CIVHC - Center for Improving Value in Health Care

Information Security Manager

Posted 12 Days Ago
Hybrid
Denver, CO
95K-115K Annually
Senior level
The Information Security Manager at CIVHC oversees information security policy development, vendor security assurance, and compliance with regulations, ensuring data integrity and privacy during cloud migrations and partnerships.
The summary above was generated by AI

About Us:

The Center for Improving Value in Health Care (CIVHC) is an independent non-profit that equips partners and communities in Colorado and across the nation with the resources, services and unbiased data needed to improve health and health care. As the designated administrator of Colorado’s All Payer Claims Database (CO APCD), CIVHC oversees the collection of health care claims from Colorado’s public and private health care insurers and uses that information to promote price transparency, inform policy, advance health equity, conduct research, and much more. We are objective, solution-oriented, and maintain the highest integrity in the work we do.

Job Summary:

The Information Security Manager leads the oversight and strategic direction of information security at CIVHC, with a focus on policy development, vendor security assurance, and regulatory compliance. This is not a hands-on systems administration or SOC (Security Operations Center) role.

The Information Security Manager serves as the internal point of accountability for ensuring that CIVHC’s data infrastructure, cloud migration initiatives, and vendor relationships meet the highest security and privacy standards. The Information Security Manager collaborates with the Finance, Compliance, Data Solutions, and Data Access and Impact departments to ensure the integrity, confidentiality, and availability of CO APCD information systems.

As the administrator of the Colorado All Payer Claims Database (CO APCD), CIVHC contracts with external vendors for data ingestion, storage, and analytics. This position supports oversight of those partnerships to ensure compliance with HIPAA, NIST, and other regulatory standards.

This position is especially critical for cloud migration, increased API use, and AI exploration, and plays a lead role in risk evaluation. The role also includes business-aligned responsibilities such as documentation of database architecture and governance planning, working closely with technical and compliance teams.

The Information Security Manager will integrate forward-thinking, community-centered innovation with scalable data services. The ideal candidate brings a strong commitment to equity, the ability to communicate complex information to diverse audiences, and a visionary mindset to leverage data for transformative health outcomes across Colorado and beyond.

Supervisory Responsibilities:

  • Direct oversight of the IT & Network Specialist. Future supervisory responsibility may expand with organizational growth.
  • Collaborate with the IT & Network Specialist to ensure that device management, internal network configurations, and endpoint protections align with the organization’s overall security and compliance framework.
  • Set priorities, approve technology purchases, and support professional development for the IT & Network Specialist in alignment with organizational goals.
  • Ensure proper documentation and incident handling for IT issues involving internal hardware, user access, and system configurations.
  • Integrate business-side IT practices into enterprise-wide risk management, business continuity planning, and security training initiatives.

Duties/Responsibilities/Essential Functions:

  • Develop information security policies, procedures, and documentation.
  • Ensure organizational policies are compliant with relevant security and privacy regulations (e.g., HIPAA, NIST, SOC 2, FISMA).
  • Support external partnerships on security matters, working closely with Legal & Compliance. In some cases, Legal & Compliance may lead, with the Information Security Manager providing technical input and documentation.
  • Evaluate and oversee vendor risk related to data handling, system architecture, and regulatory adherence.
  • Lead internal risk assessments, documentation, and architecture reviews related to cloud environments and APIs.
  • Oversee incident response planning and coordinate post-incident reporting and improvement.
  • Guide the documentation and improvement of database architecture.
  • Define and implement security and ethical guidelines for AI, automation, and emerging technology adoption.
  • Collaborate with technical staff and vendors to review and document security controls during infrastructure changes.
  • Partner with Legal & Compliance and executive leadership to interpret and operationalize applicable laws, regulations, and contractual obligations in a rapidly evolving healthcare, IT, and data landscape.
  • Develop training materials, best-practice guides, and onboarding resources for data and technology users.

Reasonable accommodations may be made to enable individuals with disabilities to perform these essential functions.

