Privacy & Information Security Risk Management Analyst II

About The Position

Requirements

• Bachelor's in Business, Computer Science, Engineering, Information Security, Management, Mathematics, Science, Technology or related field (Equivalent experience will be accepted in lieu of the required degree or diploma).
• 2 years recent relevant experience.
• Proficient technical skills in planning, administration, and management of information systems, operational and technical security controls, and security risk analysis and management.
• Thorough knowledge of information systems security concepts, current information security trends, practices including security processes, methods, and procedures.
• Working knowledge of software, hardware, databases, networks, firewalls, encryption, and other systems security devices.
• Good understanding of Transmission Control Protocol/Internet Protocol (TCP/IP), Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Active Directory, network topologies, and intrusion detection systems.
• General knowledge regarding National Institute of Standards and Technology (NIST), Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH), Federal Information Procession Standards (FIPS), and other related industry security standards, regulations, and best practices.
• Advanced understanding of federal and state security and privacy-related regulatory requirements.
• Good business acumen and advanced analytic skills, including the ability to analyze data and information, reach practical conclusions, recommend corrective actions, resolve conflicts, and institute effective changes.
• Effective organizational and project management skills required, including the demonstrated ability to prioritize tasks, manage multiple projects simultaneously, and complete deliverables.
• Attention to detail with time management and organization skills, including attention to detail, clear documentation, diagnostic capabilities and problem-solving skills.
• Communication (written/verbal), interpersonal, and presentation skills to explain complex technical or sensitive information clearly and professionally to diverse audiences and all levels of internal and external constituencies.
• Robust computer skills, including an advanced knowledge of Microsoft Office Suite (Word, Excel, Outlook, Access, Access Control List (ACL)), Microsoft Visio or other flowcharting tool, various database architectures and related security and assessment tools and applications.
• Ability to identify key concepts, factors, and risks based on conversations and document them in clear and concise narrative.
• Ability to work independently, as well as part of a multidisciplinary team, while demonstrating organization skills to efficiently and effectively conduct reviews and assessments within established timeframes and government regulations.

Nice To Haves

• CISSP or CRISC certification preferred.
• Third‑party/vendor security risk assessments.
• Conducting formal risk assessments.
• GRC or third-party risk management platforms (e.g., ServiceNow VRM or equivalent).
• Continuous security monitoring tools (e.g., BitSight or similar).
• Experience assessing security risks affecting protected health information (PHI).

Responsibilities

• Conduct and validate technical security reviews and security assessments using the Sutter Health GRC platform.
• Produce security risk assessment reports.
• Act as a technical advisor to security leadership, IS departments, and business units on security issues and risks.
• Lead resolution on complex security issues and initiatives.
• Provide security training to IS staff.
• Develop and/or review technical information security policies, procedures, standards, and guidelines.
• Conduct technical security-related research and analysis.
• Translate research and analysis results into meaningful input for the Information Security program.

Benefits

• Comprehensive benefits package