Information Security Risk and Compliance Analyst III

Job Summary

The Information Security (InfoSec) Risk and Compliance Analyst III aligns with the privacy and compliance teams to develop, review, update, and disseminate the policies, standards, and processes required to maintain compliance throughout the organization. This position is responsible for maintaining and operating InfoSec's, risk, and compliance responsibilities. The InfoSec Analyst works closely with CDOC Analysts, LAC's Compliance department, and other IT teams to gather data and manage risk in the environment. Acts as a  Subject Matter Expert, serves as a resource and mentor for other staff. 

Duties

Performs security assessments, categorize and prioritize assessment findings, responds to audit requests, monitors for adherence to policies and procedures, and triages the InfoSec request queue.

Performs all regulatory assessments including HIPPA,  Security Controls Review and Accreditation.

Performs daily risk management activities including maintaining the Organizational Risk Register and documentation. 

Manages phishing campaigns, tabletop exercises, and conducts security awareness trainings. Cross trains with the CDOC Analysts.

Performs third-party risk assessments.

Executes procedures to assess and measure compliance with the organization's security policies and procedures. Partners with internal teams such as Compliance and Privacy to review all regulatory changes and works with the engineers to ensure their solutions are in compliance with regulatory requirements.

Documents, investigates, and reports security compliance issues.

Participates in the resolution of risk and compliance issues with appropriate stakeholders.

Collaborates with the Compliance department and the IT Risk and Audit team for assessments, audit requirements, and Corrective Action Plan (CAP) remediation's. 

Applies subject expertise in evaluating business operations and processes. Identifies areas where technical solutions would improve business performance. Consults across business operations, providing mentorship, and contributing specialized knowledge. Ensures that the facts and details are correct so that the project’s/program's deliverable  meets the needs of the department, and organization  policies, standards, and best practices. Provides training, recommends process improvements, and mentors junior level staff, department interns, etc. as needed.

Performs other duties as assigned.

Education Required

Education Preferred

Experience

Required:
At least 6 years of experience in information security or technology.

Operational experience assessing enterprise-wide GRC strategies and solutions.

Operational experience in a regulated environment (eg, classified networks, healthcare, finance, banking, etc.).

Preferred:
Experience with Vulnerability Management and/or Security Information and Event Management (SIEM) platforms.

Operational experience monitoring cloud computing (eg, AWS, Azure, etc.) and SaaS environments.

Skills

Required:
Strong knowledge of information security risk and compliance principles, practices, laws, and regulations in a healthcare environment.

Understanding of risk, and compliance activities and providing documentation for audit investigations.

Strong communication skills verbal and written.

Ability to collaborate with internal and external key stakeholders. 

Understanding of networking and communication protocols (such as TCP/IP, UDP, SSL/TLS, IPSEC, HTTP/S, etc.).

Understanding of Windows and Linux operating system fundamentals.

Licenses/Certifications Required

Licenses/Certifications Preferred

Required Training

Additional Information