Information Security Governance, Risk and Compliance Analyst
Menlo Park, CA | Direct Hire
Information Security Governance, Risk and Compliance Analyst
Industry: Health Care
Duration: Direct Hire (Full-time)
Location: Menlo Park, CA
The Information Security Governance, Risk and Compliance Analyst will support risk management, training and awareness and governance efforts to mitigate risks.
The analyst interacts with IT and business stakeholders to identify and mitigate risks to critical infrastructure conducting compliance assessments and applying effective mitigation strategies to ensure Information security controls are in place and being complied with. The analyst will be experienced in risk identification, tracking and mitigation.
The Information Security Governance, Risk and Compliance Analyst will support four primary sub-programs:
1. Information Security Risk Identification, Tracking and Mitigation
2. Management of Policies, Standards & Guidelines
3. Security Training and Awareness
4. Special Projects
- Provide support to the governance, risk and compliance management program to achieve certifications such as ISO 27001/27002, HITRUST, NIST and others as appropriate
- Participate in the risk assessment process, and track and report on gaps to closure and final resolution. Interface as the primary audit/assessment auditor
- Working in collaboration with the IT and business operations teams, provide oversight to risk mitigations
- Provide recurring risk reports to the CISO, Information Security Governance, Risk and Compliance Manager, Business Stakeholders and IT leadership teams as directed
- Responsible for developing, promulgating, and maintaining department cybersecurity policies and standards. Represents policy changes at OAT and the Change Management Committee (CMC).
- Participates in the Standards and Guidelines Infrastructure Review Committee (SGIRC)
- Promotes training, awareness and best practices within decentralized operations teams with regard to the processes and procedures needed to maintain a secure operating model.
- Conduct recurring IT compliance audit and testing (process and technical) engagements and track activities to completion. Maintain a history of testing and audit activity attestations for future reference
- Conduct self-assessments and coordinate third-party risk assessments of technology infrastructure and operational processes and controls for assigned areas
- Keep existing policies and procedures aligned with audit and security requirements
- Participate in planning, scheduling and preliminary analysis for all internal and external audit projects.
- Coordinate audit activities including notification and scheduling for all affected parties of audit timing, scope, objectives, approach and deliverables
- Establish agreement and support documentation efforts for process improvements related to security and compliance management
- 3+ years in IT Systems/Information Assurance experience.
- Demonstrated experience working with regulatory requirements and standards (PCI-DSS, SOC, ISO, BSI, GDPR etc.) and frameworks (ISO, NIST, OWASP, etc.).
- The ability to communicate complex security risks to non-technical staff
- Work with business owners on remediation plans that address identified gaps.
- Strong verbal and written communication skills and ability to influence others
- Demonstrated experience in identifying, assessing, and mitigating regulatory and compliance risk
- Strong project management skills with experience defining objectives, identifying resource needs, and ability to execute detailed plans towards goal completion.
- Technical understanding of cloud infrastructure, networking, access controls, and change management.
- Any combination of education and experience that would likely provide the required knowledge, skills and abilities as well as possession of any required licenses or certifications is qualifying.
- BA or BS in Computer Science, Management Information Systems, or related field, from an accredited college or university. CISSP, GIAC, or other security certifications preferred (willingness to obtain CISSP within first year is desirable).
- Experience in network security and systems certifications. CISSP and/or CISA certifications desired.