Governance & Compliance Senior Analyst
Reporting to the OIS, Governance and Compliance Manager, the OIS, Governance and Compliance Senior Analyst will be responsible for performing the tasks necessary to ensure the success of the Security Management team within the Office of Information Security (OIS).
The OIS, Governance and Compliance Senior Analyst will be responsible for supporting the OIS, Governance and Compliance Manager's efforts in:
• Ensuring that the governance and compliance program elements meet our security and compliance objectives and are designed, implemented and executed effectively, efficiently and economically
• Developing, maintaining and publishing all necessary information security program documentation, including policies, procedures, standards, guidelines, education materials, etc.
• Reviewing and assessing the results of compliance assessments and controls audits of IT systems and processes, and then recommending, documenting and monitoring the implementation of any prescribed corrective actions resulting from those assessments
• Promoting workforce engagement by developing, implementing and managing a security awareness and training program
• Investigating and responding to any suspected compliance/privacy incidents in accordance with company security incident handling, reporting and management procedures
• Producing as required, any compliance metrics reports for the Chief Information Security Officer (CISO) and any other stakeholders or security steering committees prescribed
• Responding to requests for consultation or other inquiries from staff and providing compliance advice as required
• Supporting the organization's Compliance, Privacy, Legal and Human Resources department by providing the necessary compliance management expertise required to ensure that compliance practices are implemented in accordance with company objectives for risk acceptance
• Supporting any requests for information from external authoritative agencies as required (e.g., assessors, auditors, investigators, etc.)
• Providing any requested input for the ongoing maturation and development of the compliance and governance management strategies necessary to support the business planning process
• Maintaining currency and expertise with emerging trends in compliance and governance standards and technologies (both internal and external)
• Assuring that all necessary compliance and governance documentation is maintained and updated
• The following specific tools and processes:
• OIS compliance and privacy incident management (Compliance, Privacy, Legal and Human Resources Investigations)
• Policies, Procedures, Standards, Guidelines development and publishing
• Security Awareness and Training program
• Compliance software (e.g., RL Solutions, ComplyTrack/MediRegs, FairWarning, etc.)
• Information security presents a challenge in that there is never a "100% secure" environment, and organizations must decide "how much security is enough."
• Information security threats must be assessed in light of their likelihood of occurrence, the potential impact of a security breach, and the cost to mitigate the risk. Potential impacts of security breaches can be financial, legal or reputational: for example, loss of revenue due to an information outage or theft, civil and criminal legal penalties, and unwanted publicity due to the disclosure of patients' confidential information or company-sensitive information.
• Constantly evolving external security threats range from individual hackers targeting Steward Health Care to steal and publicize confidential information to non-specific malicious computer viruses that cause extensive, long-term damage to company operations.
• Internal security threats must be addressed as well; a high percentage of all security breaches originate inside the organization. Internal security safeguards include role-based security access controls, effective password management practices and training/awareness programs.
• Information security is a process, not a project. Although enhancements are made to our program on a project basis (such as a new intrusion detection product), it is the ongoing vigilance in monitoring all security processes that leads to an effective security program.
• The most effective security strategy is "defense in depth." This means that multiple layers of technical, administrative and physical security safeguards must be employed. The challenge is to implement and oversee an effective mix of safeguards without over- or under-emphasizing any particular safeguard.
Behavioral Competencies and Personal Proficiencies:
• Professionalism, great attitude and high aptitude
• Effective communicator
• Organized and planful
• Risk-based decision-maker
• Agile. Transitions smoothly between tactical and strategic thinking
• Conflict resolution skills, influencer and negotiator
• Takes initiative, then maintains drive and enthusiasm
• Organizational competence and astuteness
• Sets and reflects a commitment to high standards
• Selfless, compassionate and responsive to peers and patients
• Confidence and high integrity
• Excellent working knowledge of security, governance, risk, compliance and privacy concepts and practices as they apply to health care and information technology
• Excellent working knowledge of relevant authoritative source material (e.g., HIPAA, PCI, Joint Commission, GDPR, Meaningful Use, MIPS, MACRA, etc.)
• Excellent working knowledge of relevant industry best practices (e.g., NIST, FIPS, FISMA, COBIT, ITIL, ISO, etc.)
• Excellent working knowledge of business risk management strategies and management practices
Requirements and Preferences:
• Bachelor's degree in a related area
• Professional Certification(s) in information compliance management (e.g., CRISC, CISA, CRM, CERA, PRM, RIMS, PMI-RMP, CRMA, GRCP, CGEIT, CGRC, etc.)
• Minimum of (4) years previous experience working in a governance or compliance role
• Previous experience working in an ITGC auditing role
• Previous experience in Healthcare and understanding of applicable compliance requirements
• Demonstrated experience consistent with ISO 27000, ITIL, the NIST 800 series, and any other controls that are applicable to network security monitoring/analysis, event escalation, cyber threat analysis, and vulnerability analysis
• Specific experience in compliance/privacy incident management response and reporting, policy and procedure writing, security awareness and training development, and publishing tools (e.g., SharePoint, etc.)
Job Status: Full Time
Job Reference #: 4225