Information Security Governance, Risk and Compliance Analyst - (1.0 FTE, Days)

This job posting is no longer active

Category: Information Technology
Job Type: Full-Time
Shift: Days
Location:  Menlo Park CA 94025
Req: 7874
FTE: 1

Information Technology

1.0 FTE, 8 Hour Day Shifts

Lucile Packard Children’s Hospital Stanford is the heart and soul of Stanford Children’s Health. Nationally ranked and internationally recognized, our 311-bed hospital is devoted entirely to pediatrics and obstetrics. Our six centers of excellence provide comprehensive services and deep expertise in key obstetric and pediatric areas: brain & behavior, cancer, heart, pregnancy & newborn, pulmonary and transplant. We also provide an additional, wide range of services for babies, kids and pregnant moms.


Under the direction of the Information Security Governance, Risk and Compliance Manager, the Information Security Governance, Risk and Compliance Analyst will support risk management, training and awareness, and governance efforts to mitigate risks to Stanford Children’s Health and the Packard Children’s Health Alliance. The analyst will be part of a small, dedicated team and is expected to be a hands-on team player.


The analyst interacts with IT and business stakeholders to identify and mitigate risks to critical infrastructure, conducting compliance assessments and applying effective mitigation strategies to ensure that information security controls are in place and being complied with. The analyst will be experienced in risk identification, tracking and mitigation. They will be exceptionally imaginative, collaborative, and truly excited about managing risk and enabling Stanford Children’s Health to achieve our mission of providing Extraordinary Care, Continual Learning and Breakthrough Discoveries.




Essential Functions

The Information Security Governance, Risk and Compliance Analyst will support four primary sub-programs: 1. Information Security Risk Identification, Tracking and Mitigation; 2. Management of Policies, Standards & Guidelines; 3. Security Training and Awareness; and 4. Special Projects (as directed by the Information Security leadership team).

Risk Management

  • Provide support to the governance, risk and compliance management program to achieve certifications and attestations such as ISO 27001 (with ISO 27002 control guidance), HITRUST, NIST-based assessments and others as appropriate.

  • Participate in the risk assessment process, and track and report on gaps to closure and final resolution.

  • Serve as the primary point of contact for auditors and assessors during audit and assessment engagements.

  • Maintain and report on the Stanford Children’s Health Information Security Risk Register.

  • Working in collaboration with the IT and business operations teams, provide oversight of risk mitigations.

  • Provide recurring risk reports to the CISO, the Information Security Governance, Risk and Compliance Manager, business stakeholders and IT leadership teams as directed.



  • Develop, promulgate and maintain department cybersecurity policies and standards. Represent policy changes at OAT and the Change Management Committee (CMC).

  • Participate in the Standards and Guidelines Infrastructure Review Committee (SGIRC).

  • Promote training, awareness and best practices within decentralized operations teams regarding the processes and procedures needed to maintain a secure operating model.



  • Conduct recurring IT compliance audit and testing (process and technical) engagements and track activities to completion. Maintain a history of testing, audit activities and attestations for future reference.

  • Conduct self-assessments and coordinate third-party risk assessments of technology infrastructure and of operational processes and controls for assigned areas.

  • Keep existing policies and procedures aligned with audit and security requirements.

  • Participate in planning, scheduling and preliminary analysis for all internal and external audit projects.

  • Coordinate audit activities, including notifying and scheduling all affected parties regarding audit timing, scope, objectives, approach and deliverables.

  • Establish agreement on, and support documentation of, process improvements related to security and compliance management.


Minimum Qualifications

Any combination of education and experience that would likely provide the required knowledge, skills and abilities as well as possession of any required licenses or certifications is qualifying.

Education: BA or BS in Computer Science, Management Information Systems, or related field, from an accredited college or university. CISSP, GIAC, or other security certifications preferred (willingness to obtain CISSP within first year is desirable).

Experience: 3+ years of IT systems/information assurance experience.


Knowledge, Skills, and Abilities

  • Demonstrated experience working with regulatory requirements and standards (PCI DSS, SOC, ISO, BSI, GDPR, etc.) and frameworks (ISO, NIST, OWASP, etc.).

  • Ability to communicate complex security risks to non-technical staff.

  • Ability to work with business owners on remediation plans that address identified gaps.

  • Strong verbal and written communication skills and the ability to influence others.

  • Demonstrated experience in identifying, assessing and mitigating regulatory and compliance risk.

  • Strong project management skills, with experience defining objectives, identifying resource needs and executing detailed plans toward goal completion.

  • Ability to use independent judgment to make sound decisions and take action to solve problems.

  • Technical understanding of cloud infrastructure, networking, access controls, and change management.

  • Strong analytical and problem solving skills are required.

  • Ability to plan, organize, prioritize, work independently and meet deadlines.

  • Ability to work in a collaborative, team environment.




Preferred Qualifications:

Experience in network security and relevant systems certifications. CISSP and/or CISA certification desired.

Physical Requirements and Working Conditions

The Physical Requirements and Working Conditions in which the job is typically performed are available from the Occupational Health Department. Reasonable accommodations will be made to enable individuals with disabilities to perform the essential functions of the job.







Equal Opportunity Employer

Lucile Packard Children’s Hospital Stanford strongly values diversity and is committed to equal opportunity and non-discrimination in all of its policies and practices, including the area of employment. Accordingly, LPCH does not discriminate against any person on the basis of race, color, sex, sexual orientation or gender identity, religion, age, national or ethnic origin, political beliefs, marital status, medical condition, genetic information, veteran status, or disability, or the perception of any of the above. People of all genders, members of all racial and ethnic groups, people with disabilities, and veterans are encouraged to apply. Qualified applicants with criminal convictions will be considered after an individualized assessment of the conviction and the job requirements, and where applicable, in compliance with the San Francisco Fair Chance Ordinance.