Page 1: Chief Information Security Officer - Auckland Health Jobs ·  · 2016-11-28Chief Information Security Officer ... Chief Information Security Officer Reporting to: Chief Information

080713; Template Manager of Managers 1

Chief Information Security Officer

healthAlliance Purpose, Vision and Principles

Purpose Statement

healthAlliance provides shared services to benefit NZ health organisations. We will deliver increasing value to our customers through:

Lower cost

Standardised systems and processes

Reduced variation and rework

Quality and innovation

Vision

To deliver outstanding shared services that enable healthcare excellence for the Northern Region’s population.

Principles

Partnership

Developing lasting partnerships through collaboration, working to a common goal, facilitating joint solutions within our means, recognising and celebrating success, and open communication to share knowledge and information.

Respect for people

We respect others by: developing trust by being open and honest; listening to and understanding others' views; valuing everyone's contribution; celebrating diversity; and having fun and enjoying what we do as a team.

Integrity

We show integrity by: leading by example; being open, fair, honest and transparent in everything we do; having the courage to speak up and challenge when things don't seem right; acting ethically and professionally at all times; and taking a "can do, will deliver" approach to our promises, obligations and commitments.

Delivering Results

We deliver results by: delivering exceptional results through high-performance teams; enhancing the customer experience; continually improving and adding value; being action orientated, responsible and accountable; and providing consistent and reliable services.

Energised by Innovation

We are energised by innovation when we: encourage forward-thinking ideas and challenge the status quo; measure our performance and see it as an opportunity to learn and grow; create positive change by developing smarter ways to work; and empower people to maximise their potential.

Our principles define the expected behaviour of all staff and guide us on the behaviours that are important to us as an organisation. They underpin the way we do things at healthAlliance, defining how we strive to move towards our vision.


This position description provides an indicative outline of the purpose and key responsibilities and tasks of the role.

Title and Reporting Relationships

Position title: Chief Information Security Officer

Reporting to: Chief Information Officer

Location: Auckland

Purpose of the Role

The CISO is responsible for establishing and maintaining a healthAlliance wide information security management programme to ensure that information assets are adequately protected. This position is responsible for identifying, evaluating and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the healthAlliance. This requires a visionary leader with sound knowledge of business management and a deep knowledge of information security technologies. The CISO will proactively work with business units to implement practices that meet defined policies and standards for information security. The role will also oversee a variety of IT-related risk management activities.

The CISO serves as the process owner of all assurance activities related to the availability, integrity and confidentiality of customer, business partner, employee and business information in compliance with the healthAlliance’s information security policies. A key element of the CISO's role is working with executive management to determine acceptable levels of risk for the healthAlliance. The CISO must be highly knowledgeable about the business environment and ensure that information systems are maintained in a fully functional, secure mode.

Once established, the CISO will also be available to support customer information security activities and will represent healthAlliance on any appropriate regional advisory/working groups, including the regional security forum.

Personnel Dimensions (Employees reporting to this position directly and indirectly)

Number of Staff: Direct: 1 Through subordinates: 0 Total: 1

Key Relationships

People and organisations both inside and outside of the company that this position would be required to manage relationships with.

Internal Stakeholders

hA IS Management Team

Other hA IS Project, Service Delivery, Applications and Infrastructure Teams

Other hA IS Teams that require IS support and assistance

External Stakeholders

Service Users and Customer User Groups

DHB stakeholder representatives including Clinical Directors/Advisors of IS, Health Information Managers, IM Consultants, etc.

DHB embedded Functional Support, IS and Information Management Staff

Other Health Providers and Agencies such as Primary Care Providers, HBL and MoH

Suppliers & Contracted Personnel


Position in Organisation

Key Responsibilities and Tasks

Develop, implement and monitor a strategic, comprehensive enterprise information security programme to ensure the integrity, confidentiality and availability of information that is owned, controlled or processed by the organisation.

Manage directly and indirectly the enterprise's information security organisation, consisting of direct reports and indirect reports (such as individuals in business continuity and IT operations). This includes hiring, training, staff development, performance management and annual performance reviews.

Facilitate information security governance through a governance programme, including creation (where necessary) of, and participation in, various committees and/or advisory boards.

Develop, maintain and publish up-to-date information security policies, standards and guidelines. Oversee the approval, training and dissemination of security policies and practices.

Develop and manage information security budgets, and monitor them for variances.

Create a "Culture of Security" through the creation, delivery and management of information security and risk management awareness training programmes and communications programmes for all employees, contractors and approved system users.

Ensure policies, processes and practices are developed and implemented to enhance the security of customer and patient management information.

Ensure information security risks are effectively managed and monitored.

Work in coordination with Legal, Compliance, Privacy groups and Audit on various inter-related initiatives including information ownership, classification, accountability and protection.

Serve as a resource and provide expert counsel on security matters.

Develop and enhance an information security management framework.

Liaise with the enterprise architecture team to ensure alignment between the security and enterprise architectures, thus coordinating the strategic planning implicit in these architectures.

Create and manage a unified and flexible control framework to integrate and normalise the wide variety of ever-changing requirements resulting from global laws, standards and regulations.

Ensure that security programmes are in compliance with relevant laws, regulations and policies to minimise or eliminate risk and audit findings.

Liaise among the information security team and corporate compliance, audit, legal and HR management teams as required.

Manage security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the company's reputation.

Monitor the external threat environment for emerging threats, and advise relevant stakeholders.

Expected Outcomes

Enterprise information security programme developed.

Security governance programme implemented.

Up-to-date information security policies, standards and guidelines developed, maintained and published.

Security culture created.

Budgets managed and maintained within set boundaries.

Information security management framework implemented.

Alignment between the security and enterprise architectures.

Security programmes are in compliance with relevant laws, regulations and policies.

Security incidents and events are managed to protect corporate IT assets.

Relationship Management

Facilitate cyber security and business alignment and communication through a cyber-security steering committee or advisory board.

Coordinate the use of external cyber security resources to ensure that a consistent approach is applied across the agency.

Develop and maintain effective relationships with customers, colleagues, suppliers and other stakeholders to foster and encourage collaboration.

Build effective client relationships by understanding their business models and by identifying their business drivers and key performance indicators (KPIs).

Create and manage a seamless, flawless and valuable end user experience.

Drive collaboration through governance by bringing the right stakeholders into the decision-making process.

Expected Outcomes

hA and DHB staff support, contribute to, and realise demonstrable value in being part of a security steering group.

Customer and stakeholder expectations are managed in line with the organisation's capability to deliver.

Positive feedback from customers, stakeholders and colleagues recognising effectiveness and contribution.

This role and the customers it engages with understand each other's objectives and pro-actively seek each other's advice through regular and effective engagement.

Regular contact is maintained with all clients, including visits to client sites as necessary.

Divisional Support

Engage with the other members of hA Senior Management to integrate end-to-end service delivery.

Actively support members of the hA IS leadership team to achieve the collective set of objectives.

Contribute to general planning, management and reporting activities.

Attend and report at leadership team meetings as required.

Provide input to strategic planning activities.

Expected Outcomes

The hA IS team is coherent and achieves its goals as a team. This is also apparent in the way our teams collaborate to achieve end-to-end service excellence.

hA IS contribution to hA planning and reporting activities is outstanding.

Divisional operational information is shared.

Financial Management

Manage financial performance in line with relevant budgets and targets and in accordance with organisational policies and processes.

Support the CIO and IT Leadership Team with business analysis and advice.

Provide input to the annual divisional budget planning process.

Identify areas and opportunities to drive efficiency, cost savings and support continued growth.

Expected Outcomes

Operational expenditure and capital expenditure are managed to budget.

Annual plans are in place and are managed within agreed parameters and organisational policies.

Benefits and savings targets are met or exceeded.

Active measurement, monitoring and improvement of financial performance.

Budgets are prepared within the agreed time frame and are regularly reviewed and recast as agreed.

Analysis reports are timely and provide information and options to address issues and challenges.


Professional Development

Accept responsibility for own professional development.

Annually agree a professional development plan with your Manager.

Liaise with all customers (internal and external) as required in a helpful and polite manner.

Expected Outcomes

Development and training plans are in place.

Knowledge is shared among team members.

A spirit of co-operation with other work areas/departments is maintained.

Risk Management

Manage all business risks and mitigation plans assigned to you and maintain accurate and up-to-date risk registers.

Pro-actively seek opportunities to align strategy, risks and controls to optimise business performance.

Adhere to the company's risk appetite and business risk management policies.

Assist the Executive Team to identify, evaluate, mitigate, monitor, manage and report all significant risks and internal control weaknesses in a timely, accurate and consistent manner.

Create and embed a culture of strong ethical behaviour, quality and continuous improvement.

Expected Outcomes

Early warning systems are in place (no "surprises") which protect the company from unforeseen events and which notify the ELT of risks promptly.

Key risks are identified and the control environment is optimised to improve effectiveness, reduce costs and enhance business performance.

Opportunity risks are identified and exploited, and risk discussions are embedded in operational planning, resource allocation, etc.

Activities related to regulatory, compliance and audit matters are efficient and effective.

Health, Safety and Wellbeing

Support the healthAlliance health, safety and wellbeing culture and recognise individual responsibility for workplace health and safety under the Health and Safety in Employment Act 1992.

Expected Outcomes

Support the healthAlliance health, safety and wellbeing culture by:

Ensuring a safe working environment and safe working practices

Planning, organising and managing Health and Safety activities directed at preventing harm in the workplace

Reading and understanding healthAlliance Health and Safety policies and relevant procedures and applying them to own work activities

Identifying, reporting and managing hazards where appropriate

Assisting in identifying Health and Safety Representatives for your area.


General

Model a culture of innovation by leading changes to processes, practices and systems that align with company values.

As an employee you are required to familiarise yourself with and comply with all our policies, including but not limited to our Code of Conduct.

Consistently displays the principles of the organisation and holds staff accountable for their behaviour

Adheres to and observes all organisational policies, methodologies and practices

Other duties as required, in addition to or as a result of changing circumstances, that contribute to achieving the purpose of the role.

Qualification, Experience and Training Requirements

What is the typical background required to competently perform the responsibilities of the job?

Essential is the minimum acceptable level for entry. Preferred indicates the desirable level, but may also expand on the nature of the requirement, e.g. industry-related experience or level of previous supervisory experience.

Essential Preferred

Bachelor's or Master's Degree in Computer Science, Information Systems, or other related field, or equivalent work experience.

10 to 15 years of IT and business/industry work experience

Deep understanding of health information system standards.

4 years of leadership experience in managing multiple, large, cross-functional teams or projects

Experience in current IT service delivery with strong knowledge of ITIL v3 framework and experience in its practical application in mid to large sized companies.

Proven experience of leading a review of an existing IT function and then defining and delivering a programme of improvements to its internal processes, structures and capability.

Awareness and understanding of industry standard security issues and processes.

Awareness and Understanding of Business Continuity principles

Competent knowledge of Prince2 methodology in order to complement project managers within the design stages of the project lifecycle

Awareness and understanding of Data Protection law and regulations.

Demonstrable and practical experience at a senior level, in public or private sector, of working with senior colleagues to deliver transformational change to business processes and systems, to deliver cost savings and service improvements for customers


Competencies for the role

Decision Quality Makes good decisions (without considering how much time it takes) based upon a mixture of analysis, wisdom, experience, and judgement; most of his/her solutions and suggestions turn out to be correct and accurate when judged over time; sought out by others for advice and solutions.

Planning Accurately scopes out the length and difficulty of tasks and projects; sets objectives and goals; breaks down work into the process steps; develops schedules and task/people assignments; anticipates and adjusts for problems and roadblocks; measures performance against goals; evaluates results.

Strategic Agility Sees ahead clearly; can anticipate future consequences and trends accurately; has broad knowledge and perspective; is future oriented; can articulately paint credible pictures and vision of possibilities and likelihoods; can create competitive and breakthrough strategies and plans.

Process Management Good at figuring out the processes necessary to get things done; knows how to organise people and activities; understands how to separate and combine tasks into efficient work flow; knows what to measure and how to measure it; can see opportunities for synergy and integration where others can’t; can simplify complex processes; gets more out of fewer resources.

Total Quality Management Is dedicated to providing organisation- or enterprise-wide common systems for designing and measuring work processes; seeks to reduce variances in organisation processes; delivers the highest-quality products and services which meet the needs and requirements of internal and external customers; is committed to continuous improvement through empowerment and management of data; leverages technology to positively impact quality; is willing to re-engineer processes from scratch; is open to suggestions and experimentation; creates a learning environment leading to the most efficient and effective work processes.

Conflict Management Steps up to conflicts, seeing them as opportunities; reads situations quickly; good at focused listening; can hammer out tough agreements and settle disputes equitably; can find common ground and get cooperation with minimum noise.

Drive for Results Can be counted on to exceed goals successfully; is constantly and consistently one of the top performers; very bottom-line oriented; steadfastly pushes self and others for results.

Interpersonal Savvy Relates well to all kinds of people: up, down and sideways, inside and outside the organisation; builds appropriate rapport; builds constructive and effective relationships; uses diplomacy and tact; can defuse even high-tension situations comfortably.

Customer Focus Is dedicated to meeting the expectations and requirements of internal and external customers; gets first-hand customer information and uses it for improvements in products and services; acts with customers in mind; establishes and maintains effective relationships with customers and gains their trust and respect.


Integrity and Trust Is widely trusted; is seen as a direct, truthful individual; can present the unvarnished truth in an appropriate and helpful manner; keeps confidences; admits mistakes; doesn't misrepresent him/herself for personal gain.

Note: The position description needs to be reviewed by both parties annually. Signed as current and agreed: ______________ ______________ Manager Employee