Governance, Risk, and Compliance Analyst

About The Position

Requirements

• Bachelors degree in Information Security, Computer Science, Information Management Systems, or related field desired; or 6 years of relevant experience may be substituted in lieu of degree. An advanced degree is strongly preferred.
• 3 years of experience in Information Security Risk Management or in Information Technology/Information Security Audit required.
• 5 years of experience in a large (over 2,000 end users) Healthcare IT Enterprise preferred.
• 7 years of experience in a combination of IT Governance, Risk Management, Compliance, and Information security roles preferred.
• Professional certifications such as Certified Information Security Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP) or Certified Risk & Information Security Controls (CRISC) required or willing to obtain within the first year of employment.
• Expert working knowledge from within an information security function using ISO 27000, NIST CSF, NIST RMF, or NIST 800-53, HIPAA, or HITRUST Common Security Framework.
• Experience supporting SSAE 16 or SOC 2
• Detailed understanding and extensive experience with information security regulations, including at a minimum National Institute of Standards and Technology (NIST), Health Insurance Portability Accountability Act (HIPAA), Payment Card Industry (PCI), ISO 27001 and ISO 27018, Sarbanes-Oxley (SOX), Cloud Security Alliance (CSA) and various other laws and regulations including Executive Orders.
• Significant experience performing Information Security Risk Management, Third-Party Risk Management, and audits and assessments in large, complex organizations.
• Significant experience in end-to-end IT and Security Risk Management.
• Significant experience with technical risk remediation identification and planning.
• Significant experience with corrective action and remediation engagement and planning.
• Models high standards of integrity, performance, confidentiality, and demonstrates sound judgement.
• Incorporates Presbyterian Health Services values into the ITGRC compliance and audit program
• Certified Information Systems Security Professional
• Certified in Risk and Information Systems Control
• Certified Information Systems Auditor

Nice To Haves

• CRISC Certification
• CISSP Certification
• CGRC Certification
• Security+ Certification
• 5+ years of hands-on experience in technology risk management and/or vendor risk management
• Healthcare or insurance experience
• 3+ Years GRC experience

Responsibilities

• Provide expert knowledge in information security standards and practices and with related federal, state, and local regulatory requirements.
• Identify and assess the severity and potential impact of risks identified within audits and assessments. Educate risk owners within Information Technology and Information Security about risk assessment findings and proper risk remediation.
• Support the implementation of PHS and PHP information governance, risk, and compliance processes.
• Assess processes, practices, and controls against PHS Information Technology and Information Security policies, procedures, and standards.
• Coordinate, catalogue, and communicate internal and external risks and findings to the Director, ITGRC.
• Develop and maintain risk exception and acceptance processes, corrective action plans and mitigation strategies for cyber risks, assessment and audit findings, supply chain risks, and operational risks and recommendations. Corrective action plans are continually updated, and progress is documented for each open item.

Benefits

• Presbyterian offers a comprehensive benefits package to eligible employees, including medical, dental, vision, disability coverage, life insurance, and optional voluntary benefits.
• The Employee Wellness Rewards Program encourages staff to engage in health-enhancing activities - like challenges, webinars, and screenings - with opportunities to earn gift to earn gift cards and other incentives.