Information Security Analyst Risk Assessment

Baystate Health System

Springfield, MA

5 - 7 years

Posted 195 days ago


Summary: The Information Security Analyst will focus on Risk Assessment.

This position reports to the Team Lead, Information Security Department and is responsible for working with other Baystate Health personnel and outside third parties to ensure the appropriate administrative, physical and technical information security safeguards are implemented across Baystate's environment. These safeguards strengthen our information system posture and better support Baystate’s Mission to improve the health of the people in our communities every day, as well as support continued progress toward Baystate’s Vision of becoming one of the leading health systems in the nation.

Under general guidance of the Team Lead, the incumbent will conduct information security assessments to ensure the proper implementation of security controls across the environment. This includes populating defined security/risk assessments, identifying gaps and compensating controls, identifying remediation plans, and publishing management reports of results. This position may also participate in incident response investigations, work with Baystate management and Human Resources to ensure appropriate and consistent corrective action, help identify opportunities for improvement, maintain policies and procedures that are designed to be operationally effective and efficient, maintain workforce training programs and awareness communications, and monitor compliance with policies, laws and regulations. The security analyst works with members of the IT division to select and deploy technical controls to meet specific security requirements, and defines processes and standards to ensure that security configurations are maintained.

The incumbent will have a working knowledge of security frameworks such as HIPAA, HITRUST, NIST, ISO or other industry standards that are relevant to Baystate Health.

What You Will Do: 

Work with various business units across the company to perform Meaningful Use Security Risk Assessments.

Conduct periodic evaluations of technical and non-technical security safeguards to demonstrate and document compliance with Baystate’s security policy and the requirements of the HIPAA Security Rule as required by HIPAA.

Perform information security risk assessments as part of the project lifecycle to ensure that new technology conforms to Baystate Health's security standards.

Perform risk assessments of Baystate Health information and technology systems by conducting accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Baystate's information and technology systems.

Work with security leadership and stakeholders to identify remediation strategies and plans to enforce security requirements and address risks identified in the risk assessment process.

Along with the Security Architect, advise during application development or acquisition projects to ensure that security controls are implemented as planned.

Work with other security department members and stakeholders in scoping, planning and conducting third-party penetration testing, code reviews, or security assessments during the information security risk assessment process.

Perform risk assessments of third-party technology systems by conducting accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Baystate's information and technology systems.

Produce information security risk assessment reports for Baystate Health leadership and other stakeholders that identify gaps with Baystate Health Information Security Policies & Standards and propose remediation plans.

Produce status reports of progress on remediation efforts for information security gaps identified during the risk assessment process. 

Assist with developing and publishing information security policies, procedures, standards and guidelines based on knowledge of best practices and compliance requirements along with processes that enable implementation.

Assist in conducting information system activity reviews: Monitor and test application and network activity for assurance that systems of controls are in place and effective, and for compliance with BH policies, state and federal regulations. Information system activity reviews should include, but are not limited to: failed logins by administrators and general users, file accesses, security incident tracking reports, unauthorized software, dormant accounts, abandoned sessions, password sharing, data leakage, unauthorized deletion of corporate data, adequacy of auto-logoff and anti-malware configuration, and misuse of administrator accounts, internet access, remote access, personal use of network storage, etc.

Assist in using Information Security department reporting tools in incident response investigations, monitoring security effectiveness, and analyzing the output to suggest security improvements.

Assist with developing security training, awareness reminders and related communications. 

Assist other department members in advising partner and IT division security administrators on normal and exception-based processing of security authorization requests.

Assist other security department members in defining security configuration and operations and standards for security systems and applications, including policy assessment and compliance tools, network security appliances and host-based security systems.

Assist other security department members in maintenance and support of ISO tools.

What You Will Need: 

Minimally Required Education: Associate's Degree

Preferred Education: Bachelor's Degree

Minimally Required Experience: 

Minimum five years in an IT Security role

Working knowledge of internal controls and IT Risk Assessment and Mitigation procedures.

Technical experience in security-related technologies such as Active Directory, encryption, remote access, anti-virus systems, etc.

Background sufficient to obtain working knowledge of:

Security reporting tools

HIPAA, Massachusetts 201 CMR 17.00, and ISO 27002:2005

Preferred Experience: Healthcare IT experience preferred

Skills / Competencies: 

Familiar with implementation of Application or Technical information systems

A basic knowledge of the 8 domains of the Common Body of Knowledge for information security:

1. Security & Risk Management

2. Asset Security

3. Security Engineering

4. Communications and Network Security

5. Identity and Access Management

6. Security Assessment and Testing

7. Security Operations

8. Software Development Security

Ability to work well in a team environment. Values information sharing, but recognizes situations requiring confidentiality.

Strong interpersonal, organizational, administrative, communication and presentation skills, both oral and written.

Effective analytical/troubleshooting skills and ability to multi-task.

Effective negotiation and conflict management skills.

Experience in dealing effectively with people at different levels.

Self-motivated and able to work with little or no guidance.

Job ID 80309