Information Security & Privacy Manager
About Carrot:
Carrot Fertility is the leading global fertility benefits provider for employers and health plans, built to support employees through their lifelong fertility healthcare journey. Companies use Carrot to customize a fertility benefit that provides employees financial, medical, and emotional support as they pursue parenthood, reducing healthcare costs and resulting in better clinical outcomes.
Responsibilities:
Carrot is seeking a results-oriented Information Security & Privacy Manager for a cloud-based service provider in the healthcare industry. The role requires knowledge of security and privacy best practices, industry security standards, and a broad understanding of SaaS and PaaS technology. The Manager will report to the Director of Information Security and Privacy and support the security department.
Position Summary:
The Information Security & Compliance Manager will play a key role in assessing and enhancing the organization's capabilities in regulatory compliance, cyber security, and privacy. You will be responsible for coordinating and managing compliance assessments and their activities, developing remediation strategies, and assessing controls. You will also assist with responding to cyber questionnaires and customer requests regarding pen testing and more, and will be instrumental in helping select and implement technology to uplift and support the organization from a security perspective.
Essential Job Functions:
Lead // Own
- Own and manage organizational IT policies, standards, and procedures (Information Security Management System - ISMS) to identify control points that would assist in mitigating risk to the business and to keep company policies up to date.
- Cyber Security Incident Response - Lead the maturity and development of the Incident Response Model; be the spokesperson across departments; represent the function at the executive level
- Third Party Vendor Management - Manage and implement third party vendor management in support of Information Security and compliance obligations; liaise with contacts at third party vendors to monitor and maintain security posture; conduct initial and annual security assessments in compliance with Carrot policy
- Document security exceptions and manage remediation; run weekly exceptions meetings with IT & Security teams
- ISO 27001 - Plan and prepare for certification; conduct gap analysis; manage remediation and preparation for external review
- Acquire third- and fourth-party internal security controls documentation, including but not limited to SIG (LITE/FULL), SOC audit reports, ISO certifications, internal policies and procedures, dataflow charts, vulnerability and penetration testing, BCP tests, privacy policies, etc., for review by stakeholders to establish plans for sustainable resolution
Manage
- Vulnerability & Threat Management - Respond to and research vulnerabilities across the Carrot environment, determine applicability, and coordinate communications and responses
- Manage annual penetration testing and remediation efforts
- Review test results or interpret evidence to address vulnerabilities, gaps, or control deficiencies
- Manage responses to Security Questionnaires/Annual Security Assessments from clients
Support
- Support Global Privacy initiatives, including:
- Data Retention
- Data Mapping
- Privacy Impact Assessments
- Privacy by Design
- Data Subject Access Requests
- Assist with ongoing PCI DSS Compliance
- Cloud Security Strategy - Support department efforts with regard to best practices
- Research security enhancements and make recommendations to management
- Perform other tasks as necessary to ensure that the compliance function meets its commitments to stakeholders
Position Requirements:
- Advanced knowledge of cyber/information security management policies and procedures, HIPAA/HITECH, information systems, and network security
- Advanced knowledge of risk management techniques, technological trends, and developments in cyber/information security, systems/software development, engineering, integration, testing and evaluation, and operating systems.
- Knowledge of and experience with obtaining and maintaining PCI DSS, SOC 2, HIPAA, and HITRUST compliance
- Advanced working knowledge of applicable and accepted security standards and frameworks (ISO, NIST CSF, etc.)
- Advanced knowledge and understanding of healthcare regulatory and compliance requirements such as HIPAA, HITECH, PCI, ISO, GDPR, and CCPA
- Advanced knowledge and skill set to develop and implement sustainable cybersecurity solutions (tools, processes, controls, etc.) to reduce risk across the entire landscape of the company, including vulnerability testing tools such as Intruder
- Experience with project management, including defining scope, goals, and deliverables while working across an organization to implement timely results
- Working knowledge of Office 365, Slack, G-suite
Education:
Bachelor's Degree in Computer Science, Healthcare Information Technology, or relevant field or equivalent knowledge and skills obtained through a combination of education, training, and experience required.
Experience / Training:
- Minimum of 4 years of experience in IT, of which at least 3 years of experience in information security is required.
- Healthcare experience preferred; experience in information security, cyber risk management, compliance, or a related field required.
Certification:
One or more relevant information security and privacy-related certifications preferred. Examples include CISSP, CISA, HCISPP, CCSP, CRISC, CISM, GCIH, GCFA, GNFA, GPEN, GSEC, QSA, CEH, CIPP/E, CIPP/US, CIPT, CIPM, FIP, or CDPSE.
Why Carrot?
Founded in 2016, Carrot now supports 400+ companies in more than 60 countries across North America, Asia, Europe, South America, and the Middle East. Carrot has been honored by CB Insights as one of the world's most promising private digital health companies, named to Fierce Healthcare's Fierce 15 list highlighting the most promising healthcare companies, and recognized by Fast Company as a World Changing Ideas honoree, which spotlights companies that are tackling society's biggest problems.