Information Security Governance, Risk and Compliance Analyst - (1.0 FTE, Days)
This job posting is no longer active
1.0 FTE, 8 Hour Day Shifts
Lucile Packard Children’s Hospital Stanford is the heart and soul of Stanford Children’s Health. Nationally ranked and internationally recognized, our 311-bed hospital is devoted entirely to pediatrics and obstetrics. Our six centers of excellence provide comprehensive services and deep expertise in key obstetric and pediatric areas: brain & behavior, cancer, heart, pregnancy & newborn, pulmonary and transplant. We also provide an additional, wide range of services for babies, kids and pregnant moms.
Under the direction of the Information Security Governance, Risk and Compliance Manager, the Information Security Governance, Risk and Compliance Analyst will support risk management, training and awareness, and governance efforts to mitigate risks to Stanford Children’s Health and the Packard Children’s Health Alliance. The analyst will be part of a small dedicated team and is expected to be a hands-on team player.
The analyst interacts with IT and business stakeholders to identify and mitigate risks to critical infrastructure, conducting compliance assessments and applying effective mitigation strategies to ensure information security controls are in place and being complied with. The analyst will be experienced in risk identification, tracking and mitigation. They will be exceptionally imaginative, collaborative, and truly excited about managing risk and enabling Stanford Children’s Health to achieve our mission of providing Extraordinary Care, Continual Learning and Breakthrough Discoveries.
The Information Security Governance, Risk and Compliance Analyst will support four primary sub-programs: 1. Information Security Risk Identification, Tracking and Mitigation, 2. Management of Policies, Standards & Guidelines, 3. Security Training and Awareness and 4. Special Projects (as directed by the Information Security leadership team).
Provide support to the governance, risk and compliance management program to achieve certifications such as ISO 27001/27002, HITRUST, NIST and others as appropriate.
Participate in the risk assessment process, and track and report on gaps to closure and final resolution.
Interface as the primary audit/assessment auditor
Maintain and report out on the Stanford Children’s Health Information Security Risk Register
Working in collaboration with the IT and business operations teams, provide oversight to risk mitigations
Provide recurring risk reports to the CISO, Information Security Governance, Risk and Compliance Manager, Business Stakeholders and IT leadership teams as directed
Responsible for developing, promulgating, and maintaining department cybersecurity policies and standards. Represents policy changes at OAT and the Change Management Committee (CMC).
Participates in the Standards and Guidelines Infrastructure Review Committee (SGIRC)
Promotes training, awareness and best practices within de-centralized operations teams with regard to needed processes and procedures to maintain a secure operating model.
Conduct recurring IT compliance audit and testing (process and technical) engagements and track activities to completion. Maintain a history of testing and audit activity attestations for future reference.
Conduct self-assessments and coordinate third-party risk assessments of technology infrastructure and operational processes and controls for assigned areas.
Keep existing policies and procedures aligned with audit and security requirements
Participate in planning, scheduling and preliminary analysis for all internal and external audit projects.
Coordinate audit activities including notification and scheduling for all affected parties of audit timing, scope, objectives, approach and deliverables
Establish agreement and support documentation efforts for process improvements related to security and compliance management
Any combination of education and experience that would likely provide the required knowledge, skills and abilities as well as possession of any required licenses or certifications is qualifying.
Education: BA or BS in Computer Science, Management Information Systems, or related field, from an accredited college or university. CISSP, GIAC, or other security certifications preferred (willingness to obtain CISSP within first year is desirable).
Experience: 3+ years of IT Systems/Information Assurance experience.
Knowledge, Skills, and Abilities
Demonstrated experience working with regulatory requirements and standards (PCI-DSS, SOC, ISO, BSI, GDPR etc.) and frameworks (ISO, NIST, OWASP, etc.).
The ability to communicate complex security risks to non-technical staff
Work with business owners on remediation plans that address identified gaps.
Strong verbal and written communication skills and ability to influence others
Demonstrated experience in identifying, assessing, and mitigating regulatory and compliance risk.
Strong project management skills with experience defining objectives, identifying resource needs, and ability to execute detailed plans towards goal completion.
Ability to use independent judgment to make sound decisions and take action to solve problems.
Technical understanding of cloud infrastructure, networking, access controls, and change management.
Strong analytical and problem-solving skills are required.
Ability to plan, organize, prioritize, work independently and meet deadlines.
Ability to work in a collaborative, team environment.
Experience in network security and systems certifications. CISSP and/or CISA certifications desired.
Physical Requirements and Working Conditions
The Physical Requirements and Working Conditions in which the job is typically performed are available from the Occupational Health Department. Reasonable accommodations will be made to enable individuals with disabilities to perform the essential functions of the job.
Equal Opportunity Employer