Manager, Identity Access Management and Governance

Shift: Day
Schedule: Full-Time Regular

Ardent Health Services invests in people, technology, facilities and communities, producing high-quality care and extraordinary results. Based in Nashville, Tennessee, Ardent’s subsidiaries own and operate 30 hospitals in six states with more than 25,000 employees including 1,150 employed providers. Ardent facilities exceed national averages in Overall Hospital Quality Star Rating as ranked by the Centers for Medicare & Medicaid Services; 89 percent of its hospitals received a three-star rating or above in comparison with 73 percent of all hospitals ranked. Twelve of the company's hospitals were recognized by Modern Healthcare as "Best Places to Work" in 2019 – the twelfth consecutive year an Ardent facility made this list. Ardent's corporate office was named "Top Work Places" for Nashville-based companies in 2017, 2018 and 2019.

We have an exciting opportunity to join our Information Security team as Manager, Identity Access Management and Governance.

The Manager, Identity Access Management and Governance role is responsible for providing leadership in the areas of Identity and Access Management with special emphasis on Identity Governance and Administration as well as Privileged Access Management. This role helps safeguard the Ardent Health Services brand by promoting, implementing and supporting controls to manage risks associated with identity. Through collaboration with other IT and company stakeholder leaders, this role will help ensure our Identity Access and Provisioning posture is strong, proactive and aligns with our current and future business objectives.

This role is responsible for assisting in the design and support of the AHS enterprise-wide identity, access management and governance strategy that meets the needs of our current and future acquired operational locations. This role is responsible for providing expert advice and effective oversight of information security and technology risk activities to identify, assess, control, and manage identity and access risks throughout Ardent Health Services. This role is charged with overseeing identity risk aggregation, correlation of risk, and reporting in support of enterprise-wide objectives.

This role will directly supervise multiple Identity Access Management and Governance Engineers and Analysts responsible for meeting defined SLAs for timely provisioning, change and deprovisioning of access across all Information Technology systems at AHS, to meet both regulatory and contractual obligations.

PRIMARY DUTIES AND RESPONSIBILITIES

  • Serves as an internal information security consultant to the enterprise while balancing the needs of the day-to-day business.
  • Research and recommend solutions that meet security standards while ensuring functionality for business continuity.
  • Leads enterprise-wide definition, establishment, and maintenance of data security-related infrastructure, applications, and processes.
  • Lead a team of identity access management engineers and analysts through any project.
  • Mentor identity access management engineers and analysts in their professional growth.
  • Develop security test scenarios for unit, process, function, integration, and acceptance testing.
  • Design and develop integration schema and linkage for multi-platform business and technological solutions.
  • Evaluates the security of new technologies and assists with the plan to integrate them into the company environment.
  • Develop disaster recovery and contingency plans for Information Security projects and participate in DR planning for other projects.
  • Recommend best practices for security controls without hindering functionality.
  • Define the minimum access and identity configuration standards for all IT systems.
  • Evaluates new and proposed security systems and technologies.
  • Reviews, develops, tests, and implements security plans, products, and control techniques.
  • Translates security standards regarding identity access and governance to project teams.
  • Develops guidelines for the usage, control, maintenance, and auditability of information and computer resources.

QUALIFICATIONS

Education and Experience

  • BS/BA degree and specialized information security technical training required. An advanced degree is a plus.
  • A reputable security certification (CISSP, CISSP w/specialization HCISPP, GIAC, CISA, etc.) is required.
  • A minimum of 6 years of progressive Information Security experience.
  • Previous team lead or management experience is required.
  • Identity Access Management experience is required.
  • Identity Governance experience is a plus.
  • Experience in security architecture design is a plus.
  • Working knowledge of Epic EHR and Lawson ERP is a plus.
  • Working knowledge of IAM platforms (Imprivata, SailPoint, MIM) is a plus.
  • In-depth knowledge of information security industry and regulatory obligations (Sarbanes-Oxley (SOX), HIPAA, GLBA, PCI DSS, HITRUST, NIST Framework, etc.).
  • Working knowledge of Microsoft Active Directory.
  • Ability to analyze all layers of the OSI model from the security stance.
  • Prepare and present plans/designs to IT and business leaders.
  • Advocate the integration of solutions into the enterprise directory structure.
  • In-depth knowledge of networking technologies and architecture.
  • Prioritize tasks effectively to meet project deadlines and deliverables.
  • ITIL familiarization - managing incidents, requests, and changes. Experience is a plus.
  • Excellent problem-solving ability.
  • High degree of self-motivation.
  • Competent using the Microsoft Office suite of products.

Additional Knowledge, Skills and Attributes (Underlying skills and abilities that enable the execution of duties and responsibilities)

Knowledge of:

  • Federal and state laws regarding security and privacy of electronic information assets, within the context of the healthcare industry is highly preferred (e.g., HIPAA, Sarbanes-Oxley, etc.);
  • Industry security standards (e.g., NIST), with healthcare industry standards such as CMS, JCAHO, etc. is required;
  • Platform independent information security policy and standards;
  • E-commerce/e-business security related strategies, policies, and standards;
  • Enterprise security awareness program practices that incrementally create organizational security awareness and education;
  • Compliance programs to help ensure conformity with established enterprise security policies, practices, and standards;
  • Risk assessment processes for the protection of electronic information assets; and
  • Large scale Wide Area Network and multiple platform environments with both decentralized and centralized focuses.

Skills including:

  • Superior analytical skills to identify high-risk security breach opportunities with the ability to develop solutions to prevent, correct, detect, or mitigate security risks via people, processes and technology;
  • Ability to relate business requirements and risks to technology implementation for security-related activities;
  • Ability to collaborate with IT&S and business area professionals to identify/recommend applicable security practices/controls rather than dictating security methods;
  • Ability to balance the seriousness of protecting electronic information assets with the need to enable users to effectively and efficiently use systems to perform job responsibilities, while continuing to emphasize quality patient care;
  • Strong customer service focus and ability to manage client (e.g., facility) expectations;
  • Solid project management and collaboration skills, especially in a cross-functional dynamic team environment;
  • Excellent oral and written communication skills with the ability to present and discuss technical information in a manner that establishes rapport, persuades others, and allows the individual to increase understanding of subject matter;
  • Working both independently and with key stakeholders to develop security policy and standards; and
  • Taking initiatives toward personal development such as maintaining skills and obtaining professional certifications (e.g., Information Systems Security Association, Certified Information Systems Security Professional, etc.).

Other Factors

  • Must be willing to travel occasionally.
  • Must be willing to respond to information security issues surrounding identity access and governance 24x7.