Health Care ISO Job Description

Roles and Responsibilities of an Information Security Officer
Purpose: On behalf of the _____________ County Health Department, the Security Officer (SO) will serve as the focal point for security compliance-related activities and responsibilities as listed below. The SO is generally responsible for obtaining or developing the Health Department's policies and procedures for submission to the Board of Health for approval/adoption. The SO is also responsible for maintaining the health department policies and procedures, reviewing the conduct of those assigned to specific security duties, as well as administering the reviews relating to the overall security program. The SO is also responsible for ensuring that educational programs are conducted to enhance general security awareness. The SO serves as a resource regarding matters of information security and reports the status of ongoing information security activities to the designated person(s).
Responsibilities:
1. Lead in the development/adoption and enforcement of Information Security policies, procedures and standards. Conduct and complete an annual review of required HIPAA regulations and reports.
2. Maintain the Agency's Security Policies. These are formal policies that detail and document actual mechanisms and controls and should include at least the following:
   Administrative: Risk analysis and management, documentation management and controls, information access controls and sanctions for failure to comply.
   Personnel Security: Personnel only have access to the sensitive information for which they have appropriate authority and clearance.
   Physical Safeguards: Assign security responsibilities, control access to media and the controls in place against unauthorized access to workstations and related equipment.
   Technical Security: Set the access and authorization controls for everyday operations as well as emergency procedures for data.
   Transmission Security: Set the standards for access controls, audit trails, event reporting, encryption and integrity controls.
3. Maintain the Agency's Security Procedures that include:
   Evaluation and compliance with security measures.
   Disaster Recovery and Emergency operating procedures.
   Security Incident Response and process protocols including Incident Reporting and Sanctions.
   Testing of security procedures, mechanisms and measures.
4. Maintain appropriate security measures and mechanisms to guard against unauthorized access to electronically stored and/or transmitted patient data and protect against reasonably anticipated threats and hazards.
5. Oversee and/or assist in performing ongoing security monitoring of organization information systems including:
   Assess information security risk periodically.
   Conduct functionality and gap analyses to determine the extent to which key business areas and infrastructure comply with statutory and regulatory requirements.
   Evaluate and recommend new information security technologies and countermeasures against threats to information or privacy.
6. Ensure compliance through adequate training programs and periodic security audits. These audits should be both internal and external in nature.