Share this Job

IT ARCHITECT - SECURITY - 2609

Apply now »

Date: Mar 30, 2019

Location: YONKERS, NY, US

Company: Montefiore Medical Center

Montefiore IT has the team, technology and tools to take your career to a new level! 

 

Montefiore, the University Hospital for Albert Einstein College of Medicine, is one of healthcare’s most wired hospitals, widely recognized by the Hospitals & Health Networks' 15th annual Most Wired Survey for our adoption of technology to support clinical care and patient safety and privacy, infrastructure, business and administrative management, and the continuum of care.

 

Our experts deploy new technologies, define new business processes and provide stakeholders across the institution with the resources needed to meet their most difficult challenges. As a Montefiore IT employee, you’ll have ample opportunities to transform patient care, improve health outcomes and gain insight into the technical workings of one of the nation’s top academic medical centers.

Whether you are implementing clinical or revenue cycle solutions or providing critical infrastructure support, our goal is to guide you and your career to the height of healthcare IT excellence.

The INFORMATION SECURITY ARCHITECT plays an integral role in defining and assessing the organization's security strategy, architecture and practices. The information security architect will be required to effectively translate business objectives and risk management strategies into specific security processes enabled by security technologies and services.

JOB RESPONSIBILITIES:

The information security architect will be responsible for the following activities and functions:

  • Develop and maintain a security architecture process that enables the enterprise to develop and implement security solutions and capabilities that are clearly aligned with business, technology and threat drivers
  • Develop security strategy plans and roadmaps based on sound enterprise architecture practices
  • Develop and maintain security architecture artifacts (e.g., models, templates, standards and procedures) that can be used to leverage security capabilities in projects and operations
  • Track developments and changes in the digital business and threat environments to ensure that they're adequately addressed in security strategy plans and architecture artifacts
  • Participate in application and infrastructure projects to provide security-planning advice
  • Draft security procedures and standards to be reviewed and approved by executive management and/or formally authorized by the CISO
  • Determine baseline security configuration standards for operating systems (e.g., OS hardening), network segmentation, and identity and access management (IAM)
  • Develop standards and practices for data encryption and tokenization in the organization, based on the organization's data classification criteria
  • Conduct or facilitate threat modeling of services and applications that tie to the risk and data associated with the service or application
  • Ensure a complete, accurate and valid inventory of all systems, infrastructure and applications that should be logged by the security information and event management (SIEM) or log management tool
  • Establish a taxonomy of indicators of compromise (IOCs) and share this detail with other security colleagues, including the security operations center (SOC), information security managers and analysts, as well as counterparts within the network operations center (NOC)
  • Coordinate with DevOps teams to advocate secure coding practices, and to escalate concerns related to poor coding practices to the CISO
  • Coordinate with the privacy officer or office to document data flows of sensitive information in the organization (e.g., PII or ePHI) and recommend controls to ensure that this data is adequately secured (e.g., encryption and tokenization)
  • Validate IT infrastructure and other reference architectures for security best practices and recommend changes to enhance security and reduce risks, where applicable
  • Validate security configurations and access to security infrastructure tools, including firewalls, IPSs, WAFs and anti-malware/endpoint protection systems
  • Review network segmentation to ensure least privilege for network access
  • Liaise with the vendor management (VM) team to conduct security assessments of existing and prospective vendors, especially those with which the organization shares intellectual property (IP), as well as regulated or other protected data:
    • Software as a service (SaaS) providers
    • Cloud/infrastructure as a service (IaaS) providers
    • Managed service providers (MSPs)

 

ADDITIONAL RESPONSIBILITIES INCLUDE:

Evaluate the statements of work (SOWs) for these providers to ensure that adequate security protections are in place. Assess the providers' SSAE 16 SOC 1 and SOC 2 audit reports (or alternative sources) for security-related deficiencies and required "user controls" and report any findings to the CISO

  • Liaise with the internal audit (IA) team to review and evaluate the design and operational effectiveness of security-related controls
  • Support the testing and validation of internal security controls, as directed by the CISO
  • Review security technologies, tools and services, and make recommendations to the broader security team for their use, based on security, financial and operational metrics
  • Coordinate with operational and facility management teams to assess the security of operational technology (OT) and Internet of Things (IoT) systems
  • Liaise with other security architects and security practitioners to share best practices and insights
  • Liaise with the business continuity management (BCM) team to validate security practices for BCM testing and operations when a failover occurs

Key Relationship Building

The information security architect liaises with important security and risk management constituencies. Specifically, the enterprise security architect may be expected to work collaboratively with individuals or departments, including:

  • Application and information owners
  • CIOs
  • Chief privacy officer (CPO)
  • Information security manager (ISM)
  • SOC manager and SOC staff
  • NOC manager and NOC staff
  • Enterprise architect
  • Project management office (PMO)
  • Internal audit

Security and Technical Skills

The information security architect should have direct, documented, and verifiable experience with the following:

