The Senior IT Governance, Risk, and Compliance (GRC) Analyst will be responsible for the corporate-wide IT GRC program. This person will work closely with Information Services, the Office of Compliance and Risk Management (OCRM), Legal, HR and Procurement to ensure that appropriate IT controls are in place to minimize risk and ensure compliance with AltaMed's Information Security Policy and Standards, the HIPAA Security Rule, data privacy regulations and the Payment Card Industry Data Security Standard (PCI DSS). This person will assist with the development, implementation and maintenance of AltaMed's Information Security Policies, Standards and Guidelines and will be the compliance SME for HIPAA, PCI and Privacy. This person will also be responsible for the vulnerability, vendor and risk management programs, including leading the risk-based change management program; will liaise with internal and external auditors to ensure audits lead to a successful outcome; and will own the Security Exception/Risk Acceptance process. The position will also manage, maintain and administer the Information Security Awareness Training program.
- Minimum Education Level: Bachelor's degree in Business, Information Systems Management or a related field.
- Minimum of 5 years of full-time work experience in IT audit or IT risk management, including experience leading security assessments, IT vendor risk assessments, and InfoSec control management.
- Working knowledge of HIPAA, Privacy and PCI data requirements and other state / federal regulatory requirements pertaining to sensitive information.
- Understanding of common Information Security and Information Technology frameworks and standards such as NIST, the ISO/IEC 27000 series, the CIS Critical Security Controls, and SSAE 18 SOC 2 Type II.
- Basic understanding of technical aspects of information security.
- Working knowledge of common IT technologies and processes.
- Thorough understanding of risk management principles and methodologies.
- Ability to transform abstract regulatory requirements into cohesive compliance actions.
- Good communication skills including ability to present technical subjects to non-technical audiences.
- Strong work ethic, attention to detail, and organizational skills.
- Ability to multi-task and manage priorities in a fast-paced environment.
- Ability to collaborate in a team setting and moderate conversations involving cross-functional groups.
- Proficient with the Microsoft office suite; presentation development skills.
- General knowledge of technologies and services commonly deployed within Information Security.
- Experience with application security, SaaS, and/or cloud security is a plus.
- CISSP, CISA, CISM or a similar risk management, audit, or security certification(s) is required.
- Contribute to the ongoing development and execution of the Information Security and IT GRC strategy and roadmap.
- Operate the IT and Vendor Risk Management programs and conduct assessments as required.
- Ensure the appropriate design and operating effectiveness of IT and Information Security controls by performing, or managing the performance of, periodic penetration testing, HIPAA/PCI DSS security assessments and IT risk assessments, and liaise with and support internal and external auditors.
- Coordinate written responses to inquiries from customers and prospects about IT and Information Security controls and regulatory compliance.
- Periodically review and update the AltaMed Information Security Policies, Standards and Guidelines, and other Information Security documents.
- Collect and maintain evidence of compliance with our Information Security Policies and regulatory requirements.
- Collaborate across the organization on documenting, implementing, monitoring and managing IT and Information Security controls.
- Promote security awareness and cultivate employees' adherence to information security best practices.
- Support business projects and perform other duties as assigned.