CVS Health

Information Security Risk Analyst

Posted 26 days ago

Job Description

The governance, risk management, and compliance (GRC) security team is responsible for supporting the security direction of the business and elevating the company's security posture. As a member of the GRC team, the Information Security Risk Analyst is expected to support a pivotal change in moving from a qualitative to a quantitative measure of risk, and to aid in that culture shift with knowledge of the FAIR taxonomy. Consequently, the position requires an understanding of legacy systems as well as of new technologies and requirements. The GRC security analyst is also responsible for the planning, design and maintenance of policies.

The ideal candidate is technical and possesses at least five years of experience in security, compliance or risk management, and holds FAIR certification. The role oversees the business security requirements and obligations mandated by standards and regulations such as the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS). In tandem with security leadership, the GRC security analyst consistently assesses and validates the assurance of the security program. As a primary point of contact for internal and external auditors, the GRC security analyst monitors progress and enforces resolution of outstanding issues that may lead to non-compliance or security threats to the business. As a key member of the security team, the GRC security analyst must focus on strong risk management and corporate resiliency, and not be driven solely by compliance.

As the Information System Risk Analyst, you will
* Conduct enterprise-wide, ongoing risk analysis in tandem with compliance and security.
* Maintain oversight in a GRC-related platform.
* Identify strengths and weaknesses in the security program as they relate to privacy, security, business resiliency and compliance frameworks.
* Document, formulate and enforce areas of security improvement that balance risk with business operations and do not diminish efficiencies or innovation.
* Maintain strong oversight of third parties, vendors and business partners to safeguard against undue risk presented by external entities. Escalate to security management and business unit leads when points of weakness are discovered.
* Analyze findings, and document, recommend and report program gaps to security leadership.
* Monitor current and proposed security changes impacting regulatory, privacy and security industry best practice guidance.
* Apply GRC expertise across key lines of business.

Required Qualifications
* 3+ years of relevant work experience in risk management or a related field.

Preferred Qualifications
* Knowledge of computer networking concepts and protocols, and network security methodologies.
* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
* Knowledge of cybersecurity and privacy principles used to manage risks related to the use, processing, storage and transmission of information or data (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
* Knowledge of Personally Identifiable Information (PII) and Personal Health Information (PHI) data security standards.
* Skill in conducting reviews of systems, assessing security systems designs and security controls based on cybersecurity principles and tenets (e.g. NIST SP 800-53, ISO 27001, etc.).
* Skill in performing impact / risk assessments (utilizing FAIR or other quantitative risk analysis methodologies).
* Skill to identify cybersecurity and privacy issues that stem from connections with internal and external customers and partner organizations.
* Skill and knowledge to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
* Knowledge of the FAIR taxonomy.
* 5+ years' experience in cybersecurity as a practitioner.
* FAIR certified.
* 2+ years' exposure to various security frameworks.

Bachelor's degree in computer science, information assurance, MIS or a related field, or 1 year of professional experience for every year of the degree not completed.

Business Overview
At CVS Health, we are joined in a common purpose: helping people on their path to better health. We are working to transform health care through innovations that make quality care more accessible, easier to use, less expensive and patient-focused. Working together and organizing around the individual, we are pioneering a new approach to total health that puts people at the heart.

We strive to promote and sustain a culture of diversity, inclusion and belonging every day. CVS Health is an equal opportunity and affirmative action employer. We do not discriminate in recruiting, hiring or promotion based on race, ethnicity, sex/gender, sexual orientation, gender identity or expression, age, disability or protected veteran status or on any other basis or characteristic prohibited by applicable federal, state, or local law. We proudly support and encourage people with military experience (active, veterans, reservists and National Guard) as well as military spouses to apply for CVS Health job opportunities.