Duties: As a member of the IT Security team, the Governance, Risk and Compliance (GRC) Engineer contributes to a comprehensive information security program. In accordance with industry frameworks (NIST, PCI and HIPAA) and business needs, and to ensure regulatory compliance and operational effectiveness, this position leads and collaborates in the development and operation of the IT GRC capability. It requires an experienced IT GRC professional who leads initiatives associated with tactical risk analysis of operational controls and their effectiveness; develops and applies risk assessment methodologies and processes and generates the resulting artifacts; works with control owners and internal service provider(s) to prioritize the validation of control compliance; and facilitates the identification and escalation of associated control gaps and their remediation.
1. Plans, implements and maintains the IT security risk management program capabilities and collaborates with Compliance and ERM.
2. Provides leadership and supervision over IT risk capabilities and compliance activities.
3. Assures assessment process effectiveness, measurement and optimization of IT general controls within a complex technical environment.
4. Assists in the creation and maintenance of security risk management standards, processes, procedures and other program documentation.
5. Develops and executes methods to identify and consider relevant internal and external data to enhance objective, data-driven risk models.
6. Prepares reports and presentations for diverse audiences with varying business perspectives on cyber security risks and ITGC effectiveness.
7. Supports and administers the implementation and utilization of new Governance, Risk & Compliance (GRC) tools.
8. Performs program management assessments and evaluations to determine compliance with PCI, HIPAA and IT general controls.
9. Maintains a strong understanding of security frameworks (NIST CSF & NIST SP 800-53) and how these frameworks apply to operational activities within the IT environment.
10. Monitors and analyzes security risks and metrics to identify themes, trends, correlations and variances.
11. Communicates risk intelligence in a manner that enables business decision-making.
12. Provides risk management subject matter expertise.
13. Provides leadership (no direct people management) to individual contributors building risk capabilities and builds program oversight.
14. Assists with the design and implementation of the IT Security Risk Registry.
15. Assists in the establishment of program plans, procedures, data categorizations, risk rank modeling and other factors to provide a holistic representation of IT security risks.
16. Develops, implements, maintains and oversees enforcement of policies, procedures and associated plans for system security administration and user system access, based on industry-standard best practices and internal business forces.
17. Assists in the development and execution of the formal control structure and of assessment and risk methodologies, processes and artifacts.
18. Assists in the development and maintenance of an enterprise security controls framework.
19. Processes, analyzes and tracks risk exception requests.
20. Periodically reviews security controls for effectiveness and design.
21. Maintains an awareness of proposed security standards and of state and federal legislation and regulations pertaining to information security.
22. Identifies IT Security requirement changes that will affect the organization's requirements, legal addendums and risk assessments, and recommends appropriate changes.
Skills:
- A minimum of 5 years of experience in a related field.
- 6 or more years of experience in a related field.
- In-depth knowledge of cybersecurity frameworks, including but not limited to NIST CSF, HITRUST CSF and ISO 27001.
- Experience leading risk assessment and remediation activities.
- Expert knowledge of information security risk management frameworks and compliance practices.
- Understanding of common healthcare security regulations (e.g. HIPAA, HITECH, Meaningful Use, PCI DSS, ISO 2700x, FDA, etc.).
- Familiarity with security auditing and risk assessment processes.
- Skill in documenting risk and compliance activities.
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate strategic information security topics, policies and standards, as well as risk-related concepts, to technical and nontechnical audiences at various hierarchical levels.
- Sound knowledge of business management practices.
- Knowledge of common security policy taxonomies and how they inform the creation of standards, procedures and guidelines.
- Experience responding to, analyzing and communicating information security audits.
- Understanding of general security concepts, including but not limited to cryptography, DLP, Security Operations Center, Security Managed Services, SIEM, FW, Audit, Cloud Security and Mobile Security.
- Self-starter who has the ability to work independently with minimal supervision.
- Maturity to accept direction; self-confidence to give direction.
- Experience in the implementation or usage of ServiceNow IRM / GRC.
- Certifications preferred: CISA, CRISC, CGEIT, CRMA, CISSP & PCI QSA.
- Knowledge of embedded operating systems design and implementation desired.
Education: A BA in Computer Science or a related field is required, or the equivalent acquired through a combination of education and experience.