The Chief Information Risk Officer (CIRO) reports to the Chief of Technology Services (CTS) and will be responsible for leading the Privacy and Security Office (PSO). The CIRO will directly manage PSO’s Information Risk Management area which includes the Privacy and Security Governance, Risk, and Compliance (GRC) of NC Department of Health and Human Services (DHHS). The CIRO will also provide oversight of PSO’s Information Security Management area led by the Chief Information Security Officer (CISO). This position oversees the development of various security framework and policies for DHHS and enforces compliance to Federal, State, DHHS and industry security policy and strategies. Provides GRC methodologies and frameworks for DHHS’ enterprise technologies. Oversees and administers security and risk determination programs and procedures for DHHS by providing direction to all entities.
These duties include:
Develops risk assessment processes based on NIST 800-53, HIPAA and IRS Publication 1075.
Oversees the development and review of DHHS policies, standards, guidelines, and procedures to ensure compliance with federal and state requirements.
Participate in the planning and implementation of privacy, security, and continuity of operations strategies.
Manages the review of third-party assessments including SOC 2 Type 2.
Manges the evaluation of contracts, agreements, and projects for security requirements.
Participate in system reviews/audits in accordance with Federal, State and Departmental (DHHS) regulations and policies.
Oversees the Privacy Threshold Analyses (PTA) and Vendor Readiness Assessment Reports (VRAR) process.
Responsible for the development of information security frameworks such as Cloud Security, Incident Response, and Insider Threat Programs.
Defines Privacy and Security governance process and establishes steering committee to facilitate business and IT leadership participation in key decisions and to improve stakeholder communication.
Identifies various improvement opportunities within Privacy and Security organization (PSO) and oversees execution.
Manage the CISO and provide oversight of the Information Security Management area.
About NC Department of Health and Human Services: The North Carolina Department of Health and Human Services (DHHS) serves the needs of the most vulnerable of North Carolinians and to accomplish this, we hire only the most dedicated and caring individuals. Finding qualified clinical professionals to treat and care for our clients is a continual challenge as demand for services grows and the availability of providers struggles to keep pace. We are seeking a motivated individual who is up for this challenge and is dedicated to our mission of providing North Carolinians with the very best in clinical care.
About the DHHS Information Technology Division: The DHHS Information Technology (IT) Division provides enterprise information technology leadership and solutions to the department and their partners so that they can leverage technology resulting in the delivery of consistent, cost effective, reliable, accessible, and secure services. The DHHS IT Division works with business units to help ensure the availability and integrity, and promotion of confidentiality of automated information systems to meet their business goals. DHHS IT Division’s primary information technology services are Application Management, Project Management, Privacy and Security, Financial Management, Health Information Technology, Infrastructure and Service Management.
Knowledge, Skills and Abilities / Competencies
To receive credit for all of your work history and credentials, you must list the information on the application form. Any information listed under the text resume section or on an attachment will not be considered for qualifying credit. Qualified applicants must document on the application that they possess all of the following:
Thorough knowledge of risk management in the areas of operations, technology, security, data strategy, and disaster recovery.
Expertise in IT security disciplines.
Demonstrated skills in strategic planning to create integrated risk strategies.
Ability to apply and enforce laws, regulations, and policies across all areas of risk.
Solid teamwork and interpersonal skills and the ability to communicate with customers, employees, and senior management.
Excellent oral/written communication and ability to present and discuss technical information in a way that establishes rapport, persuades others and gains understanding.
Demonstrated ability to create policies and/or programs across multiple agencies.
Ability to exercise independent judgment and creative problem-solving techniques in a highly complex environment using leading edge technology and/or diverse user systems.
Strong business planning, analytical and conceptual skills.
Ability to develop new system approaches, solve problems and seize opportunities for sustaining business success.
Exceptional project management skills, including the ability to effectively deploy resources and manage multiple projects of various diverse scope in cross-functional environment.
Minimum of 6 years’ experience in information security, policy writing and security assessments
Experience with North Carolina DHHS business and IT functions
Experience with cloud security in AWS and Azure
Experience with external and internal security assessments
Demonstrate a working knowledge of HIPAA, IRS and SSA regulatory requirements
Ability to work with others to create plans for accomplishing objectives and strategy that comply with professional standards
Ability to work with an expedited delivery schedule
Ability to motivate/encourage divisions’ resources to assist in maintaining a schedule
Self-starter capable of understanding the “big picture”
Enjoys accepting challenges and persists until goals are achieved
SANS Global Information Assurance Certifications (Or Similar – ex. Carnegie-Mellon CERT), Security Essentials Certification (GSEC), or Information System Security Certification Consortium (ISC2) Certified Information Systems Security Professional (CISSP)
Minimum Education and Experience Requirements
Some state job postings say you can qualify by an “equivalent combination of education and experience.” If that language appears below, then you may qualify through EITHER years of education OR years of directly related experience, OR a combination of both. See oshr.nc.gov/experience-guide for details.
Bachelor s degree in computer science or a related IT field, business administration, project management, or closely related degree from an appropriately accredited institution and seven years of progressive information technology experience including three years managerial experience OR Associate degree in computer science or a related IT field, business administration, project management, or closely related degree from an appropriately accredited institution and eight years of progressive information technology experience with three years of managerial experience OR An equivalent combination of education and experience.
About Dept. Health and Human Services - Information Technology Division
Interested Candidate will only be considered through applying directly on the North Carolina State Website: