About The Position

Marana Health is seeking an Information Security Officer (ISO) to join the Information Technology team at the Marana Main Health Center, located in the heart of Marana, AZ. The Information Security Officer (ISO) is responsible for providing enterprise leadership, accountability, and subject matter expertise for information security, cybersecurity, compliance, risk management, and governance activities. The ISO serves as the organization's primary authority on the protection, governance, and responsible use of information assets, ensuring compliance with regulatory requirements while supporting organizational growth, innovation, and patient care. This position develops and maintains enterprise-wide security, governance, and risk management frameworks that safeguard organizational data and technology resources. The ISO collaborates closely with executive leadership, Information Technology, Clinical Informatics, Compliance, Operations, Human Resources, and business stakeholders to establish policies, standards, and governance processes that support organizational objectives. The ISO is responsible for leading the organization's Security Risk Analysis (SRA), cybersecurity risk management, PCI compliance, data governance, AI governance, vendor risk management, and regulatory compliance programs. The ISO serves as a trusted advisor to executive leadership regarding cybersecurity strategy, HIPAA Security Rule compliance, contingency planning, data governance, AI governance, enterprise risk management, regulatory compliance, and emerging technology risks. Marana Health is a Federally Qualified Community Health Center (FQHC), with 11 sites in Tucson and Pima County. Our mission is to improve our community by providing exceptional, whole-person healthcare.

Requirements

  • Bachelor's degree in Information Security, Cybersecurity, Information Technology, Information Systems, Computer Science, Healthcare Informatics, Business Administration, or related field required.
  • Minimum seven (7) years of progressively responsible experience in information security, cybersecurity, risk management, governance, compliance, or healthcare technology leadership, including experience conducting Security Risk Analyses (SRA), risk management activities, and regulatory compliance initiatives.
  • Minimum three (3) years of experience developing, implementing, or managing enterprise security, governance, or compliance programs.
  • Fingerprint Clearance Card through the Arizona Department of Public Safety.
  • Current Arizona driver's license with clean driving record and proof of current vehicle insurance (39-month MVR will be run by MH)
  • Experience conducting risk assessments, developing policies, and implementing security controls.
  • Experience managing vendor security reviews and regulatory compliance initiatives.
  • Experience leading cross-functional projects and organizational initiatives.
  • Experience presenting information to executive leadership and organizational stakeholders.
  • Strong understanding of ambulatory healthcare workflows and healthcare operations.
  • Thorough knowledge of HIPAA Security Rule requirements and healthcare cybersecurity practices.
  • Strong understanding of data governance, data stewardship, data quality, data lifecycle management, and information management principles.
  • Knowledge of NIST Cybersecurity Framework, CIS Controls, HITRUST, and other industry-recognized security standards.
  • Understanding of cloud security, identity and access management, network security, endpoint protection, vulnerability management, and incident response.
  • Knowledge of vendor risk management, third-party security assessments, and contract security requirements.
  • Understanding of AI governance frameworks, emerging technologies, and associated security and compliance risks.
  • Knowledge of Security Risk Analysis (SRA) methodologies, risk assessment frameworks, and risk management best practices.
  • Knowledge of PCI DSS requirements and payment card security standards.
  • Ability to develop and implement organizational policies, standards, and governance frameworks.
  • Ability to communicate complex technical concepts effectively to executive, clinical, operational, and non-technical audiences.
  • Knowledge of contingency planning, business continuity planning, disaster recovery planning, and emergency preparedness frameworks.
  • Ability to develop, implement, test, and maintain organizational contingency and recovery plans for critical business and technology functions.
  • Strong analytical, organizational, problem-solving, and project management skills.
  • Ability to build collaborative relationships across departments and influence organizational decision-making.
  • Excellent written, verbal, presentation, and facilitation skills.
  • Ability to manage multiple priorities and initiatives in a dynamic healthcare environment.

