Summary: Information Security Analyst
This position reports to the Chief Information Security Officer (CISO) and is responsible for assisting other security department personnel in maintaining administrative, physical and technical information security safeguards that strengthen our information system posture and better support Baystate's Mission to improve the health of the people in our communities every day, as well as supporting continued progress toward Baystate's Vision of becoming one of the leading health systems in the nation.
Under general guidance of the CISO, the incumbent will be responsible for using and maintaining information security tools that help secure our environment. This can include, but is not limited to, tools such as AV, anti-SPAM, DLP, vulnerability scanners, etc. The incumbent will also assist in incident response investigations, work with Baystate Health partners in the organization to ensure appropriate and consistent corrective action, help identify opportunities for improvement, maintain policies and procedures that are designed to be operationally effective and efficient, maintain workforce training programs and awareness communications, and monitor compliance to policies, laws and regulations. The security analyst works with members of the IT division to implement and maintain technical controls to meet specific security requirements, and helps define processes and standards to ensure that security configurations are maintained.
The incumbent will have a working knowledge of security frameworks such as HIPAA, HITRUST, NIST, ISO or other industry standards that are relevant to Baystate Health.
What You Will Do:
- Conduct information system activity reviews: Monitor and test application and network activity for assurance that systems of controls are in place and effective, and for compliance with BH policies and state and federal regulations. Information system activity reviews should include, but are not limited to: failed logins by administrators and general users, file accesses, security incident tracking reports, unauthorized software, dormant accounts, abandoned sessions, password sharing, data leakage, unauthorized deletion of corporate data, adequacy of auto-logoff and anti-malware configuration, and misuse of administrator accounts, internet access, remote access, personal use of network storage, etc.
- Use system reporting tools such as SIEM, file integrity monitoring tools, DLP, etc. to ensure a secure computing environment, and analyze the output to suggest security improvements.
- Assist in researching new threats and vulnerabilities and in identifying and implementing mitigating administrative, physical and technical safeguards.
- Assist with identifying, designing and implementing information security projects, provide subject matter expertise to other IT department teams and ensure that IT division project plans include appropriate security activities.
- Work with I&T colleagues and Baystate Health partners to ensure the computing environment is properly secured. This can include, but is not limited to, ensuring the proper use of information security tools, the proper review of information security controls, and the proper processing of information security activities.
- Assist with monitoring, assessing and suggesting enhancements to Baystate Health's business continuity and recovery programs.
- Assist with developing and publishing information security policies, procedures, standards and guidelines based on knowledge of best practices and compliance requirements along with processes that enable implementation.
- Assist in conducting investigations of suspected security and privacy incidents, whether internal or external to Baystate and whether intentional or unintentional, and organize, document and report investigation results within the organization. Coordinate investigations with clinical and administrative departments including Human Resources, client department management, Hospital Security, Corporate Compliance, Access and Guest Service Administration, and others as needed.
- Conduct periodic evaluations of technical and non-technical security safeguards to demonstrate and document compliance with Baystate's security policy and the requirements of the HIPAA Security Rule, as required by HIPAA.
- Assist other security department members working with security leadership to develop strategies and plans to enforce security requirements and address identified risks.
- Assist other security department members in advising on application development or acquisition projects to assess security requirements and controls and to ensure that security controls are implemented as planned.
- Assist other department members in advising partner and IT division security administrators on normal and exception-based processing of security authorization requests.
- Assist other security department members in planning and conducting penetration testing and vulnerability assessments.
- Assist other security department members in defining security configuration, operations and standards for security systems and applications, including policy assessment and compliance tools, network security appliances and host-based security systems.
Minimally Required Education: Associate's Degree
Preferred Education: Bachelor's Degree
Minimally Required Experience:
Minimum five years in an IT Security role
Working knowledge of internal controls and IT Risk Assessment and Mitigation procedures.
Technical experience in security-related technologies such as Active Directory, encryption, remote access, anti-virus systems, etc.
Background sufficient to obtain working knowledge of:
- Security reporting tools
- HIPAA, Massachusetts 201 CMR 17.00, and ISO 27002:2005
Skills / Competencies:
Familiar with implementation of Application or Technical information systems
A basic knowledge of the 10 domains of the Common Body of Knowledge for information security:
1. Access Controls
2. Telecommunications & Network Security
3. Information Security & Risk Management
4. Application Security
7. Operations Security
8. Business Continuity Planning
9. Regulations & Compliance
10. Physical & Environmental Security
Ability to work well in a team environment. Values information sharing, but recognizes situations requiring confidentiality.
Effective interpersonal, organizational, administrative, communication and presentation skills, both oral and written.
Effective analytical/troubleshooting skills and ability to multi-task.
Effective negotiation and conflict management skills.
Experience in dealing effectively with people at different levels.
Self-motivated and able to work with little or no guidance.
Certification: Certified Information Systems Security Professional (CISSP) is preferred.
Job ID 80308