Director of Information Security - Governance, Risk & Compliance (GRC)
Kindred Hospitals
Posted: 22-Jan-23
Location: Louisville, Kentucky
Salary: Open
Categories: Operations
Internal Number: 455812
ScionHealth is recruiting for a Director of Information Security-Governance, Risk & Compliance (GRC) to join our Enterprise Information Technology Team. Remote candidates will be considered for this role.
Job Summary:
Reporting to the CSO, the Director of GRC is responsible for day-to-day oversight and management of the Governance, Risk, and Compliance (GRC) functions of the ScionHealth Enterprise Information Security Program, including the Security Policy Program, Security Awareness Program, Risk Management Program, and compliance with applicable industry security standards, such as the Payment Card Industry Data Security Standard (PCI-DSS) and ISO/IEC 27001, and applicable security laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act, and the California Consumer Protection Act (CCPA).
Essential Functions:
With minimal supervision and under the direction of the ScionHealth Vice President and Chief Security Officer:
- Works with the third-party security services provider as necessary to ensure that all ScionHealth GRC services covered by the services agreement are delivered.
- Owns the third-party vendor relationships required to support the GRC program.
- Manages the ScionHealth Security Risk Management Program, to include:
  - Referencing industry-standard security frameworks and best practices, such as NIST CSF, ISO 27001, PCI-DSS, and CIS, to advise the CSO in the development of ScionHealth security controls and policies.
  - Incorporating ScionHealth security controls and standards requirements into the security risk management process to ensure that enterprise security risk management objectives are met.
  - Ensuring that Security Risk Assessments are conducted for all third-party vendors and that all risk exceptions are managed, working with the CSO, business owners, and other stakeholders.
  - Maintaining a security risk register.
  - Advising the CSO and business stakeholders of risk treatment plan options and residual risks associated with information technology solutions.
  - Tracking open risks and ensuring all risks are addressed.
- Manages the ScionHealth Security Awareness Program, to include:
  - Ensuring monthly phishing assessments are conducted and the enterprise phishing dashboard is current and up to date.
  - Keeping the annual mandatory security awareness training current as required by HIPAA.
  - Working with Communications to provide regular security awareness communications to the ScionHealth workforce.
- Develops and maintains the GRC metrics necessary to validate that security program and GRC objectives are being met, and to enable the CSO to develop and recommend security strategy for the ScionHealth healthcare enterprise.
- Manages the ScionHealth Security Policy Program, to include:
  - Ensuring that security policies necessary to meet ScionHealth Security Program objectives are implemented, including proper vetting by key stakeholders, approval by appropriate governance, and effective communication to, and acknowledgement by, the appropriate accountable audience.
  - Ensuring that all security policies required by applicable laws and standards are implemented.
  - Ensuring that all security policies are reviewed and revised annually, or as appropriate, to reflect the security requirements needed to protect ScionHealth.
  - Ensuring that compliance with security policy requirements is monitored, as appropriate, to meet security risk objectives.
- Contributes to the development of the Information Security Strategic Plan, and develops associated roadmaps, tactical plans, and budgets for the Governance, Risk, and Compliance functions of the Information Security Program.
Knowledge/Skills/Abilities/Expectations:
- Understands ScionHealth's Information Systems strategy and how it supports the business strategy.
- Ability to effectively direct others to achieve a multitude of objectives simultaneously.
- Proven managerial and administration skills to work with all levels of the company.
- Excellent verbal and written communication skills.
- Excellent interpersonal skills.
- Superior organizational & prioritization skills.
- Excellent analytical skills.
- Must have good and regular attendance.
- Approximate percent of time required to travel: 10%
- Performs other related duties as assigned.
Education:
- Bachelor's degree in Information Systems or equivalent years of experience.
Licenses/Certification:
Experience:
- 5-10 years' experience in Information Systems Security for healthcare and/or a related industry.
Depending on a candidate's qualifications we may fill this role at a different level.
Posting URL: https://careers.qualityforum.org/jobs/18088092/director-of-information-security-governance-risk-compliance-grc