
Security Risk Analyst II

One Call - Tallahassee, FL

Job Description

The Security Risk Governance Analyst is a governance, risk and compliance (GRC) role that is responsible for executing processes to identify and measure security risks and for communicating whether the deployment of One Call's security controls meets defined risk tolerance, compliance, regulatory and customer requirements. This role will work with colleagues from across the enterprise in departments such as Information Technology, Security, Product, and other business units and shared service groups to ensure that risks are measured and defined within the context of the scope of business, and to ensure that deployed security programs meet One Call's customer, regulatory, and business requirements and support the confidentiality, integrity and availability of One Call information.

GENERAL DUTIES & RESPONSIBILITIES:
  • Monitors and tracks security controls, the risk assessment framework, and programs to ensure alignment to regulatory requirements.
  • Ensures documented and sustainable compliance that aligns with and advances business objectives.
  • Uses the applicable security framework to monitor and track the maturity of key operational processes and technologies and makes recommendations to improve the company's security risk and governance processes.
  • Assesses and tracks security risk and validates the effectiveness of related policies and controls.
  • Evaluates the tradeoffs and alternatives when policies or requirements cannot be met.
  • Leads or participates in third-party risk assessments and audits including HITRUST, SOC 1 Type II, SOC 2 Type II and HIPAA risk assessments, including providing evidence and mitigating issues.
  • Resolves risks in a timely fashion by escalating issues for required action as needed.
  • Works well with colleagues from Information Technology, Security Operations and other areas of the company to build support for the identification and resolution of security risks.
  • Performs security risk assessments based on regulatory, legal and customer obligations to help the organization identify, measure, monitor and mitigate security risk within One Call's risk tolerance.
  • Coordinates annual and periodic reviews and certifications of the security program such as HITRUST, SOC audits, HIPAA risk assessment and other assessments requested by management.
  • Leads the HITRUST program, ensuring changes to the audit are reviewed and planned for in advance. Responsible for ensuring that policies, procedures and evidence are updated and gathered at least annually for the third party, and for tracking and managing the remediation of any corrective action plans.
  • Evaluates potential risks and develops security standards, procedures, and controls to manage risks.
  • Continuously improves One Call's security positioning through engaging with other teams on remediations, process improvement, policy, automation, and the continuous evolution of capabilities.
  • Identifies and continuously monitors information security controls, exceptions, risks and testing.
  • Closely monitors unmitigated risks and provides meaningful reporting to management to help shape decision making and drive actions within reasonable time schedules by reporting metrics, dashboards, and evidence artifacts.
  • Coordinates annual and periodic reviews and certifications of the security program.
  • Schedules regular assessments and testing of the effectiveness and efficiency of controls and creates GRC reports.
  • Updates security controls and provides support to all stakeholders on security controls covering internal assessments, regulations, protection of Personally Identifying Information (PII) data and Personal Health Information (PHI), and all other regulatory or contractual security controls.
  • Performs and investigates internal and external information security risk and exception assessments.
  • Assesses incidents, vulnerability management, scans, patching status, secure baselines, penetration test results, phishing, and social engineering tests and attacks.
  • Documents and reports control failures and gaps to stakeholders.
  • Provides remediation guidance and prepares management reports to track remediation activities.
  • Assists other staff in the management and oversight of security program functions.
  • Trains, guides, and acts as a resource on security assessment functions for other departments.
  • Remains current on best practices and technological advancements and acts as One Call's technical resource for security assessment and regulatory compliance.
  • Produces security-centric reporting, metrics and tracking reports to show a consistent view of risks, progress on security-related projects and other shared priorities, to facilitate joint decision making by Information Security and IT.
  • Performs continuous improvement of existing security processes to drive alignment with business and IT changes and to ensure One Call policies and procedures are followed.
  • Assesses and provides oversight of the identity and access lifecycle, ensuring all security requirements are in place and that potential gaps are identified and remediated by working with stakeholders through process improvements and metric tracking.
  • Manages the enterprise-wide, role-based information security awareness and training program.
  • Defines, implements, and enforces the acceptable use policy and standard as well as all other security policies and standards.
  • Performs other related duties as assigned.

EDUCATIONAL AND EXPERIENCE REQUIREMENTS:
  • Bachelor's or Master's degree in Business, Computer Science, Information Systems, Information Security, Risk Management, Accounting, or the equivalent combination of education, training, or work experience.
  • Desired professional qualifications may include: Certification in Risk Management Assurance (CRMA), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Third Party Risk Management Professional (C3PRMP), Certified Information Systems Security Professional (CISSP).

