About Us:
The Center for Improving Value in Health Care (CIVHC) is an independent non-profit that equips partners and communities in Colorado and across the nation with the resources, services and unbiased data needed to improve health and health care. As the designated administrator of Colorado’s All Payer Claims Database (CO APCD), CIVHC oversees the collection of health care claims from Colorado’s public and private health care insurers and uses that information to promote price transparency, inform policy, advance health equity, conduct research, and much more. We are objective, solution-oriented, and maintain the highest integrity in the work we do.
Job Summary:
The Information Systems Security Officer (ISSO) leads the development, implementation, and management of CIVHC’s information security strategy. Under the leadership of the Chief Technology Officer, the ISSO will play a critical role in maintaining compliance with industry and governmental cybersecurity standards while safeguarding sensitive data across CIVHC’s systems and networks. The ISSO collaborates with the Compliance, Data Solutions, and Data Access and Impact departments to ensure the integrity, confidentiality, and availability of CO APCD information systems.
As the administrator of Colorado’s All Payer Claims Database (CO APCD), CIVHC often contracts with technology and data management partners. This position is responsible for ensuring that CIVHC’s technology infrastructure, data policies, and data management contractors comply with the highest security standards in health data management.
The ISSO will be a leader in all security processes involving upgrades to the CO APCD data warehouse, including supporting IT vendor transitions as needed. The ISSO will guide the security architecture, monitor system performance, oversee data transfers, and manage incident response processes. The ideal candidate will bring hands-on technical expertise, proven leadership in innovation, and experience fostering a culture of security across an organization.
A successful candidate will be able to manage communications with multiple entities, provide robust recommendations on network security improvements drawing from real-world experience, and lead implementation of upgrades to all systems.
The ISSO will integrate forward-thinking, community-centered innovation with scalable data services. The ideal candidate brings a strong commitment to equity, the ability to communicate complex information to diverse audiences, and a visionary mindset to leverage data for transformative health outcomes across Colorado and beyond.
Supervisory Responsibilities:
- None
Duties/Responsibilities/Essential Functions:
- Develop information security policies, procedures, and documentation.
- Ensure organizational compliance with relevant security and privacy regulations (e.g., HIPAA, NIST, SOC 2, FISMA).
- Act as primary point of contact for external audits, assessments, and risk reviews.
- Oversee incident response planning and coordinate post-incident reporting and improvement.
- Lead enterprise-wide risk assessment and control mapping across IT systems and data practices.
- Coordinate with legal, compliance, and executive leadership to align technology decisions with organizational policies.
- Maintain the organization’s IT risk register and mitigation roadmap.
- Evaluate the security and compliance posture of third-party vendors, especially those handling sensitive data or infrastructure.
- Collaborate on contract development and review for technical requirements and risk controls.
- Monitor ongoing vendor compliance, including periodic reviews and audits.
- Guide the design and implementation of cloud-native solutions, ensuring strong security posture and performance.
- Define access controls, encryption strategies, and disaster recovery standards for cloud environments.
- Support the migration of legacy infrastructure to secure, efficient, cloud-based platforms.
- Develop internal standards for API development, documentation, and security.
- Oversee authentication, authorization, rate-limiting, and data privacy protocols across integrated services.
- Collaborate with product owners and data teams to securely scale system integrations.
- Assess the security, compliance, and ethical considerations of AI/ML tools proposed for organizational use.
- Develop internal policies for responsible AI use, including bias mitigation and data usage boundaries.
- Monitor the adoption of automation and AI tools to ensure alignment with mission and security standards.
- Co-lead development of data classification standards, stewardship models, and access controls.
- Partner with operations and analytics teams to ensure secure, well-documented use of data assets.
- Implement best practices around data lifecycle management, archival, and secure deletion.
- Lead organization-wide training initiatives related to cybersecurity awareness and data responsibility.
- Develop onboarding materials, user guidance, and just-in-time learning tools for technology users.
- Serve as a trusted resource for teams exploring new and innovative technology solutions, helping to evaluate risks and opportunities.
Reasonable accommodations may be made to enable individuals with disabilities to perform these essential functions.
Required Skills/Abilities:
- Excellent communication and collaboration skills across technical and non-technical teams.
- Strong understanding of security compliance frameworks: HIPAA, NIST, ISO 27001, SOC 2, or similar.
- Development and implementation of technology policies, procedures, and incident response plans.
- Familiarity with AI/ML governance, ethical AI standards, or data science environments.
- Management of cloud-based infrastructure (AWS, Azure, GCP) and vendor risk programs.
- Ability to balance security with usability and innovation in complex environments.
- Leadership of enterprise cloud migrations or API-centric platform development.
Education and Experience:
- Minimum 7 years of experience in information security, IT governance, technology risk, or a related leadership role.
- Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, Information Systems, or a related field; or a 7-year combination of education and/or progressive experience.
- Experience with healthcare data environments or privacy-sensitive data ecosystems.
- Knowledge of CMS Incidental Disclosure protocols preferred.
- Experience working in public sector, nonprofit, or mission-driven organizations preferred.
- Professional certifications: CISSP, CISM, CISA, CCSP, or equivalent credentials preferred.
Physical Requirements:
- Sitting for extended periods of time.
- Using a computer and keyboard for typing and data entry.
- Reaching and stretching to access files or equipment.
- Lifting and carrying light objects such as papers or office supplies.
- Walking short distances within the office environment.
- Operating office equipment such as printers, copiers, and fax machines.
- Occasionally bending or stooping to retrieve items from lower shelves or cabinets.
- Maintaining good posture to prevent discomfort or strain.
- Using a telephone or headset for communication.
- Ability to focus and concentrate for prolonged periods.
Other duties:
Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change at any time with or without notice.
Position Timeline:
Our target is to fill this position by July 31, 2025. Application review will begin immediately and will continue on a rolling basis until the position is filled. We encourage interested candidates to apply as soon as possible for full consideration.
Compensation and Benefits:
The salary range for this position is $110,000 - $120,000 annually, based on relevant experience, education, and internal equity. CIVHC offers a comprehensive benefits package including medical, dental, and vision coverage; paid time off; life and disability insurance; and retirement plan contributions.
Equal Opportunity Employer:
CIVHC is proud to be an Equal Opportunity Employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. We do not discriminate on the basis of race, color, religion, sex, sexual orientation, gender identity, national origin, disability, age, or any other legally protected status.
CIVHC - Center for Improving Value in Health Care Denver, Colorado, USA Office
4500 Cherry Creek Drive South, Suite 350, Denver, CO, United States, 80246