Job Description

ConnectiveRX is seeking a Security Analyst - Governance, Risk and Compliance to join our team. The Security Analyst is responsible for managing client and vendor risk assessments and ensuring compliance with client contractual and regulatory/legal security requirements. You will be part of the Information Security organization and participate in all aspects of information security Governance, Risk and Compliance (GRC). This position guides adherence to all regulatory, legal, and contractual security requirements, validates the level of compliance, and evaluates information security risks across the entire company. The ability to make decisions, and to influence decisions, in the areas of risk management and compliance is key to the role.

The Security Analyst - Governance, Risk and Compliance will ensure that policy and compliance documentation, requirements and controls are identified, mapped, tracked, reviewed, and reported properly and on time, so that the organization can improve its security posture. The role aids compliance efforts related to various regulatory, legal, and security frameworks including SOC1, SOC2, ISO27001, PCI, HIPAA, and privacy laws such as CCPA, and ensures that documentation, data, assessment information, and GRC program information are kept up to date. In this role you will work closely with other members of the Security Team and IT Infrastructure Teams to manage and support security administration tasks and security projects.

Your Day to Day:
- Assist with increasing the maturity of the Information Security Risk Management program, strategy and process.
- Communicate policies, procedures, guidelines, and plans to internal partners regarding security and risk management.
- Provide security consulting services in identifying, assessing, managing, and tracking remediation of risks related to IT infrastructure, applications, platforms and suppliers, and drive explicit requirements and timelines in all environments.
- Perform third-party risk assessments and user access reviews as a check on critical system and data access.
- Assist in governance, including the ongoing maintenance, auditing, and process improvement of compliance programs including SOC1, SOC2, PCI, ISO27001, HIPAA, client contractual requirements and local privacy laws.
- Work with control owners on the remediation of deficiencies.
- Assist with mapping controls to policies, procedures, and processes, and with testing those controls to ensure adequate coverage.
- Research and develop policies, procedures and processes as the threat landscape and the organization change.
- Continue to build out and maintain current GRC tools and processes within information security to provide visibility and transparency related to risks, controls, assessments, and incidents.
- Develop strong relationships with external auditors and key stakeholders to ensure risk management oversight is understood, managed appropriately and kept current with all standards, guidelines, and regulations applicable to ConnectiveRx.

Essential Requirements
- 5+ years of progressive information security work experience
- 3+ years managing information security governance, risk, and compliance
- Prior experience with security policy, standards, and controls definition
- Experience using various risk analysis techniques and assessment frameworks
- Strong knowledge of current and emerging cyber security risks, and of innovative risk management methods and solutions
- Demonstrated knowledge of industry authoritative sources such as NIST, PCI, SOC2, ISO, CCPA and COBIT standards
- High-level understanding of cloud platforms (AWS)
- Ability to identify, monitor and remediate security compliance issues
- Ability to identify and define metrics to track program progress and maturity for various partners
- Ability to collaboratively develop a risk strategy in conjunction with stakeholders
- Strong analytical thinking, written and oral communication, and presentation skills
- Ability to influence others and work at all management levels across the organizational structure
- Skilled at planning, tracking plans, working cross-department to review risks, controls and processes, and gathering and organizing documentation and test results
- Experience working with GRC applications and toolsets
- Bachelor's degree in information technology or a security discipline (e.g. cybersecurity), or related work experience
- Industry-recognized security certifications strongly recommended (e.g. CISSP, CISA, CISM, CEH, etc.)

Desirable Requirements
- HIPAA and healthcare experience a plus
- Understanding of the SDLC process a plus
- System and networking experience a plus
- Broad understanding of security and privacy concepts
- Ability to understand contracts and technical documentation and assess them for consistency and alignment with the processes and controls outlined in requirements and audit materials
- Knowledge and understanding of IT processes (Change Management, Problem Management, Incident Management, Vulnerability Management)