Academic Medical Center and Associated Hospital

Information Security Officer

General Purpose:

The Organization ABC Information Security Officer serves as the process owner for all ongoing activities that serve to provide appropriate access to and protect the confidentiality and integrity of patient, provider, employee, student and other business information in compliance with law, regulations, policies and standards in Organization ABC. The Organization ABC ISO is responsible for managing and supervising the execution and use of security measures to protect data and for managing and supervising the conduct of personnel in relation to the protection of data. This responsibility is carried out by working with the other members of the Organization ABC Information Security Leadership structure and appropriate offices and committees to foster the developmental and operational elements needed to assure appropriate information security throughout Organization ABC.

Responsibilities:

Work closely with the Organization ABC Information Privacy Officer to ensure that the information security environment supports the privacy policies.

Work with closely related enterprises, especially the PDC and the Schools of Medicine and Nursing, to ensure that the information security environment is well coordinated.

Establish and maintain a set of Organization ABC Information Security Directors for Organization ABC and work through them to effect appropriate security measures for the entity. The responsibilities for these managers are to include the core Organization ABC Information Security Manager responsibilities and any entity-specific responsibilities related to security.

Serve as an internal information security consultant to Organization ABC.

Establish and maintain a system that fosters appropriate, demonstrable, and coordinated security policies, procedures, and practices that are compliant with related law, regulation, policy and professional standards.

Establish and maintain a system that fosters appropriate training and awareness related to information security, chiefly by using the typical units and means used for training the workforce in Organization ABC.

Establish and maintain a system that fosters the routine use of risk assessments and risk management planning related to the information security features of systems, networks, and related administrative activities.

Establish and maintain a system that fosters review and monitoring of assessments, plans, implementations, operations, and usage related to information security throughout Organization ABC.

Establish and maintain a system that fosters appropriate and effective disaster recovery and contingency plans for information systems in Organization ABC. 

Serve as the HIPAA Security Officer as required in the HIPAA Security Regulations.

Co-chair the Organization ABC Information Security and Privacy Evaluation and Monitoring Committee.

Report periodically to the Organization ABC Executive Management Committee on Organization ABC’s status with regard to information security.

Produce periodic reports for the Audit and Compliance Committee of the Board of Directors as to the status of information security in Organization ABC.

Periodically provide the administrative managers of the Organization ABC Security Directors with a report on the performance of these directors in their security role that is suitable for usage in an employee performance evaluation.



Information Security Director

General Purpose:

The Information Security Director for an Organization ABC entity serves as the process owner for all ongoing activities that serve to provide appropriate access to and protect the confidentiality and integrity of patient, provider, employee, student and other business information in compliance with law, regulations, policies and standards in that Organization ABC entity. In this role, the Director’s functional reporting relationship is to the Organization ABC Information Security Officer. The Director is responsible for managing and supervising the execution and use of security measures to protect data and for managing and supervising the conduct of personnel in relation to the protection of data in the Organization ABC entity. This responsibility is carried out by working with the other members of the Organization ABC Information Security Leadership structure and appropriate offices and committees to foster the developmental and operational elements needed to assure appropriate information security throughout the Organization ABC entity.

Core Responsibilities:

Maintain a functional reporting relationship with the Organization ABC Information Security Officer.

Work closely with the entity’s Information Privacy Director to ensure that the information security environment supports the privacy policies.

Work closely with related enterprises to ensure that the information security environment is well coordinated.

Establish and maintain a set of Organization ABC Information Security Managers for the entity and work through them to effect appropriate security measures for the entity.  The responsibilities for these managers are to include the core Organization ABC Information Security Manager responsibilities and any entity-specific responsibilities related to security.

Serve as an internal information security consultant to the entity.

Establish and maintain a system that fosters appropriate, demonstrable, and coordinated security policies, procedures, and practices that are compliant with related law, regulation, policy and professional standards. This system is to be based on the Organization ABC guidelines in this area as provided by the Organization ABC ISO.

Establish and maintain a system that fosters appropriate training and awareness related to information security, chiefly by using the typical units and means used for training the workforce in Organization ABC. This system is to be based on the Organization ABC guidelines in this area as provided by the Organization ABC ISO.

Establish and maintain a system that fosters the routine use of risk assessments and risk management planning related to the information security features of systems, networks, and related administrative activities. This system is to be based on the Organization ABC guidelines in this area as provided by the Organization ABC ISO.

Establish and maintain a system that fosters review and monitoring of assessments, plans, implementations, operations, and usage related to information security throughout Organization ABC. This system is to be based on the Organization ABC guidelines in this area as provided by the Organization ABC ISO.

Establish and maintain a system that fosters appropriate and effective disaster recovery and contingency plans for information systems in Organization ABC. This system is to be based on the Organization ABC guidelines in this area as provided by the Organization ABC ISO.

