IT GRC Analyst IV

at Nuvance Health

Danbury, CT 06810, USA

Start Date: Immediate
Expiry Date: 22 Jan, 2025
Salary: USD 92 Hourly
Posted On: 23 Oct, 2024
Experience: N/A
Skills: Good communication skills
Telecommute: No
Sponsor Visa: No

Description:

SUMMARY:

The IT GRC expert serves as a key resource performing activities for the IT Governance, Risk & Compliance team. This position will be responsible for management and oversight of 2-3 IT GRC key program initiatives (such as HITRUST, Third Party Risk Management, Business Continuity, IT Policies and Standards, Security Awareness, Vulnerability Management, etc.) and will be expected to have significant subject matter expertise in these areas. Works independently with minimal direction to deliver high-quality project work as assigned on a daily basis. Seeks out solutions and brings ideas forward. Project and work approach is team-centric, creative, analytical and flexible.

Responsibilities:

Key GRC Team resource responsible for management and oversight of 2-3 of the following IT GRC key program initiatives as well as a key contributor for the other program initiatives:
1. HITRUST Compliance: Manages projects that ensure compliance with HITRUST by 2024. Implements appropriate levels of risk mitigation to ensure cybersecurity maturity levels meet HITRUST requirements for any domains that the GRC team owns.
2. Third Party Risk Management: Completes advanced security reviews for Third Parties, as well as quantitative and qualitative risk assessments and production of reports.
3. Technical Design Reviews: Evaluates systems and business process flows for compliance with security policies, standards, and regulations; applies risk analysis methodologies; makes recommendations regarding alternate solutions; and implements corrective action when necessary.
4. Audit and Regulatory Support: Provides oversight and management of audit finding remediation, including generating requirements for full remediation, providing feedback and suggestions on managerial responses to findings, tracking progress, and providing status updates to the enterprise compliance team for reporting purposes.
5. Security Investigations: Participates in security investigations and compliance reviews as requested.
6. InfoSec Policies and Standards: Evaluates, develops, and implements Information Security Policies, Standards, and Procedures to support business needs and ensure ongoing regulatory compliance and security best practice.
7. GRC Project Management: Implements compliance-related projects, including updating project plans, management reporting, and adherence to established standards and guidelines.
8. Security Awareness: Manages the Corporate Cybersecurity Awareness program in order to propagate security awareness among employees, including a monthly phishing program.
9. IT Risk Management: Maintains Risk inventory to track identified IT issues and risks; including risk acceptances or risk remediation plans that address each risk. Provides governance, oversight and reporting on issues and risks.
10. Business Continuity / Disaster Recovery: Develops, implements, maintains, and tests the Corporate Business Continuity program. Identifies, documents, and tests the business requirements for uptime against the infrastructure capabilities in order to implement appropriate recovery strategies and identify gaps/risks.
11. Vulnerability Management: Provides oversight to technical/security teams for vulnerability management monitoring and reporting.
12. InfoSec Data Analytics, Metrics, and Reporting: Collects, maintains, and analyzes information security and IT risk data. Builds reports and/or dashboards to provide the security team and Nuvance Health Leadership with information to make data-driven decisions.
13. Maintains and Models Nuvance Health Values.
14. Demonstrates regular, reliable, and predictable attendance.
15. Performs other duties as required.


REQUIREMENT SUMMARY

Min: N/A
Max: 5.0 year(s)

Financial Services

IT Software - Network Administration / Security

Finance

Graduate

Proficient

1

Danbury, CT 06810, USA