Job Description

Group Manager - Information Security

23-06-2024 22:43:44

15 - 25 years

  • Pune, Maharashtra, India (PUN)

GRC Activities

● Performs policy reviews aligned to common cyber security frameworks.

● Identifies and evaluates complex business and technology risks, the internal controls that mitigate those risks, and related opportunities for internal control improvement relative to established policies, procedures, regulations and cyber security frameworks (HIPAA, HITRUST, NIST CSF, ISO 27001).

● Monitors and identifies the broader impact of current decisions related to policies, implemented controls and projected needs as the security environment changes over time.

● Executes regular/annual risk assessments (meaningful use, NIST CSF, HITRUST). Maintains an accurate record of the current state of the governance program.

● Responsible for the third-party risk management program. Should have experience in artifact verification and response preparation aligned to the HITRUST and NIST CSF frameworks.

● Executes third-party risk assessments and maintains a prioritized inventory of approved vendors with an associated recertