(GRC) Governance, Risk, & Compliance Analyst
Certilytics offers a suite of innovative analytic solutions including Big Data Services, Total Population Health Management, Financial Risk Intelligence and Customized Prediction Models. These solutions are configured upon our open source Hadoop Platform, with the underlying philosophy of providing analytics as a service and moving beyond predictions to deliver actionable intelligence.
Our team represents a dynamic infusion of multidiscipline which includes actuarial, data and behavioral scientists, IT engineers, software developers, nurse clinicians, as well as experts in public health and the health insurance industry. Certilytics has extensive experience working with a diverse set of customers including large self-insured employers, health plans, pharmacy benefit managers, government programs, care management companies and health systems. These relationships with various data providers and customers allows for rapid data ingestion, validation and enrichment as well as streamlined delivery of analytic dashboards, outputs and visualizations to our customers.
Our unique approach allows for the development of the most accurate financial, clinical and behavioral models in the industry.
The GRC Analyst is responsible for monitoring the identification of security requirements, the identification or development of business processes to support those requirements, development and coordination of creating information security documentation of those processes, and executing and coordinating internal and external information security audits to ascertain the level of compliance and any deficiencies in the program.
The Information Security Compliance Analyst also assists with other information security responsibilities as required.
- Coordinate and/or participate in responding to information security risk assessments, requests for proposal, audits, and examinations
- Perform operational and independent information security auditing and reviews
- Ensuring that submitted evidence for audits meets requirements and will satisfy audits performed by third party auditors
- Auditing requirements as an independent internal information security auditor as needed
- Validate security through management and coordination of internal and external audits
- Develop, operate, and maintain an internal continuous monitoring program that provides oversight of the security program on a regular basis
- Assess product compliance with compliance and make recommendations regarding external third parties, and new technologies
- Identify requirements from various sources including adopted security frameworks
- Perform process architecture to identify existing business process or creating new business process to support requirements
- Maintain, develop, and coordinate same for supporting policy and documentation of information security business processes and requirements
- Determine feasibility of meeting security requirements based on contracts or statements of work with external entities and identify deficiencies and methods to remediate
- Developing the maturity of existing requirements though measurement and management of their effectiveness
- Assist other information security personnel with their duties as required
- Identify information security gaps and identify potential solutions for resolution
- Perform risk management internally to the organization. Identify and prioritize risks, identifying options for remediation, assessing costs and levels of risk, and make recommendations to leadership regarding final risk mitigation plans.
- Host information security-based organizational meetings, such as daily change/problem management, and tactical information security management coordination meetings
- Remediation of control deficiencies where appropriate
- Identify out of parameter measures or metrics from audit and review results, taking remedial action and engaging appropriate stakeholders.
- Maintain currency of job knowledge and CISSP certification
- Generate ad hoc reports and queries in security tools as required
- Provide reporting on the state of the organizational security profile and activity
- Manage security-related projects including remediation of vulnerabilities, establishment of new processes, coordination of vendor activities and audits
- Mentor other staff as required
- Other duties as assigned.
- Bachelor’s degree in Computer Science, Information Security, or similar degree program, or equivalent work experience.
- At least five years’ experience as an information security professional or equivalent information security related field.
- Must possess broad general knowledge of information technology, including storage, networking, systems, databases, firewalls; with a preference for experience as one or more of the following: software developer, system or network engineer, database administration, or an equivalent technical role.
- Conceptional knowledge of and experience with monitoring and using a wide variety of security tools, including but not limited to host and network-based intrusion prevention/detection systems, firewalls, anti-malware, and content filtering, firewalls, vulnerability management, security information and event management; network detection and response, network and host-based data loss prevention, and asset management.
- Experience or excellent familiarity with HITRUST, NIST SP 800-171, GDPR, and HIPAA security/privacy frameworks/legislation is required. Experience with or knowledge of other security frameworks is desirable.
- Must possess excellent communication skills, particularly in writing, and with the ability to discuss or describe technical concepts with non-technical people.
- High proficiency MS Word, and proficiency with MS Office applications; such as PowerPoint, and Visio; and MS SharePoint.
- Jedi-like skill with Microsoft Excel.
- Project management skills.
Ability to work an on-call rotation, some after-hours, and weekends.
Special Qualifications: (Licenses, certifications, etc.)
Required: CISSP (or CISSP Associate of (ISC)2) certification required
- Cloud Computing Security Certifications (e.g., CCSP, CCSK, CompTIA Cloud+, CCA, CCP, AWS Certified Security – Specialty, etc.) highly desired.
- Other relevant Information Security certifications are desirable, including but not limited to: CISA, CISM, CRISC, SANS GIAC, SANS GSEC, and Security+.
Knowledge of or certification in ITIL desirable.
Information Security Requirements:
- Hold and maintain a CISSP (or Associate of (ISC)2) certification.
- Perform a minimum of 40 hours annual security training as planned with your supervisor.
- Abide by all security policies and practices defined by the organization.
- Abide by all applicable laws and regulations.
Upon hire and annually, acceptance of:
- Acceptable Use Agreement,
- Certilytics Statement of Confidentiality,
- Certilytics Confidentiality and Invention Assignment Agreement,
- These information security requirements.
- Security Awareness and Privacy,
- Code of Business Ethics,
- Conflict of Interest,
- Developer Security,
- Incident Response, and
- Other training as directed by your manager.
- Upon hire and annually, successful completion of training in:
- Serve as a technical responder of the Security Incident Response Team, and the Disaster Recovery Team
- Report any security incidents, breaches, violations, or non-compliance with security policy when identified or witnessed.
- Report any identified security risks or vulnerabilities.
- Cooperate with Company, local, state, or federal investigators in the event of a security incident and/or breach.
- Report any complaints concerning the information security policies and procedures or the organization's compliance with the policies and procedures program by submitting a Help Desk ticket or reporting to the Information Security team.
- Report any ideas for improvement of the organizational security program by submitting a Footprint ticket or by directly suggesting to the CISO.