The Information Security Engineer will report to the Information Security Operations Manager within the Information Security Office (ISO), with a dotted line to the Information Security Risk Manager.
This security engineer will work with the ISO and departmental IT teams to derive, define and translate high-level architecture designs into comprehensive technical implementations on our IT systems. The individual will coordinate with the risk team on deep dive assessment of IT products which involves a sharper technical focus on security components of the technology.
The engineer will conduct reviews of complex information systems, platforms, and processes in accordance with established regulations and organizational standards. They will provide technical risk findings for use by ISO Risk, Certified IT Groups (CITGs) and executives; provide architectural and technical compensating controls to reduce risk; and establish controls to mitigate loss of data, confidentiality, integrity and availability, while aligning those initiatives to the core organizational mission of Research, Care and Education. In support of the Security Architect role, the position will provide compliance awareness that aligns with the technical design during projects.
They will also serve as a resource for IT security run activity during operational tasks and deployment of managed systems and drive process improvements through the effective use of deployed systems, especially between Information Security Operations and Information Security Risk, Networking, IT Service Desk, IT Stakeholders, and other business process owners.
Review the development and implementation of Information Security systems; report on the security issues, including risks created by integrating into an environment of multiple complex systems 30%
Collaborate and partner with the Risk team to provide accurate guidance on complicated system exploit methods and vulnerabilities, and propose solutions to mitigate those risks under the established risk management strategies 20%
Communicate and drive consensus on IT security technical decisions adopted during projects 10%
Assist IT groups with remediation planning and ensure identified gaps have been appropriately managed and ensure that the requested technology fits with business and technology drivers; 10%
Research and evaluate proposed application solutions for adherence to best practice and designs 5%
Validate the efficacy of defensive mechanisms, as well as, the engineering adherence to security policies 5%
Maintain ongoing awareness of shifts in CUIMC's compliance and threat landscape and recommend appropriate changes to the risk management program to identify and assess new risks. Query, analyze and improve our processes and security posture for IT services 5%
Be an active member of the broader information security risk management community; maintain understanding of current best practices by participating in peer groups, attending or presenting at appropriate industry conferences, and researching literature and security news sources 5%
Ensure that systems comply with the organization's standards for vulnerability assessment scanning 5%
Other duties as required 5%
Requires a bachelor's degree or equivalent in education and experience, plus four years of related experience.
Proficiency in determining the root cause of security issues and a solid understanding of exploits and vulnerabilities
Familiarity with web application security vulnerabilities such as XSS, SQLi, CSRFs
Good understanding of Microsoft enterprise environments and integration to secure applications and cloud systems.
Strong knowledge of security controls on both Windows and Unix-based operating systems
Extensive experience in applying appropriate security principles in a dynamic environment that prevents unauthorized access to the network or parts of the network
Experience coding/scripting with common languages such as Python & Perl, Bash scripting.
Knowledge of cryptography as it relates to application and network security.
Ability to prepare both executive and detailed reports on risk findings and status. Ability to develop remediation plans and guide departments with remediation strategy. Strong service commitment, and verbal, writing, and reporting skills
High level of integrity, and sound judgment concerning security and privacy
Good written and verbal communication skills a must. Technical writer capable of producing technical documentation, incident reports, and risk documentation for non-technical executives
Ability to understand and work with healthcare professionals, educators and researchers.
Ability to work independently with minimal supervision as well as be creative and innovative at conducting a high volume of risk analyses while reporting accurate and relevant risks to the appropriate constituents
Strong background information security practices with significant experience in a complex, multiplatform, higher education or healthcare IT environment
Experience working in a HIPAA/HITECH/OMNIBUS-regulated environment. Functional knowledge of the HITRUST CSF based on practical working experiences and a functional knowledge of security standards such as HIPAA/HITECH, PCI-DSS, ISO 27001/2, NIST
Experience working in an academic medical center or hospital environment a plus
Project planning or management experience
Formal training in Health Information Technology, SDLC management experience
CISA/CISM, or GIAC certified penetration tester (GPEN), or Certified Ethical Hacker (CEH), or any relevant GIAC certifications, CISSP, or CISA
Equal Opportunity Employer / Disability / Veteran
Columbia University is committed to the hiring of qualified local residents.
Internal Number: 500823
About Columbia University
Columbia University is one of the world's most important centers of research and at the same time a distinctive and distinguished learning environment for undergraduates and graduate students in many scholarly and professional fields. The University recognizes the importance of its location in New York City and seeks to link its research and teaching to the vast resources of a great metropolis. It seeks to attract a diverse and international faculty and student body, to support research and teaching on global issues, and to create academic relationships with many countries and regions. It expects all areas of the university to advance knowledge and learning at the highest level and to convey the products of its efforts to the world.