Job ID: MS-112610 (90091227)3P
Remote Security Analyst with datacenter, encryption, MARS-E, POAM, HIPAA, NIST, DR, and Breach documentation experience
Location: Jackson, MS (Medicaid)
Duration: 36 months
Required Skills/Experience
Provide the minimum required skills and/or experience the contractor must possess to qualify for this position. These requirements will be transferred to the Score Sheet and candidates without these requirements reflected on their resume will NOT be presented to the manager for consideration.
Experience in IT security roles on Information Technology projects (5 yrs)
Experience in IT security roles working with hosted infrastructure/datacenters with multiple vendors (4 yrs)
Experience utilizing and implementing security, privacy, network, and datacenter best practices (2 yrs)
Experience in IT security roles working with encryption of data in transit and at rest, preferably using multiple encryption methodologies (2 yrs)
Experience with privacy and security technologies and methodologies (2 yrs)
Experience facilitating and responding to security audits, specifically MARS-E and management of POAM resolution (3 yrs)
Experience ensuring that systems are in compliance with federal IT security regulations (HIPAA, NIST, MARS-E, etc.) and remediating deficiencies (3 yrs)
Experience with disaster recovery and failover methodologies while adhering to security requirements (1 yr)
Project management experience including reporting project status, project milestones, project achievements, and project risks verbally and in writing to senior leadership (5 yrs)
Verifiable experience developing and giving presentations (2 yrs)
Experience facilitating a variety of different types of project meetings with various stakeholders at multiple levels throughout the agency and its business partners (2 yrs)
Preferred/Not Required
Experience in enforcing the HIPAA Breach Notification Rule, including preparation of a formal response for any HIPAA Breach (Documented experience required) (any)
Experience securing PHI/PII data in accordance with Health Insurance Portability and Accountability Act (HIPAA) regulations (5 yrs)
IT security and data privacy experience in a healthcare environment (2 yrs)
Additional consideration may be given for security and network certifications. Vendor must specify and provide proof of the certification(s). Examples include but are not limited to: Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), etc. (Documented experience required) (any)
Experience with Health Information Exchange (HIE) deployments, interfaces, and HIE interoperability projects utilizing established industry best practices and standards (2 yrs)
Experience documenting requirements and validating the security components of deliverables, RFP evaluation as needed, etc. (2 yrs)
Refine, strengthen, and maintain DOM’s security program.
Security Framework, Security Planning, and Regulatory Expertise
-Implement a security framework for DOM that will enable the agency to maintain compliance with security regulatory requirements and security controls based on the Minimum Acceptable Risk Security and Privacy Controls for Exchanges (MARS-E).
-Map processes, policies, procedures, and appropriate documentation to the appropriate security controls within the security framework.
-Maintain an in-depth knowledge about the DOM technical environment and ensure ongoing security controls are maintained following regulatory requirements and industry best practices.
-Keep abreast of the ever-changing security technology in computer systems, network environment, and telecommunication products, including federal and state security protocols such as: CFR45, NIST, MARS-E, Information Technology Services (ITS) Enterprise Security Policy, etc.
-Provide subject matter network and technical expertise in the acquisition/procurement, implementation, configuration, and management of various security products including but not limited to GRC system, Managed Security Services, IDS/IPS, firewalls, email/web filtering devices as well as other security appliances, hardware, and software.
-Provide subject matter security expertise across all DOM projects to ensure security and privacy compliance with state and federal requirements.
-Evaluate technical architecture in legacy, cloud, and hybrid data center environments and make recommendations based on regulatory compliance, best practices, and experience.
-Ensure that DOM’s information systems enterprise security planning efforts encompass disaster recovery and business continuity.
-Establish security priorities, in collaboration with appropriate DOM and vendor personnel and the DOM Privacy Officer.
-Represent Information Security at business leadership, steering, governance, and iTECH committee meetings.
Security Policies and Documentation
-Conduct annual review of security policies and update them as needed.
-Analyze and refine existing security policies as needed to maintain compliance.
-Create additional policies as necessary to address all the control families within the security framework.
-Create and maintain standard contractual language concerning security requirements for use in competitive instruments and contracts.
-Direct and participate in the preparation and maintenance of reports, policies, process, procedures, audit logs, and gathering of evidence as necessary to carry out the information security functions of DOM.
-Prepare regular reports for management, as necessary or requested, to track strategic goals related to the information security posture of DOM.