Report periodically to the Organization ABC Information Security Officer on the entity status with regard to information security.

Report periodically to the appropriate entity managers and committees with oversight of compliance in the security area.

Periodically provide the administrative managers of the Organization ABC Information Security Managers with a report on the performance of these managers in their security role that is suitable for usage in an employee performance evaluation.



Information Security Manager

General Purpose:

The Information Security Manager serves as the process owner for all ongoing activities that serve to provide appropriate access to and protect the confidentiality and integrity of patient, provider, employee, student and other business information in compliance with law, regulations, policies and standards in an area of an Organization ABC entity, typically a department. In this role, the manager’s functional reporting relationship is to the Information Security Director for the entity. The manager is responsible for managing and supervising the execution and use of security measures to protect data and for managing and supervising the conduct of personnel in relation to the protection of data in the assigned area. This responsibility is carried out by working with the other members of the Organization ABC Information Security Leadership Structure and appropriate offices and committees to foster the developmental and operational elements needed to assure appropriate information security throughout the assigned area.

Core Responsibilities:

Maintain a functional reporting relationship with the Organization ABC Information Security Director for the entity.

Work closely with the entity’s Information Privacy Manager in the same area to ensure that the information security environment supports the privacy policies.

Work closely with related areas in the entity and outside the entity to ensure that the information security environment is well coordinated.

Establish and maintain a set of Organization ABC Information Security System Administrators for the area and work through them to effect appropriate security measures for the entity.  The responsibilities for these system administrators are to include the core Organization ABC Information Security System Administrator responsibilities and any area-specific responsibilities related to security.

Serve as an internal information security consultant to the area.

Maintain a system that fosters appropriate, demonstrable, and coordinated security procedures and practices that are compliant with related law, regulation, policy and professional standards. This system is to be based on the Organization ABC guidelines in this area as provided by the Organization ABC ISO and the guidance of the entity’s Information Security Director.

Maintain a system that fosters appropriate training and awareness related to information security, chiefly by using the typical units and means used for training the workforce in Organization ABC. This system is to be based on the Organization ABC guidelines in this area as provided by the Organization ABC ISO and the guidance of the entity’s Information Security Director.

Maintain a system that fosters the routine use of risk assessments and risk management planning related to the information security features of systems, networks, and related administrative activities.  This system is to be based on the Organization ABC guidelines in this area as provided by the Organization ABC ISO and the guidance of the entity’s Information Security Director.

Maintain a system that fosters review and monitoring of assessments, plans, implementations, operations, and usage related to information security throughout Organization ABC. This system is to be based on the Organization ABC guidelines in this area as provided by the Organization ABC ISO and the guidance of the entity’s Information Security Director.

Maintain a system that fosters appropriate and effective disaster recovery and contingency plans for information systems in Organization ABC.  This system is to be based on the Organization ABC guidelines in this area as provided by the Organization ABC ISO and the guidance of the entity’s Information Security Director.

Report periodically to the Organization ABC Information Security Director of the entity on the area’s status with regard to information security.

Report periodically to the appropriate entity managers and committees with oversight of compliance in the security area as required by the entity’s Information Security Director.

Periodically provide the administrative managers of the Organization ABC Information Security System Administrators with a report on the performance of these system administrators in their security role that is suitable for usage in an employee performance evaluation. 



Information Security System Administrator

General Purpose:

The Information Security System Administrator serves as the process owner for all ongoing activities that serve to provide appropriate access to and protect the confidentiality and integrity of patient, provider, employee, student and other business information in compliance with law, regulations, policies and standards for one or more assigned systems. In this role, the system administrator’s functional reporting relationship is to the Information Security Manager for the related area. The system administrator is responsible for managing and supervising the execution and use of security measures to protect data related to the assigned systems. This responsibility is carried out by providing technical management of the relevant systems, working with the Information Security Manager to whom the system administrator has a functional reporting relationship, working with other members of the Organization ABC Information Security Leadership Structure and working with others as needed.


Core Responsibilities:

Maintain a functional reporting relationship with the Organization ABC Information Security Manager for the area (e.g. department).

Work closely with other system administrators to ensure that the information security environment is well coordinated.

Serve as an internal information security consultant related to the assigned systems.

Operate the assigned systems in a way that provides appropriate, demonstrable, and coordinated security procedures and practices that are compliant with related law, regulation, policy and professional standards. The operations are to be based on the Organization ABC guidelines in this area as provided by the Organization ABC ISO and the guidance of the relevant Information Security Manager.

Maintain awareness related to information security among the workforce members.

Participate in risk assessments and risk management planning related to the information security features of systems, networks, and related administrative activities.

