Sr. Third Party Cybersecurity GRC Analyst

Elevance Health•Indianapolis, IN

23h•Hybrid

About The Position

This role requires associates to be in-office 1 - 2 days per week in the Indianaplis, IN or Atlanta, GA office, fostering collaboration and connectivity, while providing flexibility to support productivity and work-life balance. This approach combines structured office engagement with the autonomy of virtual work, promoting a dynamic and adaptable workplace. Please note that per our policy on hybrid/virtual work, candidates not within a reasonable commuting distance from the posting location(s) will not be considered for employment, unless an accommodation is granted as required by law. The Security Analyst Sr. is responsible for independently assessing, documenting, and monitoring cybersecurity risks associated with third-party vendors, service providers, and business partners. This role evaluates vendor security controls, reviews assurance evidence, identifies control gaps, supports remediation and risk acceptance decisions, and provides subject matter expertise throughout the vendor lifecycle.

Requirements

Requires a bachelor’s degree or equivalent combination of education and experience that would provide the knowledge to perform such work.
Experience must include a minimum of 3 years experience in a support & operations or design & engineering role in any of the following areas: access management or network security technologies, servers, networks, Network communications, telecommunications, operating systems, middleware, disaster recovery, collaboration technologies, hardware/software support or other infrastructure services role; or any combination of education and experience, which would provide an equivalent background.
Requires experience providing top-tier support for 3 or more of the information security technology areas: 1) Access Control, 2) Application Security, 3) Business Continuity and Disaster Recovery Planning, 4) Cryptography, 5) Information Security and Risk Management 6) Legal, Regulations, 7) Compliance and Investigations, 8) Operations Security, 9) Physical (Environmental) Security, 10) Security Architecture and Design, 11) Telecommunications and Network Security.

Nice To Haves

Technical security certifications (e.g. Systems Security Certified Practitioner) strongly preferred.
BA/BS degree in Information System and Computer Science or related field of study strongly preferred.
3–5+ years of experience in cybersecurity, third-party risk management, IT risk, GRC, IT audit, regulatory compliance, vendor risk management, or a related field.
Familiarity with common cybersecurity frameworks, standards, and assurance reports, such as NIST CSF, NIST SP 800-53, NIST SP 800-161, ISO 27001/27002, SOC 2, CIS Controls, Shared Assessments SIG, CSA CAIQ, or CSA CCM.
Experience with ServiceNow GRC/IRM, Vendor Security Risk Management, or similar third-party risk management workflows.
Experience performing third-party cybersecurity assessments in healthcare, insurance, financial services, or another regulated industry.
Familiarity with HIPAA, HITRUST, NIST, PCI DSS, SOC 2, ISO 27001, cloud security, and privacy/data protection control expectations.
Experience reviewing SOC 2 Type II reports, ISO 27001 certificates, HITRUST reports, PCI Attestations of Compliance, penetration test summaries, vendor security questionnaires, data flow diagrams, and technical remediation evidence.
Relevant certification such as CISA, CRISC, CISSP, CISM, Security+, CCSK, CCSP, ISO 27001 Lead Auditor/Implementer, AWS Certified Cloud Practitioner, or PCI DSS-related experience

Responsibilities

Support internal and external audit and compliance activities, including HIPAA, HITRUST, NIST, PCI DSS, SOC 2, and other healthcare or cybersecurity-related assessments.
Lead cybersecurity risk assessments and due diligence reviews for third-party vendors, service providers, SaaS platforms, cloud providers, and other external business partners, including high-risk and critical vendors.
Evaluate vendor security documentation, including SOC reports, ISO certifications, HITRUST certifications, penetration test summaries, security questionnaires, policies, data flow diagrams, and remediation evidence.
Communicate directly with vendors to clarify questionnaire responses, request supporting evidence, validate remediation status, and coordinate risk mitigation activities.
Provides trouble resolution on complex problems and leads implementations for system and network security technologies.
Develops testing plans to ensure quality of implementation; coordinates and prepares the reporting of data security events and incidents; provides system and network architecture support for information and network security technologies
Provides technical support to business and technology associates in risk assessments and implementation of appropriate information security procedures, standards and technologies
Represents major upgrades and reconfigurations in change control
Design & analyze mix of vendor services meeting business and information security requirements
Determine and perform complex configuration changes to meet business and information security requirements
Serve as the technical escalation for results of preventative maintenance routines
Participate in metrics development, trend analysis, quality reviews, and program maturity initiatives to strengthen Elevance Health’s third-party cybersecurity risk management program.
Represents infrastructure security support in significant projects and performs the most complex operations and administration tasks
Respond to level 3 & 4 change and problem requests without supervision
Lead level 1 & 2 incident recoveries and root cause analysis.