Blue Cross Blue Shield of Arizona
Phoenix, Arizona, United States
IT Governance Risk Compliance (GRC) Specialist - Hybrid
Job Description
Awarded a Healthiest Employer, Blue Cross Blue Shield of Arizona aims to fulfill its mission to inspire health and make it easy. AZ Blue offers a variety of health insurance products and services to meet the diverse needs of individuals, families, and small and large businesses as well as providing information and tools to help individuals make better health decisions.
The GRC specialist is responsible for the administration and development of the GRC platform, associated IT processes, and risk management. Creates, edits, and publishes corporate and desktop policies, procedures, and standards. Serves as IT internal and external audit liaison interface for regulatory issues, IT compliance, and governance. The GRC Specialist will perform analytics, manage remediation items, and report on overall progress and compliance health of projects that have been assigned. This position will be responsible for maintaining a continuous process improvement work environment while leveraging industry standards and best practices.
REQUIRED QUALIFICATIONS
Required Work Experience
Level 1:
2 years of experience in information technology or computer systems
1 year of experience in information security and/or compliance
Level 2:
4 years of experience in information technology or computer systems
2 years of experience in information security and/or compliance
1 year of experience in IT audit and/or risk management
Level 3:
6 years of experience in information technology or computer systems
4 years of experience in information security and/or compliance
2 years of experience in IT audit and/or risk management
1 year of experience in project or team leadership
Level 4:
8 years of experience in information technology or computer systems
6 years of experience in information security and/or compliance
4 years of experience in IT audit and/or risk management
2 years of experience in project or team leadership
Required Education
- Bachelor's Degree in computer science, information systems, business, or related field (All Levels)
Required Licenses
- N/A
Required Certifications
- Certified Information Systems Security Practitioner (CISSP), Certified Information Security Manager (CISM), Certified Information Security Auditor (CISA)
PREFERRED QUALIFICATIONS
Preferred Work Experience
Level 1:
2 years of experience in information technology or computer systems
2 years of experience in information security and/or compliance
Level 2:
6 years of experience in information technology or computer systems
3 years of experience in information security and/or compliance
2 years of experience in IT audit and/or risk management
Level 3:
8 years of experience in information technology or computer systems
6 years of experience in information security and/or compliance
4 years of experience in IT audit and/or risk management
2 years of experience in project or team leadership
Level 4:
10 years of experience in information technology or computer systems
8 years of experience in information security and/or compliance
6 years of experience in IT audit and/or risk management
4 years of experience in project or team leadership
Preferred Education
- Master's Degree in computer science, information systems, business, or related field (All Levels)
Preferred Licenses
- N/A
Preferred Certifications
- Certified Information Systems Security Practitioner (CISSP), Certified Information Security Manager (CISM), Certified Information Security Auditor (CISA), Certified Risk and Information Systems Control (CRISC), or any security related certification
Strategy, Policies, and Frameworks
- In-depth knowledge of information security management frameworks (NIST CSF, NIST 800-53, PCI-DSS, HITRUST, ISO), healthcare industry standards and regulations (HIPAA, CMS, URAC, AHCCCS, NCQA, State Privacy Law), and other legislative documentation requirements.
- Partners with leadership, management, and subject matter experts to develop appropriate internal controls in accordance with industry standards and best practices.
- Works with the GRC Manager and Chief Information Security Officer (CISO) to ensure policies and content are aligned with approved strategic plan.
- Develops and/or facilitates the development of new procedures and processes that support advancing technologies or capabilities.
- Develops and maintains the ongoing annual reviews of information security policies, standards, procedures, and processes.
- Identifies opportunities to improve procedures and processes that support a culture of information security compliance.
- Provide subject matter expertise to business and project teams to define information security governance and compliance policy and technical requirements.
- Evaluates high-level project information and components to forecast work effort required.
- Participates in large or complex technical projects, including disaster recovery exercises, scoping, and testing.
GRC Tools Support
- Administer GRC tools including uploading, updating, and managing content, and overall system management.
- Conduct GRC tool user training sessions, develop training materials, and provide ongoing support to end users to ensure efficient tool use.
- Assist with tool configuration and updates to align with organizational needs, participating in testing before production deployment.
Risk Management
- Performs risk and control effectiveness tests, risk analyses, and assessments.
- Collaborate with internal stakeholders to drive implementation of effective risk treatment plans for risks identified from external assessments, internal scans, and third parties.
- Analyze and prepare routine GRC metrics and effectiveness testing relating to ongoing measurement.
- Works with the GRC Manager and CISO to prepare executive- and board-level metrics and reporting.
Third-Party Cyber Risk Management
- Assist in enhancing third-party risk management activities through refined assessment methodologies, process innovation, and comprehensive vendor risk analysis.
- Perform vendor security and privacy risk assessments for third-party suppliers.
- Review and analyze the content of the security and privacy risk questionnaires of third-party suppliers.
- Monitor the ongoing security and privacy risk of third-party suppliers and prepare reports for management.
Training and Awareness
- Develop and maintain security awareness training for new hires and annual refreshers.
- Educate workforce on compliance and governance practices through individual training, Intranet articles, etc.
- Consults with workforce members on information security governance and compliance issues, documentation standardization, and other related concerns or questions.
Audit and Compliance Support
- Collaborate with internal and external auditors to facilitate security audits and assessments and control testing for in-scope applications.
- Support audit readiness by organizing and maintaining accurate and current data in GRC tools.
- Partner with legal and compliance teams to analyze new and upcoming industry regulations related to cybersecurity controls, risk management and reporting, and external reporting requirements for compliance.
ALL LEVELS
- Each progressive level includes the ability to perform the essential functions of any lower levels and mentor employees in those levels.
- The position requires a full-time work schedule. Full-time is defined as working at least 40 hours per week, plus any additional hours as requested or as needed to meet business requirements.
- Perform all other duties as assigned.
REQUIRED COMPETENCIES
Required Job Skills (Applies to All Levels)
- Proficient in spreadsheet, database and word processing software
- Strong knowledge of information security frameworks and standards, including NIST, HITRUST, ISO, PCI-DSS
- Extensive knowledge of data security and privacy laws and regulations, including HIPAA and other regulations related to data security and privacy.
- Experience with server and endpoint hardware components
- Experience with current cloud technologies
- Strong knowledge of Microsoft Visio, PowerPoint, Excel, and SharePoint
Required Professional Competencies (Applies to All Levels)
- Strong analytical skills and attention to detail
- Intermediate knowledge or power user of Microsoft Visio, PowerPoint, Excel, and SharePoint
- Effective interpersonal skills and ability to maintain positive working relationship with others
- Verbal and written communication skills and the ability to interact professionally with diverse groups, including executives, managers, and subject matter experts
- Ability to write and present business intelligence documentation
- Analytical knowledge necessary to generate reports and make decisions based on available data
- Ability to maintain confidentiality and privacy
Required Leadership Experience and Competencies
- Work experience with third-party consulting firms and/or Big 4 firms
- Facilitate and resolve customer requests and inquiries for all levels of management. (Applies to Levels 2 - 4)
- Build synergy with a diverse team in an ever-changing environment. (Applies to Levels 3 - 4)
PREFERRED COMPETENCIES
Preferred Job Skills (Applies to All Levels)
- Knowledge of current and upcoming governance, risk, and compliance technologies, platforms, and best practices
- Ability to use critical judgment to make decisions and solve problems involving various levels of complexity, ambiguity, and risk.
- Ability to prioritize tasks and work with multiple priorities, sometimes under limited time constraints.
Preferred Professional Competencies (Applies to All Levels)
- Minimum 6 years' experience within a GRC role working with information security frameworks and standards, including NIST, PCI-DSS, HITRUST, and ISO 27001.
- Minimum 6 years' experience working with all phases of the audit life cycle in an IT Auditor role or GRC Audit Liaison role.
Preferred Leadership Experience and Competencies (Applies to All Levels)
- Extensive experience and progressive responsibilities at third-party consulting firms and/or Big 4 advisory firms
- Ability to develop key working relationships to support the strategic direction, both internal and external to the department and company.
- Provide leadership, promote teamwork, meet objectives, and exercise independent judgment.
- Ability to prioritize tasks and work with multiple priorities, sometimes under limited time constraints.
Our Commitment
AZ Blue does not discriminate in hiring or employment on the basis of race, ethnicity, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, protected veteran status or any other protected group.
Thank you for your interest in Blue Cross Blue Shield of Arizona. For more information on our company, see azblue.com. If interested in this position, please apply.