Nice To Haves

  • Master's degree in Information Security, Cybersecurity, Information Technology, Healthcare Informatics, Business Administration, or related field.
  • Experience supporting Federally Qualified Health Centers (FQHCs), healthcare systems, or ambulatory healthcare organizations.
  • Experience serving as a HIPAA Security Officer or equivalent security leadership role.
  • Experience implementing NIST Cybersecurity Framework, CIS Controls, HITRUST, or similar governance and security frameworks.
  • Experience leading enterprise data governance initiatives.
  • Experience developing AI governance programs and responsible technology governance frameworks.
  • Experience managing regulatory audits, security assessments, and compliance reviews.
  • Experience leading enterprise Security Risk Analyses (SRA), risk remediation programs, and regulatory compliance initiatives.
  • Experience managing PCI DSS compliance programs, assessments, and remediation activities.
  • CISSP – Certified Information Systems Security Professional
  • HCISPP – Healthcare Information Security and Privacy Practitioner
  • CISM – Certified Information Security Manager
  • CRISC – Certified in Risk and Information Systems Control
  • CISA – Certified Information Systems Auditor
  • CDMP – Certified Data Management Professional
  • Security+
  • Equivalent combination of education and experience may be considered if applicable and must be directly related to the functions and body of knowledge required to successfully perform the job.

