Information Security Analyst (Risk & Compliance)

Talent Space is looking for a fulltime Information Security Analyst (Risk & Compliance) for our Healthcare domain client.

This role provides oversight and coordination on relevant projects, and risk remediation activities. The Sr Analyst updates management on the results of risk assessments and make recommendations for mitigations, or projects, to protect systems or cover potential losses. The role provides process improvements to risk management quality using Metrics and Key Risk Indicators (KRIs) based on security events.

Responsibilities

• Implement and administer TrustCloud GRC and OneTrust Applications; implement other GRC tools.
• Conduct security risk assessments of IT systems, applications, and infrastructure to ensure compliance with security standards and regulations.
• Assess and manage third-party risks, including evaluation of AICPA Statement on Standards for Attestation Engagements 18 (SAE18) Statement of Controls (SOC) 1 and 2 Type I and II reports.
• Facilitate the risk management process, including identification, analysis, and remediation efforts.
• Identifies internal control standard methodologies and promotes their adoption across the enterprise.
• Guide and maintain IT risk and compliance policies and procedures to ensure regulatory compliance and adherence to best practices, aligned with NIST, ISO, HIPAA, PCI, and state privacy regulations.
• Provide executive level IT Risk reports to stakeholders and senior management; provide quantitative and qualitative estimates of risk for various business practices.
• Promptly raise awareness of any high level or substantial risk or assessment findings to appropriate party in alignment with policies and processes, including potential impact on company revenue, security compliance, customer asset loss, and any cross-functional impact.
• Monitor compliance with IT policies, procedures, and standards and implement corrective actions to address gaps or issues; partner with business units to ensure compliance considerations are incorporated into new project implementations.
• Manage small to moderately complex projects; track/monitor Security, Compliance, Risk Management and Service Improvement projects as part of the Information Security Management System program.
• Provide guidance on key performance indicators (KPIs) and operational metrics to measure overall maturity of Information Security Management Program, Enterprise Risk Management.
• Conducts internal audits, technology assessments, health checks, and gap analysis against regulatory standards and frameworks such as HIPAA, PCI-DSS, HITRUST, and California Consumer Privacy Act (CCPA).
• Establish formal Information Security Management Systems (ISMS) training program, management of assigned learning modules, ensuring training compliance and overall program maturity.
• Complete project documentation throughout project lifecycle and to obtain appropriate approvals at each project phase.
• Provide project reporting for various levels inclusive of metric oversight and analysis of project process.
• Other duties and responsibilities as assigned.

Required

• Bachelor's degree in Business, Information Technology or related field of study from an accredited college or university. In lieu of degree, 5 years of experience.
• 6 years of professional experience in Governance, Compliance, and Risk, including 3 years of project management or business analysis experience in business.
• Travel as needed to office locations and third-party on-site engagements.

Preferred

• Certified in Risk and Information Systems (CRISC), Certified Information System Auditor (CISA), Security , Certified Information Systems Security Professional (CISSP), Systems Security Certified Practitioner (SSCP), or Factor Analysis of Information Risk (FAIR).
• 2 years' experience working with Information Technology systems, including networks, servers, and/or storage devices.
• Ability to evaluate risk associated with AICPA Statement on Standards for Attestation Engagements 16 and 18 (SAE16/18) Statement of Controls (SOC) 1 and 2 Type I and II reports.
• Experience in dental, healthcare or retail industry.

Knowledge/Skills/Abilities

• Knowledge of the ISO 27001 framework with controls mapped to HIPPA, HITRUST; ability to implement the framework.
• Ability to manage HIPAA Security Risk Assessment process.
• Ability to manage the CCPA Data Subject Request Management process.
• Working understanding of Information Technology components including networks (wired/Wi-Fi), servers and virtualization, storage, and cloud services.
• Proficiency in Microsoft Office Suite: Word, Excel, Access, PowerPoint, Outlook, and Visio.
• Ability to operate with a personal scope of authority and collaborate to achieve objectives.
• Demonstrated excellent interpersonal, verbal, and written communication skills.
• Detail-oriented, organized, process-focused, problem resolution, proactive, ambitious, customer experience focused.
• Ability to respond to common inquiries from customers, staff, regulatory agencies, vendors, and other members of the business community.
• Self-motivated, reliable, work independently and as part of a team.
• Ability to multi-task effectively without compromising the work quality.
• Ability to draw conclusions and make independent decisions with limited information.