The Senior Information Risk Analyst will provide critical project management skills to the Governance, Risk, and Compliance team and will be responsible for planning and overseeing roadmap initiatives to completion. This position requires strong interpersonal and communication skills, time management, and data analytics, in addition to the core responsibilities of the Information Risk Management team: ensuring that the security risk of every third party and application with access to our client’s data is managed. This is accomplished by performing risk assessments of third parties, negotiating contractual security requirements, tracking risk findings, and assessing the risk of our client’s applications and data.
Reporting to the Sr. Manager of Information Risk Management, this key role performs information security due diligence to ensure that application and third-party risk is identified and managed by our client. This role works as part of a highly collaborative team of experienced information security risk analysts who partner with key business stakeholders, Legal, Privacy, Audit, Information Security, and Vendor Management to safeguard the privacy of our confidential information. This is accomplished by performing information security risk assessments on third-party vendors and applications, and then working with business owners, project teams, and third parties to develop remediation plans that reduce risk and enable projects which benefit the business. The role also partners with Procurement through an integrated process to identify the risk of outsourced services and negotiate contractual security requirements with third parties.
• Utilizes expert-level knowledge of applicable state and federal security and privacy regulations and of security best practices to champion sound approaches across the business.
• Given a project and its goal, effectively works with teams across the company to determine a full roadmap, including milestones and tasks, resource requirements, and the documentation and execution strategy required to ensure project completion.
• Demonstrates strong interpersonal and communication skills, as needed to influence others, bring them along with the team, mitigate and mediate risk, and execute departmental priorities.
• Maintains strong working relationships with the Procurement, Audit and Compliance, Enterprise Risk Management, Enterprise Technology Architecture, Information Security, IT Strategy & Planning, and Quality Assurance teams, as well as business partners and project managers.
• Participates in cross-functional teams to develop security policies, standards, and procedures, and helps communicate them to the IT Division.
• Serve as advisor and consultant to business units in planning and coordinating systems security analysis, design, and implementation/enhancement projects to automate processing or improve business systems.
• Conducts application and third-party risk assessments. Communicates resulting risk findings to stakeholders. Works collaboratively with project stakeholders to mitigate risks and facilitate senior leadership risk decisions.
• Identifies gaps and weaknesses in administrative, technical, and physical controls and systems, and proposes mitigation efforts to address them.
• Provides expert-level recommendations for communicating security risk in conjunction with other GRC services, including policy exceptions, audit requests, and other business requests such as RFPs and RFIs.
• Functions as a mentor to more junior members of the team providing training and guidance on operational issues and risk management strategies.
• Review Security Exhibits to address security requirements during third party contract review. Negotiate language in the security exhibit that is acceptable and falls within the organization’s defined risk tolerance. Provide input as needed for change in approved templates.
• Collects, analyzes, and visualizes data to better understand potential risks and the outcomes of decisions, and communicates that information effectively.
• Translates results and evidence into strategy and goals; measures the effectiveness of those goals and how they are achieved.
• BA or BS degree in Systems, IT, Business Management, or related degree preferred, or equivalent experience.
• 6-10 years of experience. 5+ years of strong Analyst or Project Management experience in the Information Security domain, with demonstrated competency executing an enterprise security program.
• Experience achieving compliance with HIPAA and other state and federal privacy regulations preferred.
• Security or audit certification a plus (CISSP, CISM, CISA, or equivalent).