Vice President, Information Security Officer

POSITION SUMMARY

Support ECRIs 50-year mission of advancing effective evidence-based healthcare worldwide. Ensure the sensitive information of ECRIs 500+ global staff, partners, affiliates, subsidiaries, many thousands of active daily members and hundreds of thousands of annual visitors to our public websites worldwide is protected as required by law and in support of our member contracts and business relationships.

This position is for an ECRI-wide leader, responsible for auditing (as well as clarifying or refining as needed) IT and business operations, security controls and compliance, incident response, and core software platform infrastructure security controls enabling ECRI to deliver content and services globally.

Work closely with the ECRI leadership team to evolve the organization fulfilling its mission of advancing evidence-based and effective healthcare globally. Collaborate with those leaders to report on program, product & project level status to the ECRI executive team and business leaders, in support of Information Security.

Create and maintain policies that deliver vision and guidance across ECRI to strengthen and support security initiatives and compliance. Monitor compliance of enterprise IT system, business operation, and facility defenses with these policies. Where gaps are identified, track formally as risks, create remediation plans, and retest. Escalate gaps as needed to ECRI leadership.

Create, maintain, and annually retest ECRIs policies and procedures such as:

• HIPAA and related annual training, including for our Patient Safety Organization (PSO)
• Business Continuity and Disaster Recovery
• Internet, Email, Data Encryption, Password and Removeable Media
• Asset Classification Policies including Controlled Unclassified Information (CUI) and Patient Safety Work Product (PSWP)
• New policies and procedures as needed to keep our member and staff sensitive information safe and secure and to comply with law

Develop, maintain and drive a robust Governance, Risk & Compliance (GRC) program within ECRI. The Vice President, Information Security Officer with support as needed from across ECRI and the former acting Vice President, Information Security Officer will take the following steps to build ECRIs GRC program:

1. Determine ECRIs required frameworks
2. Scope the relevant programs selected
3. Identify control activities needed or already in place at ECRI to support these scoped programs within IT, HR, Legal, Finance and Board Governance
4. Conduct internal audits and assessment on a regular basis to identify nonconformities and create remediation plans where needed
5. Ensure ongoing remediation by working with ECRI leaders to fix gaps and then regularly retesting

More specifically, the Vice President, Information Security Officer responsibilities include:

• Identify, scope, track and provide direction to ensure ECRI complies with in context frameworks including but not limited to:
  
  
  
  • SOC 2
  • NIST CSF & Special Publications
  • HIPAA
  • GDPR & CCPA
  
  
  
  
• Choose an ideal common control set based on ECRIs business context and multiple compliance programs, and track it in ZenGRC
• Respond in a timely fashion to customer assessments and questionnaires (several a month)
• Engage third parties in audits and risk assessments, including penetration tests and HIPAA focused risk assessments (at least annually)
• Maintain standing with SOC 2 and any other frameworks ECRI supports in the future
• Work closely with the Chief Information Officer, HR, Finance and Legal to ensure ECRIs policies and procedures are kept appropriately up to date, enforced and audited as needed

The Vice President, Information Security Officer creates, maintains, and audits adherence to policies and procedures meant to ensure ECRI remains a trusted guardian of its member and employees sensitive information, as well as ensure our business relationships are maintained and laws complied with. This is achieved by providing policy based oversight and guidance to business, legal, finance, HR and IT leadership across Information Security domains

including:

• CyberSecurity: planning, implementation, operations, and auditing of enterprise IT systems, including our member facing websites and applications
• Physical Security: ensure appropriate levels of facility defense are in place at ECRI HQ and its two data centers to protect the sensitive information assets stored within
• Work from home protections: ensure that our almost entirely work from home staff are adequately protected with proper security controls mandated by our policies
• Software Development Life Cycle best practices: ensure security first principles and audit checklists are maintained by the Product Development organization at ECRI and processes enforced to ensure ECRIs websites and applications are secure against unauthorized intrusion or tampering

Advise, prescribe and audit Technology Operational staff, Business System and Product Development Engineers and their leadership to ensure they:

• Lead real time incident and war-room style responses to emerging global security incidents and vulnerabilities, including targeted attacks and phishing exploits against ECRIs on-prem and cloud hosted infrastructure and staff as needed.
• Maintain a strong and ever-vigilant security posture with up-to-date vendor patches for software and hardware, best-practice encryption and authorization/authentication controls, configurations of firewalls, networking, and audited role-based controls for all administrative access and actions.
• Secure and maintain all of ECRIs business systems, both on-prem, SaaS and public-cloud hosted, including Microsoft 365, Office, Teams, Exchange/Outlook, Azure AD, Azure cloud, Dynamics 365, and ECRIs mobile device management platforms Jamf Pro and Microsoft InTune.
• Secure and maintain ECRI headquarters video conferencing systems, projectors, audio visual equipment, badge systems, firewalls, video security and more onsite as needed in Plymouth Meeting, PA.
• Provide disaster recovery and high availability for ECRIs production systems, both internal and externally facing, as well as facilitate business continuity planning and preparation.
• Secure and maintain internally facing business process automation and software, especially for Dynamics CRM and related systems and processes.

ESSENTIAL FUNCTIONS

Reasonable Accommodations Statement

To accomplish this job successfully, an individual must be able to perform, with or without reasonable accommodation, each essential function satisfactorily. Reasonable accommodations may be made to help enable qualified individuals with disabilities to perform the essential functions.