Participate in the review and monitoring of assessments, plans, implementations, operations, and usage related to information security throughout Organization ABC.

Participate in disaster recovery and contingency planning and testing for information systems in Organization ABC.

Report periodically to the Organization ABC Information Security Manager for the area on the systems’ status with regard to information security.



Privacy Officer

General Purpose:

The Organization ABC Privacy Officer oversees all ongoing activities related to the development, implementation and maintenance of Organization ABC’s information privacy practices. This includes adherence to Organization ABC’s policies and procedures covering the privacy of and access to patient, provider, employee, student and other business information in compliance with laws, regulations and Organization ABC’s information privacy practices.

Responsibilities:

Works closely with the Organization ABC Information Security Officer to ensure that the information security environment supports the privacy policies.

Serves as the Privacy Officer as required in the HIPAA Privacy Regulations.

Co-chairs the Organization ABC Information Security and Privacy Evaluation and Monitoring Committee.

Reports periodically to the Organization ABC Executive Management Committee on Organization ABC’s status with regard to information privacy.

Provides development guidance and assists in the identification, implementation and maintenance of Organization ABC’s information privacy policies and procedures in coordination with management and legal counsel.

Supervises periodic information privacy risk assessments and conducts related ongoing compliance monitoring activities in coordination with Organization ABC’s other compliance and operational assessment functions.

Establishes and maintains a system that fosters appropriate training and awareness related to information privacy, chiefly by using the typical units and means used for training the workforce in Organization ABC.

Assesses effectiveness of privacy policies and procedures in practice while recommending improvement opportunities.

Serves as information privacy consultant to Organization ABC.

Produces periodic reports to the Audit & Compliance Committee of the Board of Directors as to the status of information privacy in Organization ABC.

Periodically provides the administrative managers of the Organization ABC Privacy Directors with reports on the performance of these directors in their privacy roles that are suitable for usage in employee performance evaluations.



Privacy Director

General Purpose:

The Privacy Director (Director) for an Organization ABC entity oversees all ongoing activities related to the development, implementation and maintenance of the individual entity’s information privacy practices. This includes adherence to the entity’s policies and procedures covering the privacy of and access to patient, provider, employee, student and other business information in compliance with laws, regulations and the entity’s information privacy practices. In this role, the Director’s functional reporting relationship is to the Organization ABC Privacy Officer. The Director works with the other members of the Organization ABC Privacy Leadership structure and appropriate offices and committees to foster the developmental and operational elements needed to ensure appropriate information privacy throughout the Organization ABC entity.

Responsibilities:

Serves as a member of the Organization ABC Information Security and Privacy Evaluation and Monitoring Committee.

Reports periodically to the Organization ABC Privacy Officer on the entity’s status with regard to information privacy.

Provides development guidance and assists in the identification, implementation and maintenance of the entity’s information privacy policies and procedures in coordination with management, the Privacy Officer and legal counsel.

Supervises periodic information privacy risk assessments and conducts related ongoing compliance monitoring activities in coordination with the entity’s other compliance and operational assessment functions.

Establishes and maintains a system that fosters appropriate training and awareness related to information privacy, chiefly by using the typical units and means used for training the workforce in the entity.

Assesses effectiveness of privacy policies and procedures in practice while recommending improvement opportunities.

Serves as information privacy consultant to the entity.



Privacy Manager

General Purpose:

The Privacy Manager (Manager) for an Organization ABC entity serves as the process owner for all ongoing activities related to the development, implementation and maintenance of the individual entity’s information privacy practices. This includes adherence to the entity’s policies and procedures covering the privacy of and access to patient, provider, employee, student and other business information in compliance with laws, regulations and the entity’s information privacy practices. In this role, the Manager’s functional reporting relationship is to the Privacy Director for the entity. The Manager works with the other members of the Organization ABC Privacy Leadership structure and appropriate offices and committees to foster the developmental and operational elements needed to ensure appropriate information privacy throughout the assigned area.

Responsibilities:

Reports periodically to the Organization ABC Privacy Director on the entity’s status with regard to information privacy.

Provides development guidance and assists in the identification, implementation and maintenance of the entity’s information privacy policies and procedures in coordination with management, the Privacy Director and other appropriate personnel.

Provides periodic information privacy risk assessments and conducts related ongoing compliance monitoring activities in coordination with the entity’s other compliance and operational assessment functions.

Establishes and maintains a system that fosters appropriate training and awareness related to information privacy, chiefly by using the typical units and means used for training the workforce in the entity.

Assesses effectiveness of privacy policies and procedures in practice while recommending improvement opportunities.

Serves as information privacy consultant to the entity.

Copyright 2008 North Carolina Healthcare Information and Communications Alliance, Inc.