Required Skills/Abilities: 

  • Excellent communication and collaboration skills across technical and non-technical teams.
  • Strong understanding of security compliance frameworks: HIPAA, NIST, ISO 27001, SOC 2.
  • Experience conducting or overseeing security assessments, risk reviews, and audits.
  • Familiarity with cloud architecture documentation, vendor oversight, and system migration planning.
  • Experience reviewing and documenting data structures, schema, or database system architecture.
  • Familiarity with AI/ML governance, automation policy development, or responsible technology evaluation.

Education and Experience:

  • Minimum 7 years of experience in information security oversight, Information Technology risk management, or technology compliance.
  • Bachelor’s degree in Cybersecurity, Information Systems, Information Technology, IT Governance, or a related field; or a 7-year combination of education and/or progressive experience.
  • Experience with healthcare data environments or privacy-sensitive data ecosystems.
  • Prior involvement with cloud migration projects or multi-vendor data infrastructure preferred.
  • Knowledge of CMS Incidental Disclosure protocols preferred.
  • Experience working in public sector, nonprofit, or mission-driven organizations preferred.
  • Professional certifications (CISSP, CISM, CISA, CCSP) are strongly preferred but not required.

Physical Requirements: Primarily computer-based work with extended periods of sitting, typing, and concentration. May occasionally require light lifting of office materials.

  • Sitting for extended periods of time.
  • Using a computer and keyboard for typing and data entry.
  • Reaching and stretching to access files or equipment.
  • Lifting and carrying light objects such as papers or office supplies.
  • Walking short distances within the office environment.
  • Operating office equipment such as printers, copiers, and fax machines.
  • Occasionally bending or stooping to retrieve items from lower shelves or cabinets.
  • Maintaining good posture to prevent discomfort or strain.
  • Using a telephone or headset for communication.
  • Ability to focus and concentrate for prolonged periods.

Other duties:

Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change at any time with or without notice.

Position Timeline:

Our target is to fill this position by October 24, 2025. Application review will begin immediately and will continue on a rolling basis until the position is filled. We encourage interested candidates to apply as soon as possible for full consideration.

Compensation and Benefits:

The salary range for this position is $95,000 - $115,000 annually, based on relevant experience, education, and internal equity. CIVHC offers a comprehensive benefits package including medical, dental, and vision coverage; paid time off; life and disability insurance; and retirement plan contributions.

Equal Opportunity Employer:

CIVHC is proud to be an Equal Opportunity Employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. We do not discriminate on the basis of race, color, religion, sex, sexual orientation, gender identity, national origin, disability, age, or any other legally protected status.

Top Skills

AI
Cloud Architecture
Database Architecture
FISMA
HIPAA
NIST
SOC 2

HQ

CIVHC - Center for Improving Value in Health Care Denver, Colorado, USA Office

4500 Cherry Creek Drive South, Suite 350, Denver, CO, United States, 80246


What you need to know about the Colorado Tech Scene

With a business-friendly climate and research universities like CU Boulder and Colorado State, Colorado has made a name for itself as a startup ecosystem. The state boasts a skilled workforce and high quality of life thanks to its affordable housing, vibrant cultural scene and unparalleled opportunities for outdoor recreation. Colorado is also home to the National Renewable Energy Laboratory, helping cement its status as a hub for renewable energy innovation.

Key Facts About Colorado Tech

  • Number of Tech Workers: 260,000; 8.5% of overall workforce (2024 CompTIA survey)
  • Major Tech Employers: Lockheed Martin, Century Link, Comcast, BAE Systems, Level 3
  • Key Industries: Software, artificial intelligence, aerospace, e-commerce, fintech, healthtech
  • Funding Landscape: $4.9 billion in VC funding in 2024 (Pitchbook)
  • Notable Investors: Access Venture Partners, Ridgeline Ventures, Techstars, Blackhorn Ventures
  • Research Centers and Universities: Colorado School of Mines, University of Colorado Boulder, University of Denver, Colorado State University, Mesa Laboratory, Space Science Institute, National Center for Atmospheric Research, National Renewable Energy Laboratory, Gottlieb Institute
