Information System Security Officer (ISSO)

Role Overview

The Information System Security Officer (ISSO) is responsible for overseeing the effective management of security controls for information systems from inception through disposal. The ISSO ensures that operational, technical, and management controls are in place and functioning effectively to protect the confidentiality, integrity, and availability of information systems and the data they process, store, and transmit.

At Millin, the CTO serves as ISSO. The Virtual Chief Information Security Officer (VCISO) provides independent security oversight and review of ISSO activities to ensure separation of duties.

Key Responsibilities

Security Program Oversight

• Develop, implement, and maintain the organization's information security program in alignment with NIST 800-53, HIPAA, and OHIP requirements.
• Ensure all security controls are documented, tested, and operating effectively.
• Maintain the System Security Plan (SSP) and ensure it accurately reflects the current security posture.
• Coordinate with the VCISO for independent review and validation of security activities.

Policy and Procedure Management

• Develop and document security policies and standard operating procedures (SOPs) aligned with applicable control frameworks.
• Review and update policies and procedures annually and upon significant changes to the regulatory environment, technology, or threat landscape.
• Disseminate policies and procedures to applicable personnel and ensure acknowledgment.

Security Awareness and Training

• Oversee the security awareness and training program for all personnel with access to systems that process, store, or transmit protected information.
• Ensure onboarding, annual, and role-based training requirements are met and documented.
• Coordinate with Human Resources on training record retention and compliance monitoring.

Risk Management and Assessment

• Conduct and coordinate risk assessments to identify threats, vulnerabilities, and impacts to information systems.
• Develop and maintain the Plan of Action and Milestones (POA&M) for remediation of identified findings.
• Evaluate security controls of IT Service Providers (ITSPs) and Cloud Service Providers (CSPs) through review of independent audit reports.

Incident Response

• Lead the SecOps team in coordinating and executing incident response protocols.
• Ensure timely identification, reporting, and resolution of security incidents.
• Maintain incident response documentation and conduct post-incident reviews.

Audit and Compliance

• Serve as the primary point of contact for external auditors and regulatory bodies.
• Coordinate evidence collection and responses for compliance audits (OHIP, HIPAA, SOC 2).
• Monitor and report on the organization's overall security and compliance posture to leadership.

Qualifications

• Demonstrated experience in information security management, particularly in healthcare or regulated environments.
• Deep understanding of NIST 800-53, HIPAA Security Rule, and state-level compliance frameworks (e.g., OHIP).
• Experience with cloud security in Azure environments.
• Strong understanding of system architecture, access controls, incident response, and contingency planning.
• Relevant certifications preferred (CISSP, CISM, CISA, or equivalent).

Key Competencies

• Security Leadership: Ability to lead security initiatives and coordinate across technical and operational teams.
• Regulatory Knowledge: Thorough understanding of applicable laws, regulations, and compliance requirements.
• Risk Assessment: Proficiency in identifying, evaluating, and mitigating information security risks.
• Communication: Ability to articulate security requirements and risks to both technical and non-technical stakeholders.
• Attention to Detail: Rigor in maintaining documentation, audit trails, and compliance evidence.