IS Risk Analyst - IS Security
Reporting to the OIS IT Risk Manager, the OIS IT Risk Analyst will be responsible for performing the tasks necessary to ensure the success of the IT Risk Management team within the Office of Information Security (OIS).
The OIS IT Risk Analyst will be responsible for supporting the OIS IT Risk Manager's efforts in:
* Ensuring that the risk management program elements meet our risk acceptance objectives and are designed, implemented and executed effectively, efficiently and economically
* Ensuring that the risk management objectives and requirements are supported in all IT security policies, procedures, standards, guidelines, education, etc.
* Performing, reviewing and assessing the results of risk assessments of internal entities and third parties
* Recommending, documenting and monitoring the implementation of any prescribed corrective actions resulting from those risk assessments
* Supporting investigations by ensuring that risk objectives are carefully weighed during the management of any suspected security incident, in accordance with company security incident handling, reporting and management procedures
* Producing, as required, risk metrics reports for the Chief Information Security Officer (CISO) and any other prescribed stakeholders or security steering committees
* Responding to requests for consultation or other inquiries from staff and providing risk management advice as required
* Supporting the IT Project Management Office (PMO) and business project managers by providing the risk management expertise required to ensure that projects and initiatives are implemented in accordance with company objectives for risk acceptance
* Supporting requests for information from external authoritative agencies as required (e.g., assessors, auditors, investigators, etc.)
* Providing any requested input for the ongoing maturation and development of the information risk management strategies necessary to support the business planning process
* Maintaining currency and expertise in emerging trends in risk management, governance standards and technologies (both internal and external)
* Assuring that all necessary risk management documentation is maintained and updated
* Working with the following specific tools and processes:
o OIS Internal and External Risk Management program (performing risk assessments)
o IS Risk Register and Corrective Action Planning
o Third Party Due Diligence Security Reviews
o Program and Project Risk Management
o Enterprise Governance, Risk & Compliance Software (Archer)
* Information security presents a challenge in that there is never a "100% secure" environment, and organizations must decide "how much security is enough."
* Information security threats must be assessed in light of their likelihood of occurrence, the potential impact of a security breach, and the cost to mitigate the risk. Potential impacts of security breaches can be financial, legal or reputational: for example, loss of revenue due to an information outage or theft, civil and criminal legal penalties, and unwanted publicity due to the disclosure of patients' confidential information or company-sensitive information.
* Constantly evolving external security threats range from individual hackers targeting Steward Health Care to steal and publicize confidential information, to untargeted malicious software that causes extensive, long-term damage to company operations.
* Internal security threats must be addressed as well; a high percentage of all security breaches originate inside the organization. Internal security safeguards include role-based access controls, effective password management practices and training/awareness programs.
* Information security is a process, not a project. Although enhancements are made to our program on a project basis (such as a new intrusion detection product), it is the ongoing vigilance in monitoring all security processes that leads to an effective security program.
* The most effective security strategy is "defense in depth." This means that multiple layers of technical, administrative and physical security safeguards must be employed. The challenge is to implement and oversee an effective mix of safeguards without over- or under-emphasizing any particular safeguard.
Behavioral Competencies and Personal Proficiencies:
* Professionalism, great attitude and high aptitude
* Effective communicator
* Organized and planful
* Risk-based decision-maker
* Agile. Transitions smoothly between tactical and strategic thinking
* Conflict resolution skills, influencer and negotiator
* Takes initiative, then maintains drive and enthusiasm
* Organizational competence and astuteness
* Sets and reflects a commitment to high standards
* Selfless, compassionate and responsive to peers and patients
* Confidence and high integrity
* Good working knowledge of security, governance, risk, compliance and privacy concepts and practices as they apply to health care and information technology
* Good working knowledge of relevant authoritative source material (e.g., HIPAA, PCI, Joint Commission, GDPR, Meaningful Use, MIPS, MACRA, etc.)
* Good working knowledge of relevant industry best practices (e.g., NIST, FIPS, FISMA, COBIT, ITIL, ISO, etc.)
* Good working knowledge of business risk management strategies and management practices
Requirements and Preferences:
* Bachelor's degree in a related area
* Professional Certification(s) in information risk management (e.g., CRISC, CISA, CRM, CERA, PRM, RIMS, PMI-RMP, CRMA, GRCP, CGEIT, CGRC, etc.)
* Minimum of two (2) years' previous experience working in a risk management role
* Previous experience in Healthcare and understanding of applicable compliance requirements
* Previous experience working in an ITGC auditing role
* Demonstrated experience with the ISO 27000 series, ITIL, the NIST SP 800 series, and any other control frameworks applicable to network security monitoring/analysis, event escalation, cyber threat analysis and vulnerability analysis
* Specific experience in conducting risk assessments, performing third-party due diligence, managing a risk register, using GRC software and maintaining corrective action plans
Job Status: Full Time
Job Reference #: 51400