Information Risk Consultant

About The Position

Requirements

• Bachelor's Degree - Information Security, Information Systems, Information Assurance, Computer Science or related field
• At least 7 years' experience in Information Security, Governance, Risk and/or Compliance
• 3 - 5 years' experience in Information Security and/or Information Risk Management and/or Information Technology
• 1 - 3 years' experience within Information Security Governance, Risk and/or Compliance functions and activities
• 1 - 3 years’ experience developing, communicating and presenting Information Security and Risk Management concepts to varying audiences
• Familiarity with technologies such as intrusion Prevention Systems (IPS), firewalls, endpoint protection, web/email filtering, Data Loss Prevention (DLP), digital rights management, encryption, Security Event and Incident Management (SEIM), and virtualization platforms
• Knowledge of HITRUST CSF, NIST 800-83 cyber security framework, PCI, HIPAA, HITECH, COBIT, ISO 27001/2, and ITIL 3
• Knowledge of NIST Risk Assessment methodology
• Familiarity with secure SDLC best practices
• Knowledge of OCTAVE or OCTAVE Allegro risk methodology
• Ability to work within high performance, multi-discipline teams
• Strong teamwork and interpersonal skills

Nice To Haves

• Master’s Degree - Computer Science, Information Security or related field
• 5 - 7 years' experience in Information Security and/or Information Risk Management including:
• Demonstrated ability to contribute to policy lifecycle management, ensuring timely updates and alignment with HIPAA, NIST CSF 2.0, and other authoritative source requirements.
• Experience assisting with control assurance and maturity improvement initiatives, with a focus on remediating gaps and strengthening the cybersecurity posture.
• Strong background in interpreting and applying security policies, standards, and regulatory requirements within complex business and technical environments.
• Experience supporting cybersecurity governance activities, including coordinating cross-functional forums and contributing to dashboards and narratives for decision-making.
• Familiarity with governance tools and platforms such as RSA Archer (GRC) and policy management systems.
• Industry certifications such as Security+, GSEC, CySA+, or working towards CISSP, CISM, CISA, or SANS certifications.

Responsibilities

• Conduct Information Risk Assessments as assigned to the team.
• Request and analyze documentation necessary to perform appropriate assessment and conduct necessary interviews in order to collect and review relevant materials necessary to produce results of the assessment.
• Clearly and concisely document and communicate risk assessment results with requestor, security architects and management, as appropriate.
• Conduct and formulate appropriate risk scoring, as it relates to threat, vulnerability, likelihood, impact, security controls/counter-measures, etc.
• Understand and contribute to inventory of risk register tracking, scoring and associated risk statements.
• Perform follow up activities related to exceptions, risk acceptance, corrective action plans and additional mitigation activities.
• Communicate risk treatment methodology; risk avoidance, risk acceptance, risk transference and risk mitigation to appropriate groups.
• Partner with multiple projects and initiatives to apply security architecture requirements, develop architecture solutions, integrate security into solution designs, access risks of security gaps, and develop architecture remediation.
• Assist HM Health Solutions teams in developing and maintaining appropriate procedural documentation which meets relevant compliance standards, such as Payment Card Industry - Data Security Standards (PCI-DSS), Health Information Trust Alliance (HITRUST), and International Organization for Standardization (ISO) 27001.
• Prepare and present solution decks to different levels of management and varying technical experience.
• Begin to take lead role in assuring compliance to required standards, procedures, guidelines and processes.
• Other duties as assigned or requested.