We are a well-funded not-for-profit project tasked with building the open-source DHIS2 platform, the world’s most widely-deployed health information system. The project is based at the Health Information Systems Programme (HISP) at the University of Oslo (UiO) where we operate as an independent software development organization.

With us you get a chance to work on problems which really matter: Improving the health and well-being of people around the world through access and use of information. Our platform is used in more than 90 countries worldwide and has the scale and adoption which will allow you to make an impact globally.

We give you a lot of flexibility and freedom and there is no micro-management or strict hierarchies. At DHIS2 we believe you will do your best work if you fully understand the context in which the system operates. As a result you are encouraged to engage directly with our projects, take part in the design process and get feedback from users in the field.

DHIS2 is hiring a Senior Security Manager for our global team. This is a full-time position with the option to work remotely or from Oslo, Norway

About This Role

As security manager, you will be responsible for defining and implementing security policies for DHIS2. As a senior member of the core team you will help to guide the development of a secure software platform as well as to promote and proliferate strong privacy and security practices to the global community of software users and implementers.

An important part of the security manager’s responsibilities will be to lead our support to implementing partners, primarily ministries of health in Africa and Asia. Development of guidelines and participation at DHIS2 academies and missions to countries will be essential in our effort to help countries build robust and secure health information systems. With the increasing adaptation of the DHIS2 for case-based data, the security manager will help countries build national structures and policies to protect not only the software system as a whole but also the sensitive data collected and processed by that system.

What You'll Do

• Develop, implement and maintain a security posture for the HISP project.
• Provide strategic guidance on security, privacy, and data protection issues, with particular regard for patient-level data in developing countries.
• Work with development partners, country implementers, and HISP nodes to raise awareness of and develop practical guidelines for appropriate security postures and practices.
• Promote security awareness through specific training and augmentation of existing training materials with appropriate security considerations.
• Assess, adopt, or develop auditable security controls appropriate for the activities of HISP
• Communicate the HISP security strategy internally and externally
• Work with the DHIS2 security team to promote best practices and standards in the storage and exchange of patient identifiable data across DHIS2 product development groups
• Work with Security Engineer and team to ensure that DHIS2 software is compliant to agreed upon framework
• Ensure that security requirements are embedded in partner and subcontractor software specifications (Android, 3rd party web apps, etc.) and that compliance is well-tested.
• Implement a formal vulnerability reporting, remediation, and disclosure process
• Coordinate, evaluate, and respond to external and internal penetration tests and security audits

Travel will be necessary, once COVID-19 travel restrictions have been lifted.

• Passionate about working on a meaningful, impactful, and challenging global project
• Someone with a strong information security background
• Knowledgeable and experienced working in an information security management framework (such as ISO27002)
• Strong experience with modern software system vulnerabilities and mitigation strategies
• Fluent in verbal and written English
• Strong skills in clear technical writing and communication
• Experience in public health and international development is a plus
• Particular experience dealing with privacy and individual patient data is a plus
• Experience working in ICT4D or international development projects is an asset

Location and Employment Details

Remote (Central European Time Zone +/- 2 hours) or in Oslo, Norway. This is a full-time position on a 1-year renewable contract.