Advertised Summary Job Description: The Information Security Risk Engineer will report to the Information Security Operations Manager within the Information Security Office (ISO), with a dotted line to the Information Security Risk Manager.
This security engineer will work with the ISO and departmental IT teams to derive, define and translate high-level architecture designs into comprehensive technical implementations on our IT systems. The individual will coordinate with the risk team on deep dive assessment of IT products which involves a sharper technical focus on security components of the technology.
The Engineer will conduct reviews of complex information systems, platforms, and processes in accordance with established regulations and organizational standards. They will provide technical risk findings for use by ISO Risk, Certified IT Groups (CITGs) and executives; provide architectural and technical compensating controls to reduce risk; and establish controls to mitigate loss of data, confidentiality, integrity and availability, while aligning those initiatives to the core organizational mission of Research, Care and Education. In support of the Security Architect role, the position will provide compliance awareness that aligns with the technical design during projects.
They will also serve as a resource for IT security run activity during operational tasks and deployment of managed systems and drive process improvements through the effective use of deployed systems, especially between Information Security Operations and Information Security Risk Assessment, Networking, IT Help Desk, IT Stakeholders, and other business process owners.
Responsibilities include:
- reviewing the development and implementation of Information Security systems;
- reporting on security issues, including risks created by integrating into an environment of multiple complex systems;
- collaborating and partnering with the Risk team to provide accurate guidance on complicated system exploit methods and vulnerabilities, and proposing solutions to mitigate those risks under the established risk management strategies;
- communicating and driving consensus on IT security technical decisions adopted during projects;
- assisting IT groups with remediation planning and ensuring that identified gaps have been appropriately managed and that the requested technology fits with business and technology drivers;
- researching and evaluating proposed application solutions for adherence to best practice and designs;
- validating the efficacy of defensive mechanisms, as well as engineering adherence to security policies;
- maintaining ongoing awareness of shifts in CUIMC's compliance and threat landscape and recommending appropriate changes to the risk management program to identify and assess new risks;
- querying, analyzing and improving our processes and security posture for IT services;
- being an active member of the broader information security risk management community;
- maintaining understanding of current best practices by participating in peer groups, attending or presenting at appropriate industry conferences, and researching literature and security news sources;
- ensuring that systems comply with the organization's standards for vulnerability assessment scanning;
- other duties as required.
General Minimum Qualifications: Requires a bachelor's degree or equivalent in education and experience, plus four years of related experience.
Additional Specific Minimum Qualifications:
Preferred Qualifications: To be considered, a candidate should meet most, or all, of these criteria.
- Proficiency in determining the root cause of security issues and a solid understanding of exploits and vulnerabilities.
- Familiarity with web application security vulnerabilities such as XSS, SQLi and CSRF.
- Good understanding of Microsoft enterprise environments and integration to secure applications and cloud systems.
- Strong knowledge of security controls on both Windows and Unix-based operating systems.
- Extensive experience in applying appropriate security principles in a dynamic environment to prevent unauthorized access to the network or parts of the network.
- Experience coding/scripting with common languages such as Python, Perl and Bash.
- Knowledge of cryptography as it relates to application and network security.
- Ability to prepare both executive and detailed reports on risk findings and status; ability to develop remediation plans and guide departments with remediation strategy; strong service commitment, and verbal, writing, and reporting skills.
- High level of integrity, and sound judgment concerning security and privacy.
- Good written and verbal communication skills a must. Technical writer capable of producing technical documentation, incident reports, and risk documentation for non-technical executives.
- Ability to understand and work with healthcare professionals, educators and researchers.
- Ability to work independently with minimal supervision, and to be creative and innovative in conducting a high volume of risk analyses while reporting accurate and relevant risks to the appropriate constituents.
- Strong background in information security practices, with significant experience in a complex, multi-platform, higher education or healthcare IT environment.
While none of these qualifications are required, the more a candidate has under their belt, the higher priority their application will be given.
- Experience working in a HIPAA/HITECH/OMNIBUS-regulated environment. Functional knowledge of the HITRUST CSF based on practical working experience, and functional knowledge of security standards such as HIPAA/HITECH, PCI-DSS, ISO 27001/2 and NIST.
- Experience working in an academic medical center or hospital environment a plus.
- Project planning or management experience.
- Formal training in Health Information Technology; SDLC management experience.
- CISA/CISM, GIAC Certified Penetration Tester (GPEN), Certified Ethical Hacker (CEH), any relevant GIAC certification, CISSP, or CISA.
As a member of the National Collegiate Athletic Association (NCAA) and the Council of Ivy Group Presidents (Ivy League), it is imperative that members of the Columbia University community, in all matters related to the intercollegiate athletics program, exhibit the highest professional standards and ethical behavior with regard to adherence to NCAA, Conference, University, and Department of Intercollegiate Athletics and Physical Education rules and regulations.
Columbia University is an Equal Opportunity/Affirmative Action employer.
Internal Number: 126_174709
About Columbia University
Columbia University is one of the world's most important centers of research and at the same time a distinctive and distinguished learning environment for undergraduates and graduate students in many scholarly and professional fields. The University recognizes the importance of its location in New York City and seeks to link its research and teaching to the vast resources of a great metropolis. It seeks to attract a diverse and international faculty and student body, to support research and teaching on global issues, and to create academic relationships with many countries and regions. It expects all areas of the university to advance knowledge and learning at the highest level and to convey the products of its efforts to the world.