Information Risk & Compliance Analyst I/II

About The Position

Requirements

• Three (3) years of information risk, compliance or related experience.
• Associate's degree in computer science, Information Technology, or relevant field. In lieu of degree, three (3) additional years of related experience required.
• Excellent communications skills with the ability to present clear and concise information to all levels and technical ability.
• Able to work both independently and as part of a team.
• Strong ability to articulate business risks relating to technical issues for both technical and non-technical audiences.
• Strong knowledge of IT and IS Oversight Risk and Compliance (GRC) best practices and regulatory/industry requirements.
• Intermediate knowledge required of various information security regulations, frameworks, and/or industry standards such as but not limited to: Regulation: HIPAA/HITECH, GLBA/FFIEC Examination Handbook, NAIC MAR/SOX, NYS DFS Cybersecurity Regulations; Framework: COSO, COBIT, NIST Cybersecurity Framework (CSF); Industry Standard: PCI/DSS, NIST SP 800-53/30, SSAE 18, ISO, HITRUST
• Experience in the design and evaluation of internal controls or similar project controls.
• Experience in the creation, review, and lifecycle management of IT policies, processes, and procedures.
• Demonstrated skill in risk assessment, both quantitative and qualitative.
• Familiarity with maturity models as aids to gap assessment and remediation planning.
• Strong critical thinking skills with ability to act independently and exercise good judgment, as well as the ability to work cross-functionally and create virtual teams.
• Maintains current knowledge of the latest and newest Cyber Risk & Information Assurance technologies and identifies and researches for enhancement options and process improvements.
• One information security certification such as but not limited to: Security +, CISSP, CISM, CISA, CDPSE, CGEIT, CDMP, GSEC, CRISC, preferred.
• Minimum of six (6) years of experience and advanced knowledge of a minimum of three (3) concepts listed above (under Level I).
• Advanced negotiation and organizational skills with demonstrated ability to multi-task, organize, prioritize, and meet deadlines.
• Advanced experience with security controls for operating systems, applications, and database management systems.
• Advanced knowledge required of various information security regulations, frameworks, and/or industry standards such as but not limited to: Regulation: HIPAA/HITECH, GLBA/FFIEC Examination Handbook, NAIC MAR/SOX, NYS DFS Cybersecurity Regulations; Framework: COSO, COBIT, NIST Cybersecurity Framework (CSF); Industry Standard: PCI/DSS, NIST SP 800-53/30, SSAE 18, ISO, HITRUST
• Strong leadership or mentorship experience preferred.
• Ability to work – and to motivate others to work – under pressure and within tight timelines.
• Experience providing work direction for one or more individual’s specific projects and initiatives.
• Knowledge of Security Frameworks and translating aspects into enhancing security postures.
• Ten (10) years of related work experience in IT security controls, security technology, cyber or data policy, risk practices, data governance or related field.
• Advanced knowledge of a minimum of five (5) concepts listed above (under Level I).
• Two or more certifications listed under level 1 preferred.
• Experience providing work direction for multiple staff for team specific projects and initiatives.
• Experience providing guidance and mentorship to more junior team members.
• Knowledge of Security Frameworks and translating aspects into enhancing security postures.

Nice To Haves

• One information security certification such as but not limited to: Security +, CISSP, CISM, CISA, CDPSE, CGEIT, CDMP, GSEC, CRISC, preferred.
• Strong leadership or mentorship experience preferred.
• Two or more certifications listed under level 1 preferred.

Responsibilities

• Works with teams to continuously improve and update services to ensure they stay ahead of information security and compliance trends.
• Collaborates with external auditors or other inbound requests as needed.
• Performs and/or supports any aspect of Information Risk & Compliance activities (i.e., policy development, security awareness, 3rd party assessment, internal control evaluations, risk assessments, issue management, etc.).
• Contributes to cyber regulatory compliance at state and federal jurisdictions.
• Assists with issues relating to Information Risk including the development of procedures, plans, and security forms to aid the information security program, as well as monitoring and response to unexpected information security control changes across the environment.
• Contributes input to the Organization’s Cybersecurity program performance metrics.
• Creates and updates standard operating procedures for assigned security controls, applications, and platforms.
• Develops materials for Enterprise Security Awareness & training.
• Executes and supports Cybersecurity program initiatives, such as maintaining processes and workflows such as access certification.
• Participates in various oversight Committee meetings, generates agenda and meeting content.
• Plans and executes audits or control testing of technology platforms, evaluates information systems’ internal controls, and works collaboratively with management to identify and facilitate corrective actions.
• Provides monitoring, guidance and direction on security controls, policy, and practices to key stakeholders.
• Responds to internal customer queries, reports and/or requests relating to IT controls, policies, and standards.
• Performs review of change management deployments
• Defines and supports Service Level Agreements (SLA)s and Key Performance Indicators (KPIs).
• Consistently demonstrates high standards of integrity by supporting the Lifetime Healthcare Companies’ mission and values, adhering to the Corporate Code of Conduct, and leading to the Lifetime Way values and beliefs.
• Maintains high regard for member privacy in accordance with the corporate privacy policies and procedures.
• Regular and reliable attendance is expected and required.
• Performs other functions as assigned by management.
• Acts as a change agent to educate the enterprise on Cyber Risk & Information Security Policies and Controls
• Independently manages intake activities, recommends, and executes on intake optimization already noted in level I.
• Pinpoint strengths and areas for improvement related to organizational security posture and risk management acceptance.
• Plans and executes complex audits of technology platforms, evaluates information systems’ internal controls, and works collaboratively with management to identify and facilitate corrective actions.
• Conducts complex data & cybersecurity risk assessments.
• Participates in various committees to establish oversight for cyber, data and risk of the organization.
• Supports various risk assessments for information management controls.
• Mentors and trains Information Risk & Compliance Analyst level I
• Performs as the Subject Matter Expert for majority Information Security Identity management technologies, controls, processes, and practices internally to the Health Plan, and externally in the industry.
• Assists stakeholders with complex security risk assessments.
• Mentors and trains Level II Analysts.
• Serves as the “go-to” person in the absence of the manager.
• Provide input to manager on team performance.