Sr. InfoSec GRC Analyst
As a Sr. IT Risk and Compliance Analyst, you will work as a member of the Information Security team at Health Catalyst and guide the organization towards continuous compliance with industry laws, regulations and frameworks. The IT Risk and Compliance Analyst facilitates the development and implementation of security, risk, and compliance best practices and is a key influencer in driving governance, risk and compliance (GRC). Chief among these duties is to develop, mature and maintain HIPAA compliance for Health Catalyst. The analyst will act as a subject matter expert for enterprise controls. The analyst must communicate effectively with end customers, business partners, team members and Leadership to help raise the culture of Compliance. As a key risk advisor, you will be addressing business issues and processes that impact both current and future system architectures that are in scope for HIPAA. We are searching for a candidate who knows both sides of the audit and assessment process; how to test controls and how to design them. The candidate will review the design of existing controls and offer ideas on improving and consolidating those controls, educating and informing others within the organization, and identifying opportunities for improvements in existing processes.
Required Proven Experience
- Practical working knowledge (7-10+ years) in three or more of the following governance, risk and compliance (GRC) frameworks: HIPAA, SOC2, ISO 27001, NIST 800-53, PCI DSS.
- 5+ years’ experience in Information Security.
- Background as Internal or 3rd Party Auditor.
- Proven ability in managing compliance project plans and requirements prioritization.
- Preferred experience with eGRC tools a must to drive standardization to third party assessments and efficiency in scaling to self-assessment questionnaires.
- General understanding of DevSecOps concepts (i.e. agile methodologies, CI/CD pipeline, configuration management tools, microservices, etc).
Required Functional Skills
- Excellent oral and written communication and presentation skills.
- Project Management experience; PMP or CAPM certification a plus.
- Highly collaborative as a team member.
- Extremely detailed oriented with excellent problem solving and critical thinking skills
- Dexterity to work with little supervision in a growing, fasted-paced environment
- Excellent time management skills to coordinate multiple tasks and meeting deadlines
Primary Duties & Responsibilities
- Drive Health Catalyst InfoSec GRC programs such as: Risk Management, Third Party/Vendor Management, Vulnerability/Threat Management, Compliance Management, RFP/SAQ Process Management and others.
- Review and make recommendations related to product and infrastructure security controls.
- Drive information security risk and process improvement across the organization by working with Engineering, Operations, Human Resources, IT, and Executive Management. Managing and coordinating plan of action and milestones (POA&M) to reduce residual risk identified through compliance audits, risk assessments or penetration tests.
- Contribute to the improvement and maintenance of information security policies, standards, and control procedures based on Information Security policies and procedures and industry best practices.
- Maintain, track and report risk across the enterprise related to our business operations.
- Facilitate and carry out HITRUST, SOC1/2, ISO 27001, GDPR compliance and certification audits engagements, data/artifact collection, exception remediation and monitoring.
- Help develop, maintain and deliver Security Awareness Training to over 1,000 team members and our affiliate partners worldwide.
- Partner with operations and sales team(s) to complete self-assessment questionnaires related to existing and prospect client vendor risk assessment on Health Catalyst leveraging desired experience with eGRC tools to optimize.
- Prioritizing, evaluating, resolving and escalating calls or tasks as required.
- Providing appropriately detailed and timely follow-up support with customers (internal and external)
Education & Relevant Experience
- Bachelor’s degree in Accounting, Business, Information Technology or Computer
- Science preferred; MS or MBA degree preferred.
- Minimum of 5 years of experience with Health Insurance Portability and Accountability Act (HIPAA) combined with experience from risk management, compliance, audit, information security or information technology.
- Experience supporting compliance in an IaaS and SaaS environment.
Poise and ability to act calmly and professionally in high-pressure, high-stress situations. - Experience in dealing with internal / external auditors and senior company management.
- Preferred security certification(s) from the following (or equivalent documented education and experience):
- Security: CISA, CRISC, CISM or CISSP