What are the responsibilities and job description for the Information Security Auditor position at NBME?
POSITION OVERVIEW
The Information Security Auditor evaluates and reports on the security and effectiveness of IT systems and related controls in support of organizational information/data security, IT systems, and their components.
This role has been designated as primarily remote which means it generally does not require onsite work more than an average of 2-3 times per month and may require additional prescheduled onsite work. We're open to considering candidates in the following states: PA, NJ, DE, and MD.
Diversity, Equity, and Inclusion Statement
At NBME®, we continue to innovate and improve how we fulfill the evolving needs of the health care community. This commitment starts and ends with the people at NBME. By recruiting and empowering talented individuals from various disciplines and backgrounds, which includes professionals with diverse life experiences, abilities, and perspectives, NBME can take a well-informed, robust approach to advancing medical education and assessment for years to come. We also continue to focus on ensuring that our DEI work is impactful and ingrained in everything we do, including with our staff, workplace culture, products and services, the Philadelphia community and the broader medical education landscape.
RESPONSIBILITIES
- Plans and evaluates the IT controls supporting NBME business operations based on established policies and standards.
- Prepares audit plans including objectives, scope, and expected outcomes.
- Assesses the enterprise's ability to comply with security policies. Makes recommendations to help the system or process become compliant. Manages a registry of audit findings and corrective action plans.
- Assesses cloud security controls within NBME's Azure and AWS environments, as well as legacy systems.
- Collaboratively develops security policies, standards, guidelines, and procedures with data owners and service owners, as needed.
- Coordinates with security providers for Statements of Work (SOWs) for various types of independent penetration testing and assessments. Tracks findings and remediation.
- Responds to information security inquiries from NBME clients or prospects as part of the client's third-party risk management process.
- Completes cyber controls assessments for annual cyber insurance renewal.
- Leads third-party vendor risk management, reviewing the security posture of NBME's third-party vendors using a combination of vendor risk questionnaires, SOC2 Type2 reports, and/or audits. Identifies weaknesses/risks and corrective action plans. Coordinates with external security providers and/or performs third-party audits for a handful of business-critical providers who store, process, and/or transmit highly confidential information on behalf of NBME.
- Leads the adoption of the ISO 27001 security framework, assessing gaps and preparing for a potential certification audit.
- Stays abreast of changes in regulatory requirements specific to state and country data privacy laws, GDPR, and security control frameworks such as NIST, ISO 27001/02 and/or SOC2 Type 2.
QUALIFICATIONS
Skills and Abilities
- The Information Security Auditor must be experienced with planning the objectives, scope, and expected outcomes of various evidence-based audits focused on general IT security controls.
- Ability to perform audits of corporate networks and computing resources, internal procedures, and cloud security for compliance with best practices.
- Ability to analyze data and create outputs that summarize NBME's cybersecurity posture.
- Ability to develop audit findings supported by evidentiary data that are technically sound and reasonable.
- Specialized knowledge of information system controls, information technology concepts, policies, procedures, and tools necessary to audit complex interconnected information systems.
Experience
- 5 or more years conducting IT security audits, including development of an internal audit program.
- Experience with security frameworks such as ISO 27001 and NIST CSF, security standards such as NIST 800-53 and ISO 27001, and security and privacy regulations related to not-for-profits.
Education
- Bachelor's degree
Certifications
- CISA
About NBME:
NBME offers a versatile selection of high-quality assessments and educational services for students, professionals, educators, regulators and institutions dedicated to the evolving needs of medical education and health care. To ensure our assessments meet the highest standards of quality, stay relevant and align to the current curriculum in medical schools and training programs, we rely on a wide network of collaborators. These include the volunteers who help develop our exam questions, the committees and panels who represent various groups within the medical education community, external researchers and health profession organizations.
We are committed to meeting the needs of educators and learners globally with assessment products and expert services such as NBME® Subject Examinations, Customized Assessment Services, Self-Assessments, the International Foundations of Medicine® Program and Item Writing Workshops. Together with the Federation of State Medical Boards, NBME develops and manages the United States Medical Licensing Examination®, which measures the ability to apply knowledge and skills that form the basis of safe and effective patient care. Our Competency-based Assessment unit is focused on new methods as well as the optimization of assessment in the workplace and education.
As a result of leadership in ongoing research, innovative measurement practices and the exploration of forward-thinking assessment modalities and improvements, NBME advances assessment science. Our grant and funding opportunities further support this dedication to medical education and assessment science. We help develop the next generation of assessment professionals through our Summer Psychometric Internship Program. Through the Stemmler Fund, Strategic Educators Enhancement Fund and Latin America Grants Program, researchers and educators can continue to improve the assessment of health care professionals around the world.
NBME views diversity, equity and inclusion (DEI) as foundational and enduring to our strategy and vision. We continue to focus on ensuring that our DEI work is impactful and ingrained in everything we do, including with our staff, culture, products and services, the Philadelphia community and the broader medical education landscape. Our commitment manifests in our hiring and staff development, recruitment for committees, grants programs, design and review of our assessments, and involvement in our local and national communities.
Learn more about NBME at NBME.org.
The NBME offers competitive salaries, excellent benefits, and a rewarding work environment. Excellent Benefits include: Healthcare, Dental, Prescription, and Vision plans; 401(k) w/match, Tuition Reimbursement Plan, Commuter Benefit: Public Transit or Parking options. Remote Friendly Workplace.
NBME is an equal opportunity employer as defined by the EEOC.