, and that applicable laws are complied with. This is achieved by providing policy-based oversight and guidance to business, legal, finance, HR and IT leadership across the following Information Security domains:
- Cybersecurity: planning, implementation, operations, and auditing of enterprise IT systems, including our member-facing websites and applications
- Physical Security: ensure appropriate levels of facility defense are in place at ECRI HQ and its two data centers to protect the sensitive information assets stored within
- Work-from-home protections: ensure that our almost entirely work-from-home staff are adequately protected with the security controls mandated by our policies
- Software Development Life Cycle best practices: ensure that security-first principles and audit checklists are maintained by the Product Development organization at ECRI, and that processes are enforced so that ECRI's websites and applications are secure against unauthorized intrusion or tampering
Advise, direct and audit Technology Operations staff, Business Systems and Product Development engineers, and their leadership to ensure they:
- Lead real-time, war-room style responses to emerging global security incidents and vulnerabilities, including targeted attacks and phishing campaigns against ECRI's on-prem and cloud-hosted infrastructure and staff, as needed.
- Maintain a strong and ever-vigilant security posture with up-to-date vendor patches for software and hardware, best-practice encryption and authorization/authentication controls, configurations of firewalls, networking, and audited role-based controls for all administrative access and actions.
- Secure and maintain all of ECRI's business systems, whether on-prem, SaaS or public-cloud hosted, including Microsoft 365, Office, Teams, Exchange/Outlook, Azure AD, Azure cloud, Dynamics 365, and ECRI's mobile device management platforms Jamf Pro and Microsoft Intune.
- Secure and maintain ECRI headquarters video conferencing systems, projectors, audio visual equipment, badge systems, firewalls, video security and more onsite as needed in Plymouth Meeting, PA.
- Provide disaster recovery and high availability for ECRI's production systems, both internal and externally facing, and facilitate business continuity planning and preparation.
- Secure and maintain internally facing business process automation and software, especially for Dynamics CRM and related systems and processes.
Reasonable Accommodations Statement
To accomplish this job successfully, an individual must be able to perform, with or without reasonable accommodation, each essential function satisfactorily. Reasonable accommodations may be made to help enable qualified individuals with disabilities to perform the essential functions.
Essential Functions Statement(s)
Security Strategy, Planning and Operational Management
- Provide governance of ECRI's security strategies.
- Lead the design, implementation, audit and regular testing of robust and actionable disaster and business continuity plans, procedures and enhancements (including quarantine, recovery, public communications, mandated reporting, financial, physical safety and other critical considerations) in collaboration with other ECRI departments.
- Help achieve business goals by prioritizing data, application/product security and coordinating the evaluation, and deployment of current and future security technologies.
- Build strong relationships with stakeholders across the enterprise in order to enhance appropriate security controls to protect the enterprise and product, making sure data security remains a top priority. Promote and instill security best practices to the corporate level, individual contributors, and customers using technical, business, and leadership skills.
- Develop, implement, maintain and oversee enforcement of policies, procedures and associated plans for system security administration and user system access based on industry-standard best practices.
- Audit the security controls of all computer security systems and their corresponding or associated software, including firewalls, intrusion detection systems, cryptography systems, and anti-theft measures.
- Recommend and implement changes in security policies and practices in accordance with changes in local or federal law.
- Collaborate with CTO, Information Privacy Officer, legal counsel and human resources to establish and maintain a system for ensuring that security and privacy policies are met.
- As primary point of contact, promote and oversee strategic security relationships between ECRI and external entities, including governments, members and partner organizations:
- Government relationships should include applicable offices of:
- Homeland Security;
- Cybersecurity and Infrastructure Security Agency;
- U.S. Department of Justice's Ransomware and Digital Extortion Task Force; and
- State and local law enforcement.
- Corporate relationships may include:
- Security organizations (e.g., Mandiant and similar groups);
- Hardware providers; and
- Software providers.
- Remain focused on trends and issues in the security industry, including current and emerging technologies and prices. Advise, counsel, and educate executive and management teams on their relative importance and financial impact.
- Create engaging, informative organization-wide communications, in email, intranet posts and in-person presentations, on security best practices and important announcements to help protect, inform and empower ECRI's workforce.
- Communicate difficult or sensitive information tactfully and in a timely manner.
Project and Technical Management
- Develop lasting relationships with business unit personnel that foster trust and realistic expectations.