Mgr- Information Security Engineering
Awarded the Best Place to Work 2021, Blue Cross Blue Shield of Arizona helps to fulfill its mission of improving the quality of life of Arizonans by delivering a variety of health insurance products and services to meet the diverse needs of individuals, families, and small and large businesses as well as providing information and tools to help individuals make better health decisions.
This remote work opportunity requires residency, and work to be performed, within the State of Arizona
Purpose of the job
- Serves as the operational process owner for all ongoing activities that serve to provide appropriate access to and protect the confidentiality and integrity of customer, employee, and business information in compliance with organization policies and standards. Also, this position is to help provide protection of corporate assets for the organization and the day to day management of the IS Engineering (ISE) department. This position supports and implements Corporate Information Security direction set forth by the Chief Information Security Officer (CISO) that assures BCBSAZ’s customers that BCBSAZ is a secure company that intends to preserve the privacy and confidentiality of data and will remain their health insurance company.
Required Work Experience
- 7 years of experience with system security, including 3 years at a leadership level
- 5 years of experience with data processing and telecommunications
- 5 years of project management experience
- 2 years of recent experience with disaster recovery planning or risk analysis / business impact analysis
- 5 years of management or supervisory experience
- High School Diploma or GED in general field of study
- 5 security certifications from the Preferred Certifications list
Preferred Work Experience
- 10 years of experience with system security, including 5 years at a leadership level
- 7 years of experience with data processing controls, concepts, and audit principles
- Bachelor’s degree in business, information technology, computer systems, or related field
- Master’s Degree in business, computer science or related field
- Certified Information Systems Security Practitioner (CISSP), Certified Information Security Administrator (CISA), Certified Information Security Manager (CISM), ISO Foundation, ISO Practitioner, Certified Computer Forensic Specialist (CCFS), Certified Business Continuity Professional (CBCP), Information Security Fundamentals (GISF), Security Essentials (GSEC), Critical Controls (GCCC), Leadership Essentials (GSLC), SANS CISSP (GISP), Certified Ethical Hacker (CEH), Certified CISO (CCISO), Certified Cloud Security Professional (CCSP) Certificate of Cloud Security Knowledge (CCSK), Certified Common Security Framework Practitioner (CCSFP)
ESSENTIAL job functions AND RESPONSIBILITIES
- Responsible for ensuring that information systems comply with governmental security requirements such as those included in the Health Insurance Portability and Accountability Act (HIPAA), and Arizona State insurance privacy law
- Directs work of others in ISE on a daily basis; shares information and influences behaviors to be consistent with BCBSAZ’s corporate objectives.
- Maintains departmental metrics & measures to adequately monitor department performance, help meet IT divisional goals and assist in resource planning
- Employ metrics to establish baselines and measure the effectiveness of implemented security controls. Create a scoring tool for measuring the effectiveness of each control.
- Map critical controls to standards such as NIST 800-53, ISO 27001, and others.
- Audit each of the critical security controls, with specific, proven templates, checklists, and scripts to facilitate the audit process.
- Assist the CISO in establishing a minimum standard for security knowledge, skills, and abilities required for each job function, drive awareness and skills training and assessments to ensure the organization meets minimum standards.
- Assist the CISO in developing strategic security plans and information security policies.
- In coordination with the CISO, monitor information security trends internal and external to BCBSAZ and keep BCBSAZ Senior Management informed about information security-related issues and activities affecting the corporation
- Responsible for the implementation and ongoing support of the operational tools used to fulfill oversight and security monitoring and management
- Plans for and maintains an annual departmental budget
- Assists ISE employees in performance plan documentation, career planning, and skill set enhancement
- Control access by computer users in all departments that require computer access; Leadership must interface with ISS to obtain access permissions for their employees and external users. Be knowledgeable of the concepts of access controls and the interrelated products
- Consult on and help implement procedures for data classification, handling, retention/destruction, etc.
- Work with other Team Leaders to meet departmental responsibilities
- Support the CISO and participate in confidential system security related reviews
- Provide investigative and incident response functions
- Keep current on new developments in healthcare related industries and new technology in systems security and computer technology
- As necessary conduct confidential system security related reviews for BCBSAZ leadership
- Assist as necessary to investigate security breaches and pursue associated disciplinary and legal matters
- Participate with management in formulating goals for the Information Technology Division and for BCBSAZ.
- Participate in developing the Information Technologies Strategic Plan with the Chief Information Security Officer.
- Respond to and provide complete information for system audits and assessments as required by CISO and internal and external sources including SAS 70, Department Of Insurance, and Corporate Audit & Assessment Readiness Audits
- Provides guidance to Employee Development on maintenance of an employee information security training program
- Assist as necessary in both internal and external information security audits, assessments and evaluations
- Provide a clear, concise, accurate and timely status report to the Chief Information Officer as required on both strategic and tactical matters
- Perform and monitor network security and penetration assessments
- The position requires a full-time work schedule. Full-time is defined as working at least 40 hours per week, plus any additional hours as requested or as needed to meet business requirements
- Position may require evening, weekend, or on-call schedules, depending on project requirements and/or system status.