GENERAL KNOWLEDGE, SKILLS & ABILITIES:
  • Willingness to continually advance Security Risk Governance and Information Security knowledge and abilities through engagement in both formal and informal educational opportunities.
  • Excellent written and verbal communication skills; ability to communicate complex issues in a language understood by colleagues from multiple disciplines (such as business, IT and security).
  • Strong customer service orientation.
  • Strong organizational and time management skills.
  • Strong collaborative and interpersonal aptitude.
  • Ability to understand and manage the implications and impacts of technical issues and processes in the context of information security and risk management.
  • Strong dispute resolution and mediation skills directed toward driving positive outcomes for involved parties.
  • High level of personal integrity and demonstrated willingness to call out and act on issues.
  • Experience in technical security architectures within a large enterprise environment is preferred.
  • Familiarity and experience working in multiple environments and with multiple security frameworks and processes is preferred.
  • Understanding of security frameworks and of the deployment and monitoring of control effectiveness.
  • Strong knowledge of IT, operational, security and legal risk concepts.
  • Experience with compliance and security audits and risk mitigation plans.
  • Understanding of various risk and security certifications and attestations (SOC 2, ISO 27001, etc.).
  • Familiarity with customer management, vendor management and governance concepts.
  • Experience developing and completing risk assessments.
  • Familiarity with local/regional/global industry and government regulations (for example: Sarbanes-Oxley Act, Payment Card Industry Security [PCI] Standards, Health Insurance Portability and Accountability Act [HIPAA]).
  • Industry certifications relating to security and risk management are desired (for example, CRMA, CISA, CISSP).
  • Stays current with advancements in technology and techniques to ensure that risk and security solutions are continuously improved, supported, and aligned with industry and company standards.
  • Knowledge of enterprise-level security systems and implementation procedures, corporate and government security regulations, security software products, domain structures, user authentication, user profiles, and digital signatures.
  • Understanding of cloud deployment models (Private Cloud, Public Cloud, Hybrid Cloud) and cloud service models (Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)), and of the implementation of relevant controls to ensure confidentiality, integrity and availability of data.
  • In-depth knowledge of the Health Insurance Portability and Accountability Act (HIPAA).
  • Knowledge of technical security controls and technologies (e.g. IDS, IPS, and traditional, NextGen and Web Application Firewalls).
  • Knowledge of software development lifecycles.
  • Familiarity with secure coding practices.
  • Knowledge of application and relational database security.
  • Ability to review and assess vulnerabilities.
  • Knowledge of Microsoft Azure architecture and services.
  • Ability to obtain federal government clearance for handling sensitive information if working with federal government contract clients.

PHYSICAL/EMOTIONAL DEMANDS & WORK ENVIRONMENT:
  • For roles located in office or home settings, this job is primarily sedentary and may involve repetitive motions. The employee is regularly required to sit, use hands and fingers, speak, and hear.
  • For roles located in the field, this job is primarily active; the employee is regularly mobile and must be able to utilize transportation (such as driving), sit, use hands and fingers, speak, and hear.
  • The employee is occasionally required to stand, walk, and lift objects (up to 10 lbs weight; up to 4 ft. height).
  • Specific vision abilities required by this job include the ability to see things from a close distance and the ability to adjust focus.
  • The work environment utilizes fluorescent lighting; the noise level is moderate.
  • The emotional demand of the job may cause undue stress from, but not limited to, moderate/heavy workload.
  • Reasonable accommodations will be individually assessed and possibly made to enable individuals with disabilities to perform the essential functions of the position.
  • Please be advised this job description is subject to change at any time.

ADDITIONAL LEVELS WITHIN JOB FAMILY (IF APPLICABLE)

SECURITY RISK GOVERNANCE ANALYST II
Intermediate professional role. Moderate skills with a high level of proficiency. Develops and implements solutions that require analysis and research. Works on small to large complex projects that require increased skill in multiple technical environments. Possesses specialist knowledge in a specific business area. Works on one or more projects as a team member or occasionally as a project lead. May coach more junior technical staff. Works under general supervision with wide latitude for independent judgment and decision-making. May consult with senior peers on certain projects. Typically requires 3 or more years of experience. Typically reports to a Security Risk Governance Manager.

Created: 2021-11-29