Responsibilities

  • Develop, implement, and maintain a comprehensive enterprise information security program aligned with organizational goals and industry best practices.
  • Establish and maintain information security policies, standards, procedures, and controls.
  • Lead cybersecurity governance initiatives and provide strategic guidance to executive leadership.
  • Develop and maintain cybersecurity, compliance, governance, and risk management metrics, dashboards, and key performance indicators (KPIs) for executive leadership and organizational reporting.
  • Conduct organizational security risk assessments and develop mitigation strategies.
  • Monitor and communicate emerging cybersecurity threats and risks affecting healthcare organizations.
  • Provide leadership for security-related projects and organizational initiatives.
  • Coordinate and facilitate organizational data governance activities and maintain accountability in partnership with Clinical Informatics, Analytics, Compliance, and operational leaders.
  • Establish enterprise data governance policies, standards, and procedures.
  • Partner with clinical, operational, financial, and technology leaders to define data ownership, stewardship, and accountability.
  • Coordinate Data Governance Committee activities and governance initiatives.
  • Establish standards for data classification, retention, access, sharing, archival, and disposal.
  • Promote data quality, integrity, consistency, and reliability across organizational systems.
  • Maintain enterprise data inventories and support data lineage and information asset management efforts.
  • Collaborate with Clinical Informatics, Enterprise Analytics, Compliance, and operational leadership to establish governance standards for clinical, operational, financial, and artificial intelligence data assets.
  • Monitor organizational data quality issues and facilitate remediation efforts.
  • Establish governance processes supporting responsible and ethical use of organizational data.
  • Oversee vulnerability management, security monitoring, incident response, and threat mitigation efforts.
  • Coordinate investigations and response activities related to security incidents and data breaches.
  • Lead business continuity and disaster recovery security planning activities.
  • Review and provide security oversight for new systems, applications, integrations, cloud services, artificial intelligence technologies, and technology initiatives to ensure alignment with organizational security standards, regulatory requirements, and risk management objectives.
  • Collaborate with Information Technology teams to implement and maintain appropriate security controls.
  • Monitor organizational compliance with established security standards and policies.
  • Serve as the organizational lead for cybersecurity incidents, coordinating incident response activities, executive communications, regulatory notification requirements, remediation efforts, and post-incident reviews.
  • Coordinate with Information Technology, Compliance, Human Resources, Legal, and executive leadership during cybersecurity incidents, data breaches, and security investigations.
  • Develop and maintain incident response procedures, escalation processes, and communication plans.
  • Conduct periodic incident response exercises and lessons-learned reviews to improve organizational preparedness and resilience.
  • Serve as the organization's designated HIPAA Security Officer and maintain accountability for implementation, monitoring, and ongoing compliance with HIPAA Security Rule requirements.
  • Ensure compliance with HIPAA Security Rule requirements and other applicable regulatory requirements.
  • Own, coordinate, and execute the organization's enterprise-wide Security Risk Analysis (SRA) program, including annual assessments, ongoing risk evaluations, risk identification, remediation planning, and executive reporting.
  • Develop, maintain, and monitor corrective action plans resulting from Security Risk Analyses, security audits, penetration tests, vulnerability assessments, and compliance reviews.
  • Coordinate and maintain required security risk analyses and risk management activities.
  • Lead security-related audit preparation and responses.
  • Develop and maintain documentation supporting regulatory compliance.
  • Monitor changes in regulations and industry standards and advise leadership regarding organizational impacts.
  • Collaborate with Compliance and Legal teams on privacy and security initiatives.
  • Develop, implement, and maintain the organization's contingency planning program in accordance with HIPAA Security Rule requirements and industry best practices.
  • Lead the development and maintenance of Business Continuity Plans (BCPs), Disaster Recovery Plans (DRPs), Emergency Operations Plans, and technology recovery procedures.
  • Conduct Business Impact Analyses (BIAs) to identify critical systems, applications, processes, and recovery priorities.
  • Coordinate periodic testing, tabletop exercises, and validation of contingency, business continuity, and disaster recovery plans.
  • Partner with Information Technology, Clinical Operations, Facilities, and organizational leadership to ensure continuity plans support patient care and business operations during disruptions.
  • Monitor and report on organizational readiness related to business continuity, disaster recovery, and emergency preparedness activities.
  • Coordinate corrective action plans resulting from contingency plan testing, disaster recovery exercises, and actual events.
  • Ensure contingency planning activities align with organizational risk management, regulatory compliance, cybersecurity, and operational resilience objectives.
  • Develop and maintain a third-party risk management program.
  • Conduct security assessments of vendors, business associates, and technology partners.
  • Review Business Associate Agreements (BAAs) and security requirements for third-party relationships.
  • Participate in procurement and contract review processes to ensure appropriate security and compliance protections.
  • Identify and mitigate risks associated with vendor relationships and system integrations.
  • Maintain accountability for AI governance standards while providing security, privacy, and risk guidance related to AI initiatives.
  • Evaluate privacy, security, ethical, and regulatory considerations associated with AI technologies.
  • Collaborate with Clinical Informatics, Operations, Compliance, and IT leadership regarding AI initiatives.
  • Establish governance frameworks supporting responsible AI adoption and use.
  • Monitor emerging AI regulations, guidance, and industry best practices.
  • Ensure AI initiatives align with organizational goals, security requirements, and regulatory expectations.
  • Develop and maintain security awareness and education programs.
  • Monitor and report workforce compliance with required information security, privacy, cybersecurity, and regulatory training requirements.
  • Promote a culture of cybersecurity, privacy, and data stewardship throughout the organization.
  • Provide education and guidance to workforce members regarding information security responsibilities.
  • Conduct enterprise technology, cybersecurity, and information risk assessments.
  • Develop and monitor risk mitigation and remediation plans.
  • Maintain cybersecurity and technology risk documentation, coordinate technology and cybersecurity risk management activities, and ensure identified risks are documented, prioritized, assigned, monitored, and tracked through resolution.
  • Develop and present risk reporting to executive leadership and governance committees to support informed decision-making and organizational risk management objectives.
  • Develop and present executive and governance committee reporting on cybersecurity risk, regulatory compliance, data governance maturity, AI governance activities, and organizational risk mitigation progress.
  • Support departments in identifying and managing technology-related risks.
  • Serve as organizational lead and facilitator for Information Security, Data Governance, AI Governance, and Risk Management committees including development of agendas, reporting, action plans, governance documentation, and executive communications.
  • Provide strategic recommendations to executive leadership regarding security, governance, compliance, and technology risks.
  • Collaborate with departments across the organization to establish governance frameworks and promote organizational accountability.
  • Support organizational strategic planning efforts related to information security, data governance, and emerging technologies.
  • May supervise future security, governance, compliance, or cybersecurity personnel, consultants, contractors, and third-party service providers.
  • Other Duties as assigned

Benefits

  • Medical, Dental, and Vision
  • 403(b) with employer contribution
  • Short-term disability and other benefits
  • Paid time off including 11 holidays plus vacation and sick leave accrual
  • Paid bereavement, jury duty, and community service time
  • Education reimbursement ($3,000 per year for full-time)
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service