
Information Security Risk Analyst

Highmark Health

Annapolis · On-site · Full-time · Mid Level · $79k – $127k/yr

About the role

Overview:

The Information Security Risk Analyst is essential to enhancing Highmark's information security framework by focusing on security governance, control assurance, and effective policy management. This role is pivotal in establishing and enforcing strong security measures, ensuring adherence to critical standards such as HIPAA, NIST CSF 2.0, PCI DSS, and SOC. Additionally, the analyst will support cybersecurity integration during mergers and acquisitions, guaranteeing smooth alignment of security protocols throughout both pre- and post-acquisition stages. This position involves deciphering complex regulatory requirements, collaborating with colleagues, and engaging with cross-functional teams to uphold governance excellence and aid in reporting.

Key Responsibilities:

  • Conduct Information Risk Assessments to evaluate security vulnerabilities, request and scrutinize pertinent documentation, and facilitate interviews to gather necessary information for thorough assessments.
  • Document and convey risk assessment findings succinctly to relevant stakeholders, including requestors, security architects, and management.
  • Develop accurate risk scoring based on threat scenarios, vulnerabilities, likelihood, impact, and existing security measures.
  • Contribute to the management of the risk register, tracking and scoring risks and their associated statements effectively.
  • Follow up on exceptions, risk acceptance processes, corrective action plans, and additional mitigation strategies.
  • Communicate risk treatment methodologies such as avoidance, acceptance, transference, and mitigation to relevant teams.
  • Collaborate on various projects to incorporate security architecture requirements, devise solutions, integrate security into designs, assess security gaps, and formulate remediation strategies.
  • Assist teams in formulating and maintaining procedural documentation that meets compliance standards like PCI-DSS, HITRUST, and ISO 27001.
  • Prepare and present security solutions to audiences at different managerial levels and with varying technical expertise.
  • Gradually assume leadership responsibilities in ensuring compliance with necessary standards, procedures, and guidelines.
  • Perform additional duties as required.

Educational Requirements:

Bachelor's Degree in Information Security, Information Systems, Information Assurance, Computer Science, or a related field.

Substitutions:

At least 7 years of relevant experience in Information Security, Governance, Risk, or Compliance.

Preferred Education:

Master's Degree in Computer Science, Information Security, or a related field.

Experience:

Minimum:

  • 3 - 5 years of experience in Information Security, Information Risk Management, or Information Technology.
  • 1 - 3 years in Governance, Risk, or Compliance roles.
  • 1 - 3 years presenting Information Security and Risk Management concepts effectively to diverse audiences.
  • Familiarity with security technologies such as intrusion prevention systems, firewalls, endpoint protection, DLP, and SIEM.

Preferred:

  • 5 - 7 years of experience in Information Security and Risk Management including:
    • Proven contributions to policy management, ensuring updates align with HIPAA and NIST standards.
    • Experience in control assurance and enhancing cybersecurity posture by addressing gaps.
    • Strong skills in interpreting and implementing security policies and regulations within complex environments.
    • Familiarity with governance tools like RSA Archer and related management systems.

Knowledge, Skills & Abilities:

  • Understanding of HITRUST CSF, NIST 800-83, PCI, HIPAA, HITECH, COBIT, ISO standards.
  • Knowledge of NIST Risk Assessment methodologies.
  • Awareness of secure SDLC best practices.
  • Familiarity with risk assessment methodologies such as OCTAVE.
  • Ability to function effectively in high-performance, interdisciplinary teams.
  • Excellent teamwork and interpersonal skills.

Licensure:

None required, but industry certifications such as Security+, GSEC, CySA+, or pursuits toward CISSP, CISM, CISA, or SANS certifications are preferred.

Travel Requirement:

0% - 25%

Working Conditions:

This position is office-based, requiring effective communication, data analysis, problem-solving, and multitasking in a fast-paced environment. Regular attendance and adherence to workplace policies are necessary. The employee may be called to work outside regular hours.

Additional Information:

The job description is designed to indicate the general nature and essential duties of this role. It may not contain every duty or qualification required. Compliance with ethical and legal standards is crucial, given the access to confidential information.

Pay Range:

$79,300.00 - $127,100.00, based on qualifications and experience.

Highmark Health promotes inclusivity and prohibits discrimination based on protected characteristics.

Skills

COBIT, CISSP, CISM, CISA, CySA+, DLP, Firewalls, GSEC, HIPAA, HITRUST, HITECH, Information Security, Information Technology, Information Risk Management, Intrusion Prevention Systems, ISO 27001, NIST, NIST 800-83, NIST CSF, OCTAVE, PCI, PCI DSS, Risk Management, RSA Archer, SANS, SDLC, SIEM, Security+, SOC