Essential Functions Statements(s)

Security Strategy, Planning and Operational Management

• Provide governance of ECRIs security strategies.
• Lead the design, implementation, audit and regular testing of robust and actionable disaster and business continuity plans, procedures and enhancements (including quarantine, recovery, public communications, mandated reporting, financial, physical safety and other critical considerations) in collaboration with other ECRI departments.
• Help achieve business goals by prioritizing data, application/product security and coordinating the evaluation, and deployment of current and future security technologies.
• Build strong relationships with stakeholders across the enterprise in order to enhance appropriate security controls to protect the enterprise and product, making sure data security remains a top priority. Promote and instill security best practices to the corporate level, individual contributors, and customers using technical, business, and leadership skills.
• Develop, implement, maintain and oversee enforcement of policies, procedures and associated plans for system security administration and user system access based on industry-standard best practices.
• Audit the security controls of all computer security systems and their corresponding or associated software, including firewalls, intrusion detection systems, cryptography systems, and anti-theft measures.
• Recommend and implement changes in security policies and practices in accordance with changes in local or federal law.
• Collaborate with CTO, Information Privacy Officer, legal counsel and human resources to establish and maintain a system for ensuring that security and privacy policies are met.
• As primary point of contact, promote and oversee strategic security relationships between ECRI and external entities, including governments, members and partner organizations,
  
  
  
  • Government relationships should include applicable offices of:
    
    
    
    • Homeland Security;
    • FBI
    • Cybersecurity and Infrastructure Security Agency;
    • U.S. Department of Justices Ransomware and Digital Extortion Task Force; and
    • State and local law enforcements.
    
    
    
    
  • Corporate relationships may include:
    
    
    
    • Security organizations (e.g., Mandiant and similar groups);
    • Insurers;
    • Hardware providers; and
    • Software providers.
    
    
    
    
  
  
  
  
• Remain focused on trends and issues in the security industry, including current and emerging technologies and prices. Advise, counsel, and educate executive and management teams on their relative importance and financial impact.

Communication

• Creates engaging, informative organizational wide communications in email, intranet posts and in person presentations regarding security best practices and important announcements to help protect, inform and empower ECRIs workforce.
• Understands how to communicate difficult/sensitive information tactfully and in a timely manner.

Project and Technical Management

• Develops lasting relationships with business unit personnel that foster trust and realistic expectations.

POSITION QUALIFICATIONS

Experience:

• 10+ years of experience managing and/or directing an IT and/or security operation.
• 5+ years of experience working in the Healthcare industry.
• Proven experience in planning, organizing, and developing IT security and facility security system
  
  technologies.
• Demonstrated understanding and experience working cross-functionally with other business unites including finance, HR, and compliance.
• Experience in planning and executing security policies and standards development.
• Excellent knowledge of technology environments, including information security, building security, and defense solutions.
• Considerable knowledge of business theory, business processes, management, budgeting, and business office operations.
• Substantial exposure to data processing, hardware platforms, enterprise software applications, and outsourced systems, including Dynamics 365, Microsoft 365 and Azure.
• Good understanding of computer systems characteristics, features, and integration capabilities.
• Experience with systems design and development from business requirements analysis through to day-today management.
• Excellent understanding of project management principles.
• Superior understanding of the organizations goals and objectives.
• Demonstrated ability to apply IT in solving security problems.
• In-depth knowledge of applicable laws and regulations as they relate to security.
• Proven leadership ability.
• Excellent written and verbal communication skills with the ability to communicate security and risk-related concepts clearly and concisely to both technical and non-technical audiences.
• Ability to work cooperatively and collaboratively with all levels of staff as part of a team.

Education:

• University degree in the field of computer science or business administration.
• Masters or PhD. degree in one these fields or Information Security preferred.

Certifications & Licenses:

• Related Certifications

POSITION COMPENSATION

The salary range for new employees in this position is $215,286.43 - $247,197.24, based on background, experience, and skills. In addition, new employees in this position are eligible for all of our benefit offerings, including, but not limited to, health and welfare benefits, 403(B) retirement savings, and paid time off (PTO), as well as variable compensation.

PHYSICAL DEMANDS

This position operates in a remote environment and requires the individual to remain in a stationary position, whether sitting or standing, before a desk or other fixed workspace, most of their workday. In addition, this position requires the individual to occasionally move about their workspace to access and inspect work-related materials, such as file cabinets with physical files and standard office equipment. This position requires the ability to operate standard office equipment, including, but not limited to, a laptop, keyboard, mouse, webcam, and phone, as well as effectively communicate information and ideas to a wide variety of audiences in written and oral form.

ADA STATEMENT

ECRI is committed to providing equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion, sex, national origin, age, disability, genetics, sexual orientation, gender identity, or veteran status. We value diversity and believe that a diverse workforce enhances our ability to succeed. ECRI complies with applicable federal, state, and local laws governing nondiscrimination in employment and prohibits any form of discrimination or harassment based on these protected characteristics.

EEO STATEMENT

ECRI is committed to providing equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion, sex, national origin, age, disability, genetics, sexual orientation, gender identity, or veteran status. We value diversity and believe that a diverse workforce enhances our ability to succeed. ECRI complies with applicable federal, state, and local laws governing nondiscrimination in employment and prohibits any form of discrimination or harassment based on these protected characteristics.