Information Security Manager (Hybrid)

Job Description Position Summary: The Information Security Manager will serve as San Ysidro Health’s expert on Cybersecurity protection, detection, response, and recovery. This position will provide the vision and hands‑on technical expertise required to ensure the Confidentiality, Integrity, and Availability of San Ysidro Health’s information and systems. This role oversees all security‑related efforts including the security program, security risk management, vendor management, the Governance, Risk and Compliance (GRC) program and the Information Technology Business Continuity and Disaster Recovery policy and procedure. Essential Functions of the Job: Working with the Information Technology and Application Teams to implement enterprise‑wide security planning to establish and maintain system controls by developing framework for controls and levels of access Lead risk management activities to ensure risks are prioritized, updated and communicated in accordance with NIST RMF SP 800‑37; recommend and implement improvements to prevent, reduce or mitigate risks; maintain risk register Working with Risk, Compliance and AI team, implement and monitor AI activities in accordance with NIST AI RMF 1.0 Create and update the necessary policies associated with HIPAA‑HITECH and PCI DSS requirements; develop techniques and procedures for conducting IS and cyber security risk assessments and compliance audits, the evaluation and testing of hardware, firmware, and software for possible impact on system security, and the investigation and resolution of security incidents Lead the development of security awareness by providing orientation, educational programs, and on‑going communication; work with stakeholders at all levels of the organization to communicate the state of information security, inform of possible risks, and suggest ways to improve security; work in conjunction with the compliance team on awareness training utilizing SYH’s education platform Lead working sessions with other members of the Information Technology teams and key business stakeholders to implement safeguards and controls based on known risks, threats, and vulnerabilities Lead efforts to monitor and audit systems, processes, and other controls in order to assess security and risk posture Ensure the completion of operational activities associated to network monitoring and intrusion detection analysis to determine if there have been any attacks on the system; work with the applicable parties to test mitigation plans Evaluate, test, recommend, develop, coordinate, monitor, and maintain information systems (IS) and cyber security policies, procedures, and systems, including access management for hardware, firmware, and software, and Business Continuity and Disaster Recovery preparedness, training, and testing Lead incident response management activities; to include incident response drills, training activities, documentation; develop and refine incident response policy, procedures and standards; execute bi‑annual table‑top exercises Lead recurring internal IT Security audits and risk assessments in accordance with policies and procedures Ensure that IT and cyber security architecture/designs, plans, controls, processes, standards, policies, and procedures are aligned with IT standards and overall IT and cyber security; identify security risks and exposures, determine the causes of security violations, and suggest procedures to halt future incidents and improve security; facilitate the design and execution of vulnerability assessments, penetration tests Work with external auditors during audits; prepare documentation, files and information for audits; work with auditors and internal team on outstanding tasks and findings identified during the audits Work with other members of the IT Department to implement resolutions identified in risk assessments, penetration/vulnerability testing and audits Mentor other IT Security, GRC staff on all facets of IT Security, IT Governance, IT Risk and IT Compliance Responsible for the identification, tracking and management of enterprise risks; this includes performing risk assessments and measuring the success and effectiveness of mitigation efforts; identify, evaluate, test, and implement appropriate security products, tools, and systems to establish and ensure a secure infrastructure Articulate security policies, guidelines and standards to customers and developers; apply theories, concepts, principles, and methodologies to difficult but conventional assignments Work independently within an established framework Additional Duties and Responsibilities: Stay up‑to‑date on the latest intelligence and methodologies related to information security in order to identify threats and manage risks; update job knowledge and awareness of IT Security developments by participating in educational opportunities; reading professional publications; maintaining personal networks; participating in professional organizations; attending IT Security conferences; communicate the latest intelligence to key staff to minimize or prevent impact to SY Health Exemplify and promote the department’s four key success factors: Positivity, Ownership, Efficiency and Transparency, when working with both internal and external customers Perform other duties as assigned Job Requirements Experience Required: 5+ years’ experience as an IT Security Analyst 3+ years’ experience leading an IT Security program 2+ years in a healthcare environment, strong understanding of HIPAA‑HITECH and PCI‑DSS requirements 2+ years supporting or conducting audits within a regulated environment 2+ years conducting forensics to support various departments Experience working with vendors for SOC/MSSP and SRA services Strong understanding of NIST CSF and CSF‑AI framework Experience building an enterprise‑wide security program Strong understanding of Governance Risk and Compliance programs Education Required: High School Diploma or GED Equivalent Education Preferred: B.S. in Computer Science, B.S. in Information Systems, Computer Science or related field Verbal and Written Skills Required to Perform the Job: Excellent oral and written communication skills, with focus in technical or instruction‑oriented writing and in clearly communicating complicated concepts over the phone, in person and in writing Ability to convey ideas and information to others and receive feedback effectively Ability to communicate and interact successfully with a diverse community and develop and maintain positive professional relationships with colleagues and staff members Technical Knowledge and Skills Required to Perform the Job: Experience with auditing and monitoring tools including SIEM administration Experience with IDS/IPS and DLP solutions Application Firewall administration Internet access security and content filtering Knowledge of Email encryption systems Vulnerability management system administration HIDS/HIPS and MDR/EDR/XDR protection suites Experience utilizing tools to validate the extent of known attacks Experience working with networking technologies hardwire and wireless networks and protocols Multi‑Factor Authentication, VPN and remote access methodology Experience handling, organizing, tracking, and reporting on user support incidents Experience working with Active Directory, DHCP, DNS, and Group Policy Understanding of Change Control Processes and Controls Equipment Used: Laptop or Personal Computer Software required to perform within the Information Security role Working Conditions and Physical Requirements: Prolonged, extensive, and considerable standing, sitting, walking, and/or lifting Manual dexterity and mobility Always reaching, stooping bending, kneeling, crouching Good organizational skills and ability to remain focused and concentrate with noise around Ability to handle multiple job task functions simultaneously Ability to work harmoniously with others as a team member May be required to work evenings and/or weekends Universal Requirements: Pre‑employment requirements include I‑9, physical, positive background and reference check results, complete application, new hire orientation, pre‑employment PPDs. Compliance with all mandated vaccinations and all boosters is a term and condition of employment. San Ysidro Health has a long‑standing commitment to equal employment opportunity for all applicants for employment. Employment decisions including, but not limited to, those such as employee selection, performance evaluation, administration of benefits, working conditions, employee programs, transfers, position changes, training, disciplinary action, compensation, and separations are made without regard to race, color, religion (including religious dress and grooming), creed, national origin, nationality, citizenship status, domestic partnership status, ancestry, gender, affectional or sexual orientation, gender identity or expression, marital status, civil union status, family status, age, mental or physical disability (including AIDS or HIV‑related status), atypical heredity cellular or blood trait of an individual, genetic information or refusal to submit to a genetic test or make available the results of a genetic test, military status, veteran status, or any other characteristic protected by applicable federal, state, or local laws. #J-18808-Ljbffr