Information security leader with both broad and deep technical knowledge spanning over 10 years. Motivated, articulate self-starter with experience in IT governance, risk management, security engineering and architecture, enterprise IT systems, cloud architecture, networking, project management, training, troubleshooting, system administration and support. Expertise in HITRUST, HIPAA, SOC 2 Type II risk assessments, and NIST CSF and NIST SP 800-53.
Solera Health
- Website: soleranetwork.com
- Employees: 159
Information Security Officer, Solera Health, Mount Kisco, NY, US
Sr. Information Security Manager, Rethinkfirst (Mar 2024 - Present), New York, NY, US
- Reporting to Director of DevOps and Security, advise the organization on Information Security best practices and standards.
- Manage risk assessments and penetration tests for the organization. Evaluate vendors, schedule HITRUST and SOC 2 Type II risk assessments and external penetration tests. Lead effort to remediate HITRUST CAPs and gaps.
- Conducted business impact assessment, business continuity and disaster recovery exercise and incident response exercise. Revised BC and DR planning documents according to NIST, composed After Action Reports that included recommendations for change, follow up to remediate recommendations.
- Formalize process for intake of client security questionnaires, establish metrics, consult with IT, enterprise architecture and application directors to drive completion.
- Automated enrollment of new employees into onboarding training in KnowBe4 by working closely with HR and IT to improve provisioning of personnel through ADP, Hire2Retire and Microsoft Entra. Set up recurring phishing simulations in KnowBe4.
- Establish vulnerability management process for application, endpoint and web app vulnerabilities, and Azure misconfigurations. Set up cadence with IT, DevOps and application teams to prioritize and remediate vulnerabilities in Tenable One.
- Harden M365 environment using Microsoft Compliance Manager to make changes to Entra, Intune, Defender, SharePoint and Exchange. Coordinate with IT to make changes that conform to culture.
- Coordinate incident response with managed security service provider (MSSP), tuning Microsoft Sentinel SIEM, and handing off or handling incidents as appropriate.
- Review and revise organizational policies and procedures, set up policy governance committee, condense and rationalize policies.
- Hands on administration of KnowBe4 and Tenable One.
Director, Information Security Officer, Solera Health (Jul 2022 - Aug 2023), Phoenix, Arizona, US
- Manage and coach information security team, identifying opportunities for professional growth and cross-training. Advise Chief Compliance Officer and Executive Leadership Team on information security best practices. Develop information security strategy and update information security program.
- Guide organization towards achieving HITRUST certification; conduct gap analysis and assist IT and other departments in closing gaps, documenting exceptions; calculate HITRUST scoring impact of exceptions.
- Lead annual HIPAA and SOC 2 Type II assessments; and disaster recovery, business continuity, incident response, and penetration tests; gather, review, and submit evidence, then drive remediation of gaps.
- Respond to information security risk assessments and audits from current and prospective clients; represent information security on client meetings; drive remediation of corrective action plans from client information security audits.
- Advise IT on security best practices, recommend and push changes to systems that minimize operational impact. Coordinate with IT for remediation of security vulnerabilities on endpoints, web applications, and cloud resources. Provide security architecture guidance for Microsoft Azure and Google Cloud Platform.
- Advocate for Secure Software Development Lifecycle and DevSecOps practices including SAST, DAST and secure code development training.
- Hands on administration of Mimecast Secure Email Gateway, Tenable One, KnowBe4 Phishing Training, and OneTrust Third Party Risk Management platforms.
- Manage lifecycle for information security policies and procedures, acceptable use policy, and general security guidance, ensuring they align with HITRUST requirements.
- Promote security awareness through company Slack announcements, phishing tests and remedial training, and annual training.
- Manage information security department expenses, investigate new security systems and vendors, craft business justification and anticipated ROI.
Manager, Information Security, Northwell Health (Dec 2017 - Jul 2022), Lake Success, NY, US
- Offer strategic guidance on emergent IT and IT Security technologies that enable researchers to achieve the institutional mission to produce knowledge to cure disease.
- Conduct risk assessments for research studies and systems regulated by HIPAA, GDPR, CCPA and other international, federal, and state laws. Perform vendor risk assessments of services used by research. Perform gap analysis and present findings to leadership. Lead remediation for vulnerability management.
- Oversee implementation of IT security controls and processes in Microsoft Azure for cloud deployment of applications and systems. Research Azure governance and security concepts, and maintain knowledge as Microsoft releases new Azure features and makes changes to existing resources.
- Provide indirect leadership to Research IT: assist with oversight and prioritization of projects; communicate and ensure implementation of IT security, policy, and regulatory requirements; share security, infrastructure and networking knowledge; investigate and collaborate on design solutions.
- Lead and deeply involved in major projects for large file transfers using Accellion Kiteworks, 21 CFR Part 11 assessment for REDCap research system enabling in house clinical trials and electronic consent, scalable multi-petabyte storage system, and procurement of custom research computers.
- Supported successful completion of OCR Corrective Action Plan due to 2012 breach. Served as point of contact for risk assessors; scheduled facility walkthroughs and personnel interviews; ensure stakeholders produce artifacts; present risk assessment report to leadership; follow up on findings in risk register.
- Serve as liaison between the research community and corporate IT Security department to ensure research projects and studies meet deadlines. Advocate strongly for researchers, and challenge corporate IT to implement solutions that meet both researcher timelines and IT security requirements.
Information Security Officer, NYC Health + Hospitals (Nov 2015 - Dec 2017), New York, NY, US
- Draft new, and review and revise information security policies, processes, procedures and standards. Provide guidance to other IT teams of information security best practices aligned with business strategy.
- Lead HIPAA risk assessments for the organization, including facility walkthroughs. Overall project management including coordinating with corporate compliance, timely communication of deadlines, follow-up for deliverables from other teams, tracking evidence collection, ensuring delivery to third party risk assessors, review of draft reports, and explanation of findings to stakeholders.
- System administrator for the organization’s GRC tool, Rsam. Quickly learned technical aspects of this complex relational database system without formal training. Set up dev environment, redesigned workflow, learned MS SQL to develop custom stored procedures for system, maintain user manual, host training sessions, provide tier 3 support. Produce reports for management including Top 10 Risks.
- Serve as information security liaison for several hospitals, communicating to facility executive leadership upcoming security initiatives, ongoing project status, and promoting security awareness. Gather business stakeholder feedback and work with IT leadership to resolve issues.
- Work closely with the Office of Corporate Compliance on HIPAA breach investigations, and advise on HIPAA Security Rule.
Senior IT Security Analyst, Yeshiva University (Mar 2009 - Nov 2015), Manhattan, NY, US
- Spearheaded implementation of vulnerability management program. Served as system administrator for Core Insight vulnerability management solution, with Nessus performing vulnerability scans. Worked closely with IT support staff and clinical departments to remediate vulnerabilities. Provided regular reports to management.
- Researched, tested, and deployed WinMagic SecureDoc Enterprise full-disk encryption and managed Symantec Endpoint Protection solutions. Composed concise documentation for IT staff and end-users.
- Subject matter expert for HIPAA, FERPA and PCI DSS regulations.
- Liaise with General Counsel and Human Resources; oversee IT litigation hold process, coordinate with IT divisions, and gather forensic evidence for e-discovery. Established and promulgated chain of custody process. IT point of contact for personnel investigations.
- Handle daily operations of the Information Security Office. Monitor network events and SIEM alerts, coordinate incident response, and provide reports to executive management.
- Draft IT Information Security policies, procedures and standards according to industry best practices.
- Provide security guidelines for University, translating technical terms and concepts to layman for broad adoption of security principles. Host Information Security Awareness training and orientation sessions.
- Serve as IT Change Manager; ensure requests are properly classified and documented, engage stakeholders, lead Change Approval Board meetings, and guide changes through approval process. Mentor and train IT divisions as the change management process expands.
Scott L. Education Details
- Clarkson University, Computer Engineering
- Bronx High School Of Science
Frequently Asked Questions about Scott L.
What company does Scott L. work for?
Scott L. works for Solera Health.
What is Scott L.'s role at the current company?
Scott L.'s current role is Information Security Officer.
What is Scott L.'s email address?
Scott L.'s email address is sl****@****ell.edu
What is Scott L.'s direct phone number?
Scott L.'s direct phone number is (212)-960*****
What schools did Scott L. attend?
Scott L. attended Clarkson University, Bronx High School Of Science.
What are some of Scott L.'s interests?
Scott L. has interest in Information Security, Politics, Science, Computer Technology, Computer Privacy Law And Policies.
What skills is Scott L. known for?
Scott L. has skills like Information Security, Network Security, Vulnerability Management, Penetration Testing, Change Management, Disk Encryption, SIEM, Programming, Object Oriented Design, C++, C#, Perl.
Who are Scott L.'s colleagues?
Scott L.'s colleagues are Justin Smith, Tracy Falcomata, Kluivert Anyang, Joanna Orihuela Conde, Helena Sofia Pereira Neto, Laura Mayer, Eric Caslake.