  • Direct, hands-on experience or strong working knowledge of managing security infrastructure — e.g., firewalls, intrusion prevention systems (IPSs), web application firewalls (WAFs), endpoint protection, SIEM and log management technology
  • Verifiable experience reviewing application code for security vulnerabilities
  • Direct, hands-on experience or a strong working knowledge of vulnerability management tools
  • Documented experience and a strong working knowledge of the methodologies to conduct threat-modeling exercises on new applications and services.
  • Full-stack knowledge of IT infrastructure:
    • Applications
    • Databases
    • Operating systems — Windows, Unix and Linux
    • Hypervisors
    • IP networks — WAN and LAN
    • Storage networks — Fiber Channel, iSCSI and NAS
    • Backup networks and media
  • Direct experience designing IAM technologies and services:
    • Active Director
    • Lightweight Directory Access Protocol (LDAP)
    • Amazon Web Service (AWS) IAM
  • Strong working knowledge of IT service management (e.g., ITIL-related disciplines):
    • Change management
    • Configuration management
    • Asset management
    • Incident management
    • Problem management
  • Experience designing the deployment of applications and infrastructure into public cloud services.

Industry and Regulatory Experience:

The information security architect is expected to have documented experience with the following:

Payment Card Industry Data Security Standard (PCI-DSS); HIPAA-HITECH; Validated Systems (e.g., GAMP); Sarbanes-Oxley; General Data Protection Regulation (GDPR); Privacy Practices; ISO 27001/2; 

NIST Cybersecurity Framework (CSF); ITAR

 

Business Related Skills:

The information security architect is expected to contribute his or her insights to colleagues in the security team and the CISO, as well as colleagues within internal audit, risk management and other line-of-business teams. To ensure that security-related matters are adequately conveyed, the following skills are required:

  • The information security architect must interpret business, technology Strategic planning skills —and threat drivers, and develop practical security roadmaps to deal with these drivers.
  • Communication skills — The information security architect will be required to translate complex security-related matters into business terms that are readily understood by colleagues. The enterprise security architect should anticipate presenting analyses in person and in written formats.
  • Financial analysis — As part of the due diligence of security technologies, the information security architect will be expected to evaluate the financial costs of recommended technologies. Specifically, the enterprise security architect will need to quantify purchasing and licensing options, estimate labor costs for a given service or technology, and estimate the total cost of operation (TCO), the ROI, or the payback period for services or technologies replacing existing capabilities.
  • Project management — Security services and technology implementations will require solid project management skills. The information security architect will be expected to draft project plans for security service and technology deployments and coordinate with stakeholders across the organization.

Key Behaviors/Competencies:

Information security architects will be expected to demonstrate the following key behaviors and competencies as they fulfill the core responsibilities of their roles:

  • Adaptability: Demonstrates flexibility within a variety of changing situations, while working with individuals and groups. Changes his or her own ideas or perceptions in response to changing circumstances. Alters standard procedures, when necessary, and multitasks when required.
  • Business Acumen Demonstrates an awareness of internal and external dynamics, and an acute perception of the dimensions of business issues. Conducts research and identifies, collects and analyzes information about markets, economies, technology trends and business operation issues to make informed decisions. Develops approaches and solutions that are clearly linked to the organizational strategies and goals for optimal performance.:
  • Conceptual Thinking Synthesizes facts, theories, trends, inferences, and key issues and/or themes in complex and variable situations. Recognizes abstract patterns and relationships among apparently unrelated entities and situations. Applies appropriate concepts and theories in the development of principles, practices, techniques, tools and solutions.:
  • Openness to Learning Takes personal responsibility for personal growth. Acquires strategies for gaining new knowledge, behaviors and skills. Builds on and applies existing knowledge. Engages in learning from others, inside and outside the organization. Tries new approaches and broadens the scope of work to learn from work assignments.:

 

Industry Market Experience:

Healthcare; Pharmaceutical, Financial services; Government; Military

 

EDUCATION:

Bachelor's or master's degree in computer science, information systems, cybersecurity, or a related field or equivalent experience.

 

REQUIRED CERTIFICATIONS:

The information security architect will evidence his/her knowledge of security and risk management through ongoing continuing professional education. The ideal candidate will maintain one or more of the following certifications: CISSP, CISM, CISA

 

Department: Montefiore Information Technology Bargaining Unit: Non Union Campus: YONKERS  Employment Status: Regular Full-Time Address: 6 Executive Plaza, Yonkers
Shift: N/A Scheduled Hours: 8:30 AM-5 PM Req ID: 91006 

 

Montefiore is an equal employment opportunity employer. Montefiore will recruit, hire, train, transfer, promote, layoff and discharge associates in all job classifications without regard to their race, color, religion, creed, national origin, alienage or citizenship status, age, gender, actual or presumed disability, history of disability, sexual orientation, gender identity, gender expression, genetic predisposition or carrier status, pregnancy, military status, marital status, or partnership status, or any other characteristic protected by law. 

 

LI-KK1-REDIRECT; SF-DICE-MIT 


Nearest Major Market: Yonkers
Nearest Secondary Market: New York City