IS Information Security Engineer Details

IS Information Security Engineer

Children's Hospital of Philadelphia - Philadelphia, PA

Employment Type : Full-Time

Location: LOC_1300_MKT-Wanamaker Building Req ID: 190853 Shift: Days Employment Status: Regular - Full Time About Us
We’re seeking breakthrough makers! Children’s Hospital of Philadelphia was built on the belief that we can change lives. Today, in every role throughout our hospital, research institute and care network, the 22,000 members of our workforce are finding new ways – big and small – to make a difference for the patients and families we serve. If you are ready to challenge yourself, be inspired and grow – no matter what your role – you just may be the kind of breakthrough maker who will thrive at CHOP. CHOP is proud to share that we are ranked No. 1 on Forbes' 2022 list of America's Best Large Employers! Job Summary

• Exhibits proven technical knowledge in multiple information security disciplines (access control, monitoring, GRC), and industry standards frameworks, and security operations models.

• Exhibits proven technical knowledge in multiple security engineering disciplines and understands different firewall architectures.

• Demonstrates proficient skills in designing, implementing information security solutions, risk management platforms, and providing input on information security strategic plans.

• Provide leadership support to IS teams around security initiatives.

• Proven knowledge of security applications such as intrusion detection systems and forensics packages.

• Assists with budget planning, provide input on CHOP information security strategic planning, GRC, technology and engineering standards and practices.

• Co-facilitates cross-functional work teams and exhibits ability to clearly articulate problems, issues, and potential solutions to team members and clients (written & verbal) across multiple levels within the enterprise.

• Exhibits the ability to manage multiple concurrent projects, manage, mentor, and coach staff and client expectations.

• Exhibits extensive knowledge of related best practices and advocates their use throughout CHOP.

• Performs analysis and fulfills requests of eDiscovery & forensics investigations independently.

• Participates in functional team members in activities related to incident response, change management, business continuity, and escalation planning.

Job Responsibilities An Information Security Specialist III is a senior contributor with similar responsibilities as the Information Security Specialist II, but with a great degree of complexity. An Information Security Specialist III may be involved in some leadership activities. An Information Security Specialist III also:

• Defines and documents information security principles and processes to assist enterprise solution architects in security decisions for the enterprise, including access control, security information and event monitoring, and data loss prevention, perimeter (e.g., firewalls, IPS, web filtering) and network security (host-based firewalls, anti-virus, disk encryption).
• Develops, builds, tests deployment strategies for information security solutions for application development as part of the organizations System Development Life Cycle (SDLC) methodologies.
• Defines and documents system security and compliance requirements in support of approved PMO projects, existing operational activities, trace all system security and compliance requirements, validates that requirements are addressed, including validation of the final detailed security design specifications to support PMO life cycle activities.
• Performs analysis and fulfills requests of eDiscovery & forensics investigations independently by collecting evidence and maintaining chain of custody of records.
• Participates as a member of the Hospital CERT team and performs various security information and event management procedures to support security investigations.
• Participates on related InfoSec standards for business continuity and change management activities (e.g., table tops and change review board) and educates IS Hospital management on security issues (e.g., PCI, Identity and Access Management (IAM), Role Based Access Control (RBAC) models
• Reviews periodic risk analysis and risk assessment activities in support of regulatory requirements (e.g., HIPAA Security & Privacy Rules, PCI DSS, and Joint Commission) utilizing established Governance Risk Compliance (GRC) technology or customized solutions.
• Facilitates analysis of information security issues and recommends solutions for remediation.
• Meets with clinical and business units to determine specific security requirements for application development & validate that requirements, documentation, design, and build are complete and accurate for application level development projects.
• Supports CHOP IS capital budget planning process.

Job Responsibilities (Continued) This department works 80% remotely and 20% on site in our Philadelphia offices. Required Licenses, Certifications, Registrations Other relevant healthcare IS certs Required Education and Experience

• Industry security certification required such as HealthCare Information Security and Privacy Practitioner (HCISPP)
• Bachelor’s degree in Computer Science, Information Systems, or related field required.
• 5 – 12 years related work experience; 4+ years of experience with information security, regulatory compliance and risk management concepts
• 3 years of security architecture/engineering required
• Comprehensive understanding of InfoSec risk management concepts, security engineering principles & practices, (e.g., COBIT or NIST).
• Demonstrates a basic knowledge and understanding of Information security principles, System Development Life Cycle (SDLC), general and IT controls, security engineering principles, and related information security policies and procedures.
• Exhibits knowledge of industry regulatory standards and accreditation requirements (HIPAA, PCI, and Joint Commission).

Preferred Education, Experience & Cert/Lic Certified Internal Auditor (CIA), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC) or other industry related certification Additional Technical Requirements 1. Comprehensive know of information security regulations, standards and leading practices, including understanding of EHR application access controls.
2. Good knowledge of basic database query techniques & data mining to analyze data (e.g., Excel, SQL, Quickbase, Business Objects) or other related database functionality.
3. Knowledge of MS Active Directory, UNIX, and Clinical Applications a plus.
4. Experience implementing application level security in clinical and financial systems (e.g., Epic, Lawson). ERP experience a plus (PeopleSoft, SAP).
5. Understands different firewall architectures (packet filter, application firewalls, application proxy, and VPN) and brands (Checkpoint, Cisco)
6. General understanding of networking and communication techniques including WANs, LANs, Internet, Intranet, protocols, such as TCP/IP and their impact on security.
7. Some knowledge of security applications such as intrusion detection systems and forensics packages (EnCASE), ArcSight, Foundstone
8. Understands differences in perimeter and DMZ architectures & experience with industry standards with system architectures including various UNIX and Microsoft Windows server and desktop platforms.
9. Has experience with application layer formats, usage and characteristics (HTTP, FTP, SSH, DNS, SMTP). Has knowledge of system architecture and design.
10. Microsoft, UNIX, Lawson, and Clinical Applications (e.g., Epic).
11. Experience with industry standard SDLC methodologies; hands-on experience in Project Server methodologies, PMO project management skills, including use of MS productivity tools (Access, Word, PowerPoint, Visio, Project).
12. Experience with risk management frameworks. Information Security Requirements
1. Understand and comply with all enterprise and IS departmental information security policies, procedures and standards.
2. Support the integration of information security in the development, design, and implementation of Hospital Technology Resources that process, transmit, or store CHOP information.
3. Support all compliance activities related to state, federal regulatory requirements, healthcare accreditation standards, and all other applicable regulations that govern the use and disclosure of patient, financial, or other confidential information.
To carry out its mission, it is of critical importance for the Children’s Hospital of Philadelphia (CHOP) to keep our patients, families and workforce safe and healthy and to support the health of our global community. In keeping with this, CHOP has mandated all workforce members on site at any CHOP location for any portion of their time be vaccinated for COVID-19 as a condition of employment. This mandate also applies to workforce members performing work for CHOP at non-CHOP locations. Additionally, all workforce members based in or regularly scheduled to work at any New Jersey location are mandated to be both vaccinated and boosted for COVID-19, with booster timing consistent with applicable guidelines. The CHOP COVID-19 vaccine mandate is in alignment with applicable local, state and federal mandates. CHOP also requires all workforce members who work in patient care buildings or who provide patient care to receive an annual influenza vaccine. Employees may request exemption consideration for CHOP vaccine requirements for valid religious and medical reasons. Please note start dates may be delayed until candidates are fully immunized or valid exemption requests are reviewed. In addition, candidates other than those in positions with regularly scheduled hours in New Jersey, must attest to not using tobacco products.
EEO / VEVRAA Federal Contractor