Job Information
Nuvance Health IT Gov Risk & Compliance Analyst II in Danbury, Connecticut
Description
Summary:
An IT Governance, Risk, & Compliance (GRC) individual contributor who serves as a resource performing activities for the IT Governance, Risk & Compliance team. This position will be responsible for oversight of 1-2 IT GRC key program initiatives (such as HITRUST, Third Party Risk Management, Business Continuity, IT Policies and Standards, Security Awareness, Vulnerability Management, etc.) and will be expected to have subject matter expertise in these areas. Works independently, requiring minimal direction, to deliver high-quality project work as assigned daily. Seeks out solutions and brings ideas forward. Develops high-quality problem resolution and escalation services. Delivers excellent customer service, assistance on projects, and appropriate escalation to senior staff.
Responsibilities:
Key GRC Team resource responsible for management and oversight of 1-2 IT GRC key program initiatives as well as a key contributor for the other program initiatives:
HITRUST Compliance: Manages the project that will ensure compliance with HITRUST by 2024. Implements appropriate levels of risk mitigation to ensure cybersecurity maturity levels meet HITRUST requirements for any domains that the GRC team owns.
Third Party Risk Management: Completes advanced security reviews for Third Parties, as well as quantitative and qualitative risk assessments and production of reports.
Technical Design Reviews: Evaluates systems and business process flows for compliance with security policies, standards, and regulations by applying risk analysis methodologies, making recommendations regarding alternate solutions, and implementing corrective action when necessary.
Audit and Regulatory Support: Provides oversight and management of audit finding remediation, including generating requirements for full remediation, providing feedback and suggestions on managerial responses to findings, tracking progress, and providing status and updates to the enterprise compliance team for reporting purposes.
Security Investigations: Participates in security investigations and compliance reviews as requested.
InfoSec Policies and Standards: Evaluates, develops, and implements Information Security Policies, Standards, and Procedures to support business needs and ensure ongoing regulatory compliance and security best practice.
GRC Project Management: Implements compliance-related projects, including updating project plans, management reporting, and adherence to established standards and guidelines.
Security Awareness: Manages the Corporate Cybersecurity Awareness program to propagate security awareness among employees, including the monthly phishing program.
IT Risk Management: Maintains the Risk inventory to track identified IT issues and risks, including risk acceptances or risk remediation plans that address each risk. Provides governance, oversight and reporting on issues and risks.
Business Continuity/Disaster Recovery: Develops, implements, maintains, and tests the Corporate Business Continuity program. Identifies, documents, and tests the business requirements for uptime against the infrastructure capabilities in order to implement appropriate recovery strategies and identify gaps/risks.
Vulnerability Management: Provides oversight to technical/security teams for vulnerability management monitoring and reporting.
InfoSec Data Analytics, Metrics, and Reporting: Collects, maintains, and analyzes information security and IT risk data. Builds reports and/or dashboards to provide security team and Nuvance Health Leadership with information to make data driven decisions.
Maintains and Models Nuvance Health Values.
Demonstrates regular, reliable, and predictable attendance.
Performs other duties as required.
Education/Skills/Experience
Bachelor's degree (BS) in MIS, IT, Information Security, Risk Management or related field, or equivalent experience, is required.
Minimum of 2-5 years recent experience in information security, IT risk, program or process management.
Demonstrated experience in computer security combined with risk analysis, audit, and compliance standards.
Strong process-oriented individual with experience in ITIL concepts, NIST, CIS CSC and/or HITRUST common security frameworks.
Experience with GRC framework and/or tools preferred.
Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Auditor (CISA) or other senior-level information security certification preferred. Project Management, Business Continuity/Disaster Recovery certifications a plus.
Other Information:
Ability to communicate clearly and concisely (both written and verbal, presentation and interpersonal skills) required.
Ability to establish credibility and working relationships with a wide range of corporate personnel, including operations, management, and legal staff.
Excellent conceptual, organizational, analytical, and problem-solving skills required.
Extremely self-motivated, directed and detail oriented.
Ability to set and manage priorities judiciously and accept responsibility willingly.
Be available on an on-call basis to respond to pending issues or problems arising during non-business hours and provide support and response.
Working Conditions:
Manual: Little or no manual skills/motor coordination & finger dexterity
Occupational: Little or no potential for occupational risk
Physical Effort: Sedentary/light effort. May exert up to 10 lbs. force
Physical Environment: Generally pleasant working conditions
Company: Nuvance Health
Org Unit: 1795
Department: Information Security
Exempt: Yes
Salary Range: $32.23 - $59.86 Hourly
We are an equal opportunity employer
Qualified applicants are considered for positions and are evaluated without regard to mental or physical disability, race, color, religion, gender, national origin, age, genetic information, military or veteran status, sexual orientation, marital status or any other classification protected under applicable Federal, State or Local law.
We will endeavor to make a reasonable accommodation to the known physical or mental limitations of a qualified applicant with a disability unless the accommodation would impose an undue hardship on the operation of our business. If you believe you require such assistance to complete this form or to participate in an interview, please contact Human Resources at 203-739-7330 (for reasonable accommodation requests only). Please provide all information requested to ensure that you are considered for current or future opportunities.