Overview ERT is excited to start searching for a Director, Security & Risk Management. This critical person will report to the Chief Information Officer. The role is to lead ERT’s efforts to ensure that it protects the information it collects, maintains, and distributes, electronically or otherwise. Role has the responsibility to ensure that appropriate security policies, standards, procedures and IT infrastructure (including servers, databases, personal computers, 3rd party hosted services, and mobile devices) are designed and maintained to protect ERT’s information, both clinical data that ERT is a steward of for customers, and internal data. The role will be responsible for building on the current information security strategy at ERT, and working with senior management across ERT to ensure that budget, planning, infrastructure and implementation of information security based initiatives can be managed efficiently. This is a wide reaching security role, and requires an individual with a sufficient technical background, a solid understanding of data security, and a demonstrated knowledge of compliance-related laws and regulations. The role should be well versed in building information security programs to attain a high level of maturity. This position carries the responsibility to ensure the timely identification, remediation and tracking of technical, procedural and policy based items that may impact the security, use and stewardship of the ERT’s customers and corporate data and information systems. Writing policies and documentation, communicating complex topics with ERT organizations and training on new policies and procedures are key responsibilities. The role will work with various ERT departments in assessing, developing, implementing, and maintaining information security standards, communicating policies and procedures related to information security, within ERT data centers, SaaS and Cloud environments. Finally, this position will implement control frameworks and ensure adherence with HIPAA/HITECH, 21CFR Part11 and manage security across all IT departments to ensure auditable and documented end-to-end processes for the operation and handling of ERT’s data and systems. Responsibilities Define policies, procedures, communications and training for the following: Information Security Policy - Document governing user access privileges (need to know, least privileges, segregation of duties/responsibilities Information Protection Policy – policy defining information classifications and associated protections. Includes a table that lays out ERT's information classifications: Public; Confidential-ERT Internal; Confidential-ERT Restricted; and Confidential-ERT Highly Restricted. Information Security Risk Assessment and Management Practice – Practice includes defining and documenting the key procedures in performing a risk assessment, including: Acceptable Use Policy for Company Resources Policy governing ERT personnel's use of ERT computers, systems, and resources. Data Export / Import Compliance Management Systems and applications password standards and password management Internal penetration testing/vulnerability scanning development best practices External penetration testing/vulnerability scanning reporting and remediation practice Logical Access Controls Policy and Privileged Access Management policies Describes key user and API access controls that must be implemented to protect ERT’s information assets. Access controls that applies to all applications, databases, operating systems, and network devices that store or process ERT information, other than publicly accessible Internet facing ERT System. Logging and Log Analysis Policy Requires system logging, periodic log analysis, issue resolution and log retention. Password Policy Describes value sets for password controls to be set up for all systems and to be followed by all employees. Network Security Policy Requires a range of controls to secure the data in networks and protect connected services from unauthorized access in hybrid cloud environments Server Security Policy Requires all servers to be physically and logically secured according to their criticality. Records Retention Policy Working with ERT Legal on documenting Internal and External Privacy Policies: ERT global policies and procedures to protect individual personally identifiable information (PII) to ensure personal data privacy is safeguarded at local and global levels. Covers collection, processing, security and access Third-Party Network Access Agreements Develop, document and implement a layered security platform and associated processes enabling core cloud operational requirements for : Network and Host-based security Applications and data security Security monitoring & alerting Identity and Access management Privileged account management Partner with ERT Quality & Risk Management insuring proper Quality Management Partner with Development and DevOps teams to insure layered security for new ERT products and services Monitor Microsoft Security Bulletins and Common Vulnerabilities and Exposures (CVE) bulletins Assess, plan and communicate plan to remediate security vulnerabilities and exposures across ERT’s Production, Staging, UAT and Development infrastructure network and compute fleet Lead, document and implement/instrument a cloud security profile, including: Service infrastructure and platform security planning requirements Security monitoring integration with ERT Operations Support System Monitoring and advising and security patching requirements Overall ownership and sign-off on security profile readiness for all SaaS, Business Systems, Operational Support Systems and Client Services Systems. Qualifications Qualifications and Skills Needed Have defined, documented, implemented and established security policies and procedures in for a software as a service provider. Possess one or more advanced professional security certifications related to chosen discipline (CISSP, CCSP) Demonstrated understanding of Information Security best practices. At least 5+ years’ experience implementing layered security practices for network, host, applications, data and access to IaaS, PaaS and SaaS services in a hybrid deployment environment. Experience in developing and deploying security specific solutions including the automation of repeatable security tasks and controls Solid oral and written communication skills. Solid collaboration skills. Experience implementing and operating security technologies and processes in a hybrid cloud environment, such as AWS or Azure and customer premise Have 5+ years of cloud-based security operations management experience BS/BA degree in Computer Science, Information Systems or related field Experience with software-defined network, compute and storage platforms Experience with security vulnerability and penetration tools such as Nessus, BurpSuite, Qualys, Fortify Implementation and management experience with hardware and software firewalls, AV, IDS/IPS platforms.