Opportunity Details

Job Description:

The Senior Information Risk Analyst is an expert Information Security Generalist and Risk Management Professional, and a valued member of the Information Risk Management (IRM) team. They are broadly tasked with conducting objective, fact-based risk assessments of existing and new third parties, systems, technologies, and applications. They then analyze those findings using a risk-based framework and collaborate with stakeholders to develop a mitigation plan that meets established risk tolerance levels. The role interacts with stakeholders at all levels through data-driven, human-centered communication, drawing on excellent verbal, written, and presentation skills as well as reporting, analytics, and visualization capabilities that are targeted to the audience, facilitate broad comprehension, and advance the program's needs.

In addition, the Senior Information Risk Analyst role is essential in ensuring the proper risk management of all third parties, negotiating contractual security requirements, tracking risk findings, and periodically reassessing applications and data. This role is part of a highly collaborative team of experienced Information Security Risk Analysts who partner with key security risk stakeholders, including members of the Legal, Privacy, Audit, Information Security, Procurement, Vendor Management, and Account teams, to safeguard the confidentiality and integrity of information using a risk-based framework, without unduly impacting the business.

They are also expected to provide SME-level contributions to policies and procedures in their area of expertise, including managing updates to those policies and procedures, and to support the continued evolution of the Information Risk Management team by leading and managing internal tasks and initiatives as directed by their leadership. This role reports directly to the Senior Manager of GRC.

Required Capabilities:
• Function as a general Information Security SME with a specific focus on risk and risk management; be broadly knowledgeable in data security, network security, and architecture, and specifically knowledgeable in one or more of the following: governance, compliance, contractual and regulatory language, application security, data analytics and visualization.
• Be solutions-driven, using a broad understanding of Information Security principles, technologies, and processes to collaborate in developing and championing risk mitigation plans.
• Effectively, thoroughly, and within established SLAs, conduct application, process, third-party, and other risk assessments. Analyze and communicate those findings to stakeholders, then work collaboratively with those stakeholders to mitigate risks and facilitate risk-based senior leadership decisions.
• Review contractual security documentation to ensure incoming contracts require the appropriate technical controls and contain the appropriate administrative language so that data is protected in line with established risk tolerance levels. In coordination with the legal team, negotiate language and mitigating controls to reduce risk to acceptable levels.
• Develop and maintain strong interpersonal relationships that support cross-team collaboration and mitigation planning, and that give the team the foresight to ensure upcoming or not-yet-known business initiatives are properly risk managed.
• Participate and contribute SME-level expertise in cross-functional teams to develop risk, compliance, and information security policies, standards, and procedures.
• Given milestones and direction, be able to break a project down into tasks and manage those tasks to completion.
• As an Information Risk SME, serve as an advisor and consultant to business units and assist them with the planning, development, and coordination of risk mitigation initiatives related to business processes and systems.
• Function as a mentor to more junior members of the team, providing training and guidance on operational issues and risk management strategies.

• BA or BS degree in Information Security, IT, Business Management, Risk Management, related degree, or equivalent experience.
• 8+ years of IT, Information Security, or Risk Management experience, including 5+ years of strong Analyst or Project Management experience in the Information Security domain, with demonstrated competency executing an enterprise-wide risk management and security program.
• CISSP or CRISC strongly preferred.
• Experience achieving compliance with HIPAA, HITRUST, and other state and federal privacy regulations preferred.
• Audit or security management certification a plus (CISA, CISM, or equivalent).