- Perform all other duties as assigned.
Required Job Skills
- Intermediate skill in use of office equipment, including copiers, fax machines, scanner and telephones
- Intermediate PC proficiency
- Intermediate proficiency in spreadsheet, database and word processing software
- Advanced Knowledge of hardware, software, telecommunications, operating systems, and applications.
- Knowledge of HIPAA security and privacy standards.
- Knowledge of Microsoft, UNIX, and LINUX operating systems.
Required Professional Competencies
- An understanding of the phases of a system attack, common types of attacks and malicious code, and the strategies used to mitigate those attacks.
- Ability to apply create a security framework that is measurable, scalable, and reliable in stopping attacks and protecting the organizations' important information and systems.
- An understanding of the importance of each security control, how it is compromised if ignored, be able to explain the defesive goals of each, and the tools and systems needed to implement and automate those controls.
- An understanding of the processes and tools used to track/control/prevent/correct security weaknesses in the configurations of hardware and software systems based on a formal configuration management and change control process.
- Ability to relate generally accepted system security practices and procedures into the specific BCBSAZ environments.
- Ability to apply generally accepted business continuity concepts to BCBSAZ’s business units, including identification of critical success factors for effective disaster recovery.
- Ability to develop strategic security plans that incorporate business and organizational drivers.
- Ability to develop and assess information security policy
- Ability to build, maintain, and mature a vulnerability management program for identifying, prioritizing, and remediating both technical and physical system vulnerabilities.
- An understanding of PKI, key management and using symmetric, asymmetric, and hashing algorithms to secure data.
- An understanding of incident response and the business continuity process.
- An understanding of the top threats to application code and the processes and tools used to detect/prevent/correct security weaknesses.
- An understanding of malicious software and the processes and tools used to detect/prevent/correct installation and execution of this software on all devices.
- An understanding of security architecture concepts and the processes and tools used to detect/prevent/correct the flow of information transferring networks of different trust levels.
- Ability to assess an organization's human risks and assist in building a security awareness program that can mature with the organization's security program.
- An understanding of network layer protocols and their relationship to network security and privacy concerns, as well as the ability to identity PII and security controls for protecting network data.
- An understanding of protocols, vulnerabilities, attacks, and security controls at each layer of the OSI model
- An understanding of account monitoring and control, the principal of least privilege and the processes and tools used to track/control/prevent/correct use of system and application accounts.
- An understanding of data classification and the processes and tools used to track/control/prevent/correct data transmission and storage, based on the data's content and classification.
- An understanding of the processes and tools used to simulate attacks against a network to validate the overall security of an organization.
- An understanding of the processes and tools used to track/control/prevent/correct security weaknesses in the configurations in network devices based on formal configuration management and change controls processes.
- An understanding of the processes and tools used to track/control/prevent/correct the secure use of wireless networks.
- Ability to provide organization consultation on major government data security compliance programs
- Ability to lead the department in troubleshooting and technical system support for system security issues
- Ability to train and consult on corporate wide efforts on major system security and business continuity corporate initiatives
- Ability to take appropriate risks, using available data.
- Strong analytical skills to support independent and effective decisions...
- Strong verbal and written communications skills and the ability to interact professionally with a diverse group of executives, managers, and subject matter experts.
- Project management skills, with the ability to manage a team to coordinate all planning and implementation activities in system security and/or business continuity fields
- Strong analytical problem solving and workflow management skills demonstrated in a variety of settings; ability to listen carefully to others’ ideas and points of view before deciding how to proceed
- Excellent communication skills, including writing reports, letters and documents for internal/external publication and presenting to and facilitating groups of individuals
- Ability to see the organization in terms of critical and highly interrelated work processes
Required Leadership Experience and Competencies
- Ability to lead and communicate in a crisis situation
- Ability to develop key working relationships needed to support strategic direction, both internally and external to the department and company
- Ability to set an example for others in the IT organization by working well as a team member
- Provide leadership, promote teamwork, meet objectives and exercise independent judgment
- Experience leading and implementing projects and working collaboratively with other departments levels
- Ability to prioritize tasks and work with multiple priorities, sometimes under limited time constraints.
Preferred Job Skills
Preferred Professional Competencies
Preferred Leadership Experience and Competencies
BCBSAZ does not discriminate in hiring or employment on the basis of race, ethnicity, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, protected veteran status or any other protected group.
Thank you for your interest in Blue Cross Blue Shield of Arizona. For more information on our company, see azblue.com. If interested in this position, please apply.