Type: Contract
Duration: 1 year from projected start date
Location: Jackson, MS
50% Onsite Position
The MSDH Office of Health Data, Operations and Research (HDOR) is responsible for the
operation of the agency’s processing systems, payment systems, and all information technology
systems. These systems transmit and maintain sensitive information, including protected health
information (PHI) collected by MSDH in its role both as a provider and public health authority
for the state.
Under 45 CFR §164.308, as a covered entity under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), MSDH is required to identify a Security Officer
responsible for the development and implementation of policies and procedures to protect the
confidentiality, integrity and availability of electronic Protected Health Information (ePHI)
created, transmitted, received and/or stored by the agency. The same individual, designated
the IT Security Officer (ITSO), is also required by the state Department of Information
Technology Services (ITS) under Rule 1.6 of the ITS Enterprise Security Policy. Under this
rule, the ITSO is responsible for:
a. Developing and maintaining agency-specific security plans, policies, and procedures.
b. Interacting with ITS as the primary contact for security related issues.
c. Ensuring MSDH is adhering to the State of Mississippi Enterprise Security Policy.
d. Participating in the state information security listserv.
e. Researching security issues in the IT industry and how they affect MSDH specifically.
f. Monitoring security applications, activity logs, resources and issues within the agency utilizing
approved security software and hardware.
g. Facilitating the State Auditor’s Information Systems Audit and any Third Party
Risk Assessments.
MSDH is in need of a full-time IT Security Officer (ITSO) to perform the above tasks and lead
the development and maturity of the agency’s enterprise-wide cybersecurity posture. The ITSO
will also be responsible for leading and coordinating the security effort among all MSDH’s
vendors, workforce members, and systems. The ITSO will require a combination of technical
skillsets, including an in-depth understanding of architecture, security, and privacy, as well as
proficiency in written and verbal communication. The ITSO must work from the
MSDH central office campus, located in Jackson, MS, at least 50% of the time. The ITSO will
supervise daily activities of the Information Security and Privacy Manager in collaboration
with the MSDH Privacy Officer.
The ITSO must also maintain a strong understanding of risk management and governance
practices and the use of risk management methodologies. Reporting to the Chief of HDOR, the
ITSO is responsible for strengthening and maintaining the MSDH information security program,
including hands-on execution and day-to-day management of the MSDH enterprise network, as
well as responsibility for all aspects of IT security audits. The ITSO must also participate in the
agency Information Security Management Council and Offices of Health Information
Technology Leadership Meetings, and work collaboratively with all Office of Health
Information Technology workforce members.
1. Refine, strengthen and maintain MSDH’s security program.
1.1. Security Framework, Security Planning, and Regulatory Expertise
1.1.1 Implement a security framework for MSDH that will enable the agency to
maintain compliance with federal and state security regulatory
requirements and security controls.
1.1.2 Map processes, policies, procedures, and appropriate documentation to the
appropriate security controls within the security framework.
1.1.3 Maintain an in-depth knowledge of the MSDH technical
environment, including ITS-governed components, and ensure ongoing security
controls are maintained following regulatory requirements and industry best
practices.
1.1.4 Keep abreast of the ever-changing security technology in computer
systems, network environments, and telecommunication products, including federal
and state security standards and policies such as NIST publications and the
Information Technology Services (ITS) Enterprise Security Policy.
1.1.5 Provide subject matter network and technical expertise in the
implementation, configuration, and management of various security
products, including but not limited to a GRC system, Managed Security
Services, IDS/IPS, firewalls, and email/web filtering devices, as well as other
security appliances, hardware, and software.
1.1.6 Provide subject matter security expertise across all MSDH projects to
ensure security and privacy compliance with state and federal requirements.
1.1.7 Evaluate technical architecture in multiple environments and make
recommendations based on regulatory compliance, best practices, and
experience.
1.1.8 Ensure that MSDH’s information systems enterprise security planning efforts
encompass service interruption avoidance, disaster recovery and business
continuity.
1.1.9 Establish security priorities in collaboration with appropriate MSDH and
vendor personnel.
1.1.10 Represent Information Security at senior leadership meetings and as a member
of the Information Security Management Council (ISMC).
1.2 Security Policies and Documentation
1.2.1 Conduct annual review of security policies and procedures and update them as
needed.
1.2.2 Analyze and refine existing security policies and procedures as
needed to maintain compliance.
1.2.3 Create additional policies and procedures as necessary to address all the
control families within the security framework.
1.2.4 Create and maintain standard contractual language concerning security
requirements for use in competitive instruments and contracts.
1.2.5 Direct and assure successful preparation and maintenance of reports,
policies, processes, procedures, audit logs, and gathering of evidence as necessary to
carry out the information security functions of MSDH.
1.2.6 Prepare and present regular reports for the agency, as necessary or
requested, to track strategic goals related to the information security posture of
MSDH.
1.2.7 Review security documentation and deliverables submitted by MSDH
partners and provide guidance and feedback as necessary to protect
MSDH’s confidential information and maintain compliance with state and
federal regulations.
1.2.8 Coordinate with MSDH workforce members and vendor personnel in writing
security-related documentation and reports for other state and federal entities,
including Advanced Planning Documents, Plans of Action and Milestones (POA&M)
reports to governmental agencies, Safeguard Security Reports, and System Design Plans.
1.2.9 Update and maintain the System Security Plans (SSPs) and coordinate
vendors’ updates to the SSP for each system.
1.2.10 Operationalize security policies and procedures in collaboration with
MSDH workforce members and vendor personnel.
1.3 Data Classification / Access Control
1.3.1 Establish and maintain system inventories and data classification protection
profiles, and assign control element settings for each category of data for which
MSDH is responsible.
1.3.2 Ensure access to confidential information within the MSDH enterprise
systems follows regulatory compliance, and that access is immediately terminated
upon the departure of staff members.
1.3.3 Perform periodic review and analysis of active users in MSDH systems
against the terminated and new-hire employee lists provided by Human Resources
to ensure users have the minimal access necessary to perform their job
duties and that terminated employees are removed from systems in a
timely manner.
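The periodic access review in 1.3.2 and 1.3.3 is, in practice, a reconciliation of the system's enabled accounts against the HR roster. The script below is an added example, not code from the original posting or from MSDH. It assumes two exports are available: an account dump from the system under review and an HR roster carrying each employee's status and separation date. Both inputs are constructed sample data, and the 90-day dormancy threshold and one-day termination grace period are assumed policy values.

```python
"""Access review: reconcile enabled system accounts against the HR roster.

Added example, not part of the original posting. It assumes two exports
exist: an account export from the system under review and an HR roster
with employee status and separation date. Both inputs below are
constructed sample data, not real MSDH records.
"""
from datetime import date

# Constructed account export (as an LDAP/AD or application user dump might look).
ACCOUNT_EXPORT = """\
username,employee_id,enabled,last_login,privileged
jsmith,E1001,true,2024-05-01,false
mjones,E1002,true,2024-01-15,true
rlee,E1003,false,2023-11-02,false
svc_backup,,true,2024-05-02,true
tbrown,E1004,true,2024-04-28,false
kwhite,E1005,true,2024-01-20,true
"""

# Constructed HR roster: status and separation date per employee ID.
HR_ROSTER = """\
employee_id,status,separation_date
E1001,active,
E1002,terminated,2024-03-31
E1003,terminated,2023-10-31
E1004,active,
E1005,active,
"""

STALE_DAYS = 90             # assumed policy: accounts unused this long are dormant
TERMINATION_GRACE_DAYS = 1  # assumed policy: access removed within one day of separation


def parse_csv(text):
    """Minimal CSV parser for the simple, comma-free fields used here."""
    rows = [line.split(",") for line in text.strip().splitlines()]
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def parse_date(value):
    return date.fromisoformat(value) if value else None


def reconcile(account_csv, hr_csv, as_of_iso):
    """Return findings keyed by type; each value is a sorted list of usernames.

    terminated_still_enabled: enabled account whose employee separated more
                              than TERMINATION_GRACE_DAYS ago
    orphaned:                 enabled account with no matching HR record
                              (service accounts need a named owner instead)
    stale:                    enabled account with no login within STALE_DAYS
    privileged:               all enabled privileged accounts, for targeted review
    """
    as_of = date.fromisoformat(as_of_iso)
    hr = {row["employee_id"]: row for row in parse_csv(hr_csv)}
    findings = {"terminated_still_enabled": [], "orphaned": [], "stale": [], "privileged": []}

    for acct in parse_csv(account_csv):
        if acct["enabled"].lower() != "true":
            continue  # disabled accounts are out of scope for this review
        user = acct["username"]
        if acct["privileged"].lower() == "true":
            findings["privileged"].append(user)

        employee = hr.get(acct["employee_id"]) if acct["employee_id"] else None
        if employee is None:
            findings["orphaned"].append(user)
            continue

        if employee["status"] == "terminated":
            separated = parse_date(employee["separation_date"])
            if separated is None or (as_of - separated).days > TERMINATION_GRACE_DAYS:
                findings["terminated_still_enabled"].append(user)
                continue

        last_login = parse_date(acct["last_login"])
        if last_login is None or (as_of - last_login).days > STALE_DAYS:
            findings["stale"].append(user)

    return {key: sorted(names) for key, names in findings.items()}


if __name__ == "__main__":
    for kind, users in reconcile(ACCOUNT_EXPORT, HR_ROSTER, "2024-05-06").items():
        print(f"{kind}: {', '.join(users) or '-'}")
```

Run against the sample data as of 2024-05-06, the review flags mjones (separated 31 March, still enabled), svc_backup (no HR owner), and kwhite (privileged, no login in over 90 days). The same reconciliation run against each system's export, with the HR roster as the single source of truth, is what turns "terminated employees are removed in a timely manner" into evidence an auditor can check.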
1.4 Workforce Security Training and Collaboration with MSDH Offices and
MSDH’s Business Partners
1.4.1 Establish and maintain a security awareness program for MSDH’s
workforce, to include roles with access to PHI, Personally Identifiable Information (PII)
and Federal Tax Information (FTI), and as required by ITS.
1.4.2 Manage MSDH’s security training efforts.
1.4.3 Foster a culture of security among MSDH’s workforce.
1.4.4 Promote the ongoing goal of increasing the overall security and privacy
posture of MSDH’s enterprise, including on-premises and vendor-hosted and managed systems.
1.4.5 Coordinate security activities between offices within MSDH, vendors,
partners, state, and federal agencies.
1.4.6 Establish and manage a security/compliance committee comprised of a
representative cross-section of MSDH stakeholders.
1.4.7 Collaborate with Legal, Privacy, Human Resources, OHIT leadership
and workforce members, and other personnel as appropriate in matters relevant to
information security.
2 Refine, strengthen, and maintain a security governance, risk management and
compliance program encompassing operational, procedural, technical, architectural
and physical access components.
2.1 Risk Management
2.1.1 Ensure MSDH, partners, and vendors meet or exceed all MSDH security
and privacy requirements and contractual obligations related to information security
and that any risks or deficiencies are documented, and a corrective action plan is
agreed upon and followed.
2.1.2 Evaluate technical systems, generate written reports documenting
vulnerabilities and configuration deficiencies, design defects, or other
risks to the security of MSDH information systems environments and
engage MSDH workforce members on activities resulting from
findings.
2.1.3 Biannually conduct risk analyses of all systems involved in compliance
with federal regulations to identify and implement necessary safeguards.
2.1.4 Direct, perform and coordinate risk analysis tasks related to the security
and privacy of MSDH’s enterprise IT environment, including risk mitigation plans,
risk prioritization, and the elimination or minimization of risks.
2.1.5 Manage MSDH’s Security Risk Strategy.
2.2 Compliance
2.2.1 Monitor and advise OHIT and the Office of Data Governance on the
creation of contractual security and privacy requirements for partners and vendors,
to meet federal, state, and OHIT policy, regulatory, and legal compliance obligations.
2.2.2 Perform network-based infrastructure scans, database scans, web
application scans, and penetration tests when necessary to determine that MSDH’s
technical environment meets security control requirements, and report actionable
findings to OHIT leadership.
2.2.3 Identify security vulnerabilities, report findings to OHIT and ISMC
leaders, and work with MSDH to ensure compliance with major security
guidelines such as NIST publications and other applicable security safeguards.
2.2.4 Regularly assess threat levels and recommend needed adjustments to
existing security policies. Work with appropriate MSDH vendor personnel and
MSDH to prioritize and schedule the remediation tasks necessary to address audit
findings in a timely manner.
2.2.5 Test firewall, router, system, and database configurations and access control
rules to ensure compliance with required standards and documented policies.
Coordinate required changes with appropriate OHIT workforce members.
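Testing access control rules against a documented standard (2.2.5) means reading the exported rule base and checking each rule against the written policy rather than eyeballing it. The script below is an added example, not code from the original posting or from MSDH. The rule set is constructed, and the checks (no any-to-any allow, no cleartext management protocols, no administrative ports reachable from any source, no expired temporary rules, a change ticket on every allow rule) are assumptions standing in for an agency's actual documented standard; a real review would parse the vendor's configuration export and apply the agency's own policy.

```python
"""Firewall rule compliance check against a documented standard.

Added example, not code from the original posting or from MSDH. The rule
set and the checks are constructed assumptions standing in for an agency's
own documented standard; a real review would parse the vendor's exported
configuration and apply the agency's actual policy.
"""
from datetime import date

# Constructed, simplified rule export, in evaluation order.
SAMPLE_RULES = [
    {"name": "web-in", "src": "any", "dst": "10.10.1.20", "ports": {443},
     "action": "allow", "ticket": "CHG-1042", "expires": None},
    {"name": "legacy-telnet", "src": "any", "dst": "10.10.1.5", "ports": {23},
     "action": "allow", "ticket": "CHG-0077", "expires": None},
    {"name": "vendor-rdp-temp", "src": "203.0.113.0/24", "dst": "10.10.2.0/24",
     "ports": {3389}, "action": "allow", "ticket": "CHG-1100", "expires": "2024-03-31"},
    {"name": "any-any", "src": "any", "dst": "any", "ports": {"any"},
     "action": "allow", "ticket": "", "expires": None},
    {"name": "default-deny", "src": "any", "dst": "any", "ports": {"any"},
     "action": "deny", "ticket": "CHG-0001", "expires": None},
]

# Assumed policy parameters (stand-ins for the agency's documented standard).
CLEARTEXT_PORTS = {21, 23, 69}        # FTP, telnet, TFTP: cleartext, not permitted
ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM: never reachable from "any"


def audit_rules(rules, as_of_iso):
    """Return sorted (rule name, violation code) pairs for allow rules that
    break the assumed standard. Deny rules are not checked."""
    as_of = date.fromisoformat(as_of_iso)
    violations = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        name, ports = rule["name"], rule["ports"]
        if not rule["ticket"]:
            violations.append((name, "MISSING_CHANGE_TICKET"))
        if rule["expires"] and date.fromisoformat(rule["expires"]) < as_of:
            violations.append((name, "EXPIRED_TEMPORARY_RULE"))
        if rule["src"] == "any" and rule["dst"] == "any":
            violations.append((name, "ANY_TO_ANY_ALLOW"))
            continue  # the broader finding subsumes the port-level ones
        # A rule opening every port necessarily opens the cleartext ones too.
        if "any" in ports or ports & CLEARTEXT_PORTS:
            violations.append((name, "CLEARTEXT_PROTOCOL_ALLOWED"))
        if rule["src"] == "any" and ("any" in ports or ports & ADMIN_PORTS):
            violations.append((name, "ADMIN_PORT_FROM_ANY_SOURCE"))
    return sorted(violations)


if __name__ == "__main__":
    for name, code in audit_rules(SAMPLE_RULES, "2024-05-06"):
        print(f"{name}: {code}")
```

As of 2024-05-06 the sample rule base yields four findings: the any-to-any allow (which also lacks a change ticket), the telnet rule, and the vendor RDP rule that expired on 31 March. Each finding maps to a rule name and a policy clause, which is the form a remediation task and the auditor's evidence request both need.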
2.3 Audits
2.3.1 Lead ongoing audit or assessment activities by managing and
responding to all IT audits (regular and ad-hoc) involving technology and
security matters by facilitating, gathering, and supplying documentation
when required, reviewing findings, and developing and managing to
completion remediation plans for those findings. These audits by state and
federal entities include but are not limited to Mississippi Office of the
State Auditor, Internal Auditors, IRS, Office of the Inspector General
(OIG), etc.
2.3.2 Participate in each audit entry and exit meeting and work with the auditors to
establish their requirements. Participate in audit meetings as required
by the Chief of HDOR.
2.3.3 Consolidate MSDH’s responses into a cohesive and understandable
response to the auditor’s requests for information.
2.3.4 Respond to audit findings/questions and manage all remediation efforts.
2.3.5 Develop and manage an enterprise-wide approach and process for
managing security remediation tasks from all audit findings which includes the
analysis and inspection of MSDH’s enterprise technical environment.
3 Manage and be accountable for responses to breaches/security incidents with the
MSDH Incident Response Team/Information Security Management Council:
3.1 Alongside the Incident Response Team, immediately review any security events
including any potential incident or breach.
3.2 Provide required reports on security events.
3.3 Escalate security events to MSDH leadership, Privacy Officer, Office of General
Counsel, and follow-up on suspected or actual violations/intrusions that affect the
confidentiality, integrity, and availability of MSDH’s enterprise information systems.
3.4 Assess potential breaches and respond accordingly.
3.5 Upon report of an incident, work with the MSDH and other parties as necessary to
gather and validate the facts.
3.6 Evaluate the facts surrounding an incident and weigh them to determine whether a
breach has occurred.
3.7 Follow security protocols for reporting the incident/breach to the appropriate
authorities, as necessary.
4 Typical Projects
4.1 Researching, investigating and evaluating incidents for potential breaches.
4.2 Performing risk assessments and reporting findings and corrective actions.
4.3 Reviewing and modifying security policies and procedures.
4.4 Performing regular security vulnerability scans on the MSDH enterprise.
4.5 Managing and updating the status of risk mitigations and remediations.
4.6 Reviewing and providing security subject matter expertise to MSDH’s third party
contracts and other deliverable documents to ensure that adequate security controls
are in place to protect MSDH’s data.
4.7 Managing all audits involving technology and security matters, including facilitating,
gathering and supplying documentation.
4.8 Monitoring and reporting activity logs including, firewall, email/web activity, security
software, server activity, change management, privileged accounts, remote access, etc.
5 Complexity of Work
5.1 Work requires competency with security issues and the ability to understand how
attackers gain access to multiple operating systems and different types of computer
hardware and software across multiple architectures (on-premises, hybrid, and
cloud-based).
5.2 Ability to use tools and diagnostics to evaluate the security threats to MSDH’s
network and IT infrastructure.
5.3 Typical Team Size:
5.3.1 The IT Security Officer will work collaboratively with the Chief of HDOR,
Privacy Officer, Information Security and Privacy Manager, OHIT Offices,
Data Governance Office, and other MSDH workforce members as
necessary to fulfill the requirements of this position.
About TCC
Founded in 1996 in Indianapolis, IN, The Consultants Consortium (TCC) is an innovative solutions provider committed to designing and delivering high-value, cost-effective IT consulting services and application technology solutions for both the private and public sectors. With a team of more than 250 IT and business professionals, TCC serves clients nationwide, from state and federal government agencies to commercial sector customers. TCC is committed to providing the most cutting-edge solutions and, with that, ensures its staff stay up to date on crucial certifications and affiliations, among them Microsoft Certifications.
At TCC, we know that having a strong company culture is paramount in sustaining the success and stability of the company, especially within the information technology industry. That’s why we place our focus on the people who make our success possible: our employees, partners and clients. We strive to create an environment that preserves and fosters growth while still promoting the DNA of our company.
Our core values:
• Building strong, reliable relationships with our employees, our partners and our clients
• Upholding integrity, honesty and respect
• Supporting our local community
• Encouraging continued education and development
Equal Opportunity Employer, including disabled and veterans.