Director, Information Security

Fraser Health
Surrey
CAD 80,000 - 100,000
Job description

Director, Information Security

We are seeking a strategic Director of Information Security to provide leadership and direction towards enhancing cybersecurity and sustainability within Fraser Health (FH). The director will be accountable for establishing and advising on authority wide governance and industry best practices while overseeing the evaluation and implementation of information security tools.

This is an exciting and important opportunity to lead and advance information security within healthcare by assessing security threats and risks associated with Fraser Health’s continuing operations. Additionally, the director will provide guidance and leadership to staff when responding to security compliance audits conducted by third parties and regulators such as Accreditation Canada, BC Office of the Auditor General and Ministry of Health.

Detailed Overview:

Supporting the Vision, Values, Purpose and Commitments of Fraser Health including service delivery that is centered around patients/clients/residents and families:

Provides leadership and management for Fraser Health's (FH) enterprise information security and data stewardship program, working closely with multiple partners and stakeholders. The role combines responsibilities for both information security and data stewardship, recognizing and building upon the need to both manage and protect data as a key enterprise asset.

The scope of responsibilities includes establishing strategic directions for FH; providing advisory services including training and education; establishing authority wide governance structures, policies and practices; and operating ongoing program services - working closely with internal stakeholders and partner organizations.

For security, the role includes establishing and maintaining the information security program to protect information assets and associated technology, applications, systems, infrastructure and processes. The role includes responsibility for identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets. In addition, the position is responsible for coordinating with the security operations and incident response services provided by partner organizations.

For data stewardship, the role includes overall accountability for a framework to support the responsible management of enterprise data assets. This role requires focus on data strategy, execution and support for projects, programs, and applications.

Responsibilities:

Information Security

  • Develops and executes an enterprise wide information security program, strategy and roadmap ensuring the continued management and protection of FH data and technology assets, working with the Provincial Health Services Authority (PHSA) Technology Services and other key stakeholders.
  • Establishes policies, procedures, standards, definitions and guidelines that enable the organizational information security strategy and promote compliance with legal and regulatory requirements. Supports the governance of the security strategy, to promote appropriate organizational engagement and oversight.
  • Develops and maintains a program that informs executive, business unit and functional group leadership of the top security risks and overall security health of the organization. Works with executive management to determine acceptable levels of risk for the organization.
  • Establishes, implements and delivers communications and training initiatives to increase information security, cybersecurity awareness as well as support and promote the adoption of safe computing practices.
  • Creates a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets.
  • Negotiates service contracts and agreements with vendors such as application vendors and third party security services.
  • Collaborates and liaises with the data privacy officer to support the inclusion of data privacy requirements, where applicable.
  • Participates in the development, implementation and ongoing compliance monitoring of information security requirements; ensures FH's continued alignment with regulatory information security requirements.
  • Provides leadership and direction to staff in conducting organizational Security Threat and Risk Assessments (STRAs).
  • Identifies and assesses security threats, vulnerabilities and risks associated with FH's ongoing operations; establishes and maintains detection, containment and incident response capabilities to identify and mitigate cyber-attacks; oversees the evaluation, selection and implementation of information security tools. Works in partnership with PHSA Technology Services and others to coordinate all security related issues.
  • Working with the architecture function in FH, PHSA Technology Services and others, promotes the understanding of information security requirements within architectures.
  • Works to embed security in the project delivery process by providing the appropriate information security policies, practices and guidelines.
  • Provides leadership and direction to staff in evaluating and responding to security compliance audits conducted by third parties and regulators such as Lower Mainland Internal Audit, Accreditation Canada, BC Office of the Auditor General, BC Office of the Information and Privacy Commissioner, and the Ministry of Health Services.
  • Participates in the formation and execution of business continuity planning, and disaster recovery planning.

Data Stewardship

  • Develops and executes an enterprise wide data stewardship program, strategy and roadmap.
  • Supports the governance of the data stewardship strategy, to promote appropriate organizational engagement and oversight.
  • Develops policies, practices, standards and definitions to guide data stewardship, including for data collection, capture, classification, storage, and retention.
  • Evaluates and effects changes to improve data and information quality and promote compliance with internal and provincial reporting requirements.
  • Communicates awareness and understanding of data management and stewardship needs, objectives, and direction to appropriate stakeholders, data stewards, and data owners throughout FH.
  • Oversees the provision of data management awareness training, information and education to employees, healthcare providers and partners.

Program Management and Partnership

  • Communicates and collaborates extensively with executive, clinical program leadership, business managers, informatics leaders, physicians, and staff; works collaboratively with PHSA Information Security and Technical Services areas, other Health Authorities, the Ministry of Health, Divisions of Family Practice, and other partners of Fraser Health with regard to implementation of projects.
  • Selects and manages the staff including supervision and delegation of work assignments, evaluating performance, coaching, discipline or discharge of staff as required.
  • Manages resources through the development of operating and capital budgets, review of expenses and the development of action plans for the portfolio.

Qualifications:

Education and Experience

A level of education, training and experience equivalent to a Master's degree in Information Security or a related field. Ten (10) to fifteen (15) years' experience in progressively more responsible information security leadership/management roles, including five (5) years' experience in a health services systems environment with a specific focus on Cybersecurity.

Active Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) or similar security certification.

Competencies

LEADS Capabilities:

Demonstrates the leadership practices of the Fraser Health Leadership Framework of Clear, Caring and Courageous and creates the conditions for people to succeed.

Professional/Technical Capabilities:

  • Comprehensive knowledge of security technologies such as Cloud Security, Risk Assessment, Security Incident and Event Management (SIEM) and Vulnerability Scanners.
  • Comprehensive knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework.
  • Comprehensive knowledge of applicable privacy regulations, legislation, industry standards, and best practices and a solid understanding of issues related to health information protection.
  • Ability to define, lead, plan, direct, manage, and implement complex business processes and measurements.
  • Ability to develop and implement strategic and project plans, policies, procedures and standards.
  • Ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from board members to technical specialists.
  • Strong presentation, facilitation, coaching, conflict management, planning, project management, and interpersonal skills.
  • Ability to work independently and effectively under time pressure to meet deadlines, balance work priorities and resolve issues.
  • Demonstrated ability to be effective in an environment subject to continuous change.