-Review security documentation and deliverables submitted by DOM’s business partners and DOM Project Managers and provide guidance and feedback as necessary to protect DOM’s confidential information and maintain compliance with state and federal regulations.
-Coordinate with DOM vendors and staff in response to writing security related documentation/reports for other state and federal entities including Advanced Planning Documents, Plans of Actions and Milestones (POA&Ms) reports to governmental agencies, Safeguard Security Reports, and System Design Plans.
-Update and maintain the System Security Plans (SSP) and coordinate other Vendors’ updates to SSPs for each system.
Data Classification / Access Control
-Establish/maintain system inventories and data classification protection profiles and assign control element settings for each category of data for which DOM is responsible.
-Ensure access to confidential information within the DOM enterprise systems follows meaningful use, regulatory compliance, and that access is immediately terminated upon the departure of staff members.
-Perform periodic review and analysis of active users in DOM systems to the terminated and new hire employee lists provided by Human Resources to ensure users have the minimal access necessary to perform their job duties and that terminated employees are removed from systems in a timely manner.
Workforce Security Training and Collaboration with DOM Offices and DOM’s Business Partners
-Establish and maintain a security awareness program for DOM’s workforce to include roles with access to Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI).
-Manage DOM’s security training efforts.
-Foster a culture of security among DOM’s workforce.
-Promote the ongoing goal of increasing the overall security and privacy posture of DOM’s enterprise on premise and vendor-hosted and managed systems.
-Coordinate security activities between other business units within DOM, vendors, partners, state, and federal agencies.
-Establish and manage a security/compliance committee comprised of a good representative cross-section of DOM stakeholders.
-Collaborate with Compliance, Legal, Privacy, Human Resources, iTECH management and staff, and other personnel as appropriate in matters relevant to information security.
-Coordinate and collaborate extensively with the DOM Privacy Officer.
Refine, strengthen, and maintain a security governance risk management and compliance program encompassing operational, procedural, technical, architectural and physical access components.
Risk Management
-Ensure DOM, partners, and vendors meet or exceed all DOM security and privacy requirements and contractual obligations related to information security and that any risks or deficiencies are documented, and a corrective action plan is agreed upon and followed.
-Evaluate technical systems, generate written reports documenting vulnerabilities and configuration deficiencies, design defects, or other risks to the security of DOM information systems environments and engagement findings.
-Biannually conduct risk analyses of all systems involved in the administration of federal Health and Human Services (HHS) Programs in compliance with federal regulation 45 CFR 95.621 to identify and implement necessary safeguards.
-Perform and coordinate risk analysis tasks related to the security and privacy of DOM’s enterprise IT environment, including risk mitigation plans, risk prioritization, and the elimination or minimization of risks.
-Manage DOM’s Security Risk Strategy.
Compliance
-Monitor and advise DOM iTECH and business partners in the creation of the contractual requirements of partner and vendor security and privacy requirements for federal, state, and iTECH policy, regulatory, and legal compliance.
-Perform network-based infrastructure scans, database scans, web application scans, and penetrations tests when necessary to determine that DOM’s technical environment meets security control requirements.
-Identify security vulnerabilities and ensure DOM’s compliance with the major security guidelines such as MARS-E, NIST, HIPAA and other applicable security safeguards.
-Regularly assess threat levels and recommend needed adjustments to existing security policies. Work with appropriate DOM vendor personnel and DOM to prioritize and schedule the remediation tasks necessary to address audit findings in a timely manner.
-Test firewalls/routers/systems/database configurations and access control rules to ensure compliance with required standards and documented standards and policies.
-Implement, manage, and administer a GRC solution once it has been procured.
-Evaluate security-related tasks to be outsourced and provide subject matter expertise for procuring Managed Security Services (MSS).
-Provide oversight and administration of DOM’s managed security service provider(s) once procured.
Audits
-Lead ongoing audit or assessment activities by managing and responding to all IT audits (regular and ad-hoc) involving technology and security matters by facilitating, gathering, and supplying documentation when required, reviewing findings, and developing and managing to completion remediation plans for those findings. These audits by state and federal entities include but are not limited to Mississippi Office of the State Auditor, Internal Auditors, IRS, CMS, Office of the Inspector General (OIG), Social Security Administration (SSA), MARS-E, etc.
-Participate in each audit entry and exit meeting and work with auditor to establish their requirements.
-Consolidate DOM’s responses into a cohesive and understandable response to the auditor’s requests for information.
-Respond to audit findings/questions and manage all remediation efforts.
-Develop and manage an enterprise-wide approach and process for managing security remediation tasks from all audit findings which includes the analysis and inspection of DOM’s enterprise technical environment.
Manage and be accountable for responses to breaches/security incidents.
-Immediately review any security events including any potential incident or breach.
-Provide reports when necessary, on security events.
-Escalate security events to DOM leadership, Office of General Counsel, and follow-up on suspected or actual violations/intrusions that affect the confidentiality, integrity, and availability of DOM’s enterprise information systems.
-Work alongside the Privacy Officer (PO) to assess potential HIPAA breaches and respond accordingly.
-Upon report of an incident, work with the DOM Privacy Officer and DOM and vendor personnel to gather and validate the facts.
-Evaluate and weigh the facts surrounding an incident to assess whether a breach has occurred.
-Work with the PO and DOM Leadership to follow security protocols for reporting the incident/breach to the appropriate authorities, as necessary.
Major Challenges
-Keeping abreast of the ever-changing security technology in computer systems, network environments, and telecommunication products.
-Acquiring and maintaining subject matter expertise in all federal (CFR45), NIST, MARS-E, and other security controls that the Division of Medicaid is required to meet.
-Ensuring that security policies, processes, and system restrictions implemented do not unduly overburden users.
Decision-Making Requirements
Decisions Made by You: All policy, procedure, risk management, and compliance decisions that are necessary to adequately maintain and improve DOM’s information technology security posture.
Decisions Made in conjunction with Others: Decisions which require approval and authorization of expenditures (purchase of security hardware, software, and services). Decisions that involve both privacy and security are made in conjunction with DOM’s Privacy Officer.
Decisions Recommended: Decisions that have an agency-wide impact may require a recommendation from the DOM Security Officer to a DOM Security/Compliance Committee for a final decision. The decisions made by the Security Officer have the potential to impact technology functionality and can make it difficult for users to perform their job functions. The Security Officer must achieve a balance between securing DOM’s technical environment while minimizing the impact to business operations and functionality.
Typical Projects
-Assessing HIPAA incidents for potential breaches.
-Performing risk assessments.
-Reviewing and modifying security policies.
-Performing regular security vulnerability scans on the DOM enterprise.
-Managing and updating the status of risk mitigations and remediations.
-Reviewing and providing security subject matter expertise to DOM’s third party contracts and other deliverable documents to ensure that adequate security controls are in place to protect DOM’s data.
-Managing all audits involving technology and security matters, including facilitating, gathering, and supplying documentation.
-Subject matter expert in the procurement of various security products including but not limited to: a Governance, Risk Management and Compliance (GRC) solution, and Managed Security Services (MSS) including Threat Management, Vulnerability, Threat and Risk Management, IDS/IPS, and firewall management.
-Management and administration of GRC and MSS.
Complexity of Work
-Very complex to understand, apply, and keep up with security controls and requirements, including but not limited to NIST 800-53, 45 CFR regulations, and Minimum Acceptable Risk Standards for Exchanges (MARS-E 2.0).
-Work requires competency with security issues and the ability to understand how hackers access multiple operating systems and different types of computer hardware and software as well as multiple architectures (on premise, hybrid, and cloud-based).
-Ability to use tools and diagnostics to evaluate the security threats to DOM’s network.
-Typical Team Size: While the security function at DOM for now only consists of this one position, DOM plans to procure Managed Security Services for tasks that the Security Officer recommends outsourcing. Additionally, the Security Officer is expected to assess DOM’s environment and current security posture and make recommendations for additional staff or services deemed necessary to fulfill federal and state regulatory requirements for security. The Security Officer will work collaboratively with the Privacy Officer, the iTECH Help Desk and Network Teams, and other DOM staff as necessary to fulfill the requirements of this position.
Work Environment
-DOM will be responsible for providing awarded candidate access to all documentation, system environments, technical infrastructure, and software as necessary to perform this role, subject to budgetary constraints.
-If needed, DOM will provide the awarded candidate office space, computing equipment, phone, network/internet access, printing capability, and access to meetings rooms with projectors.
-Vendor must comply with all DOM security and physical access rules.
-Any work products created as part of these job duties are the property of DOM. The vendor/awarded candidate is not to remove any work products from DOM’s site without DOM’s prior authorization.
Applicants who do not meet ALL of the required skills/experience minimums may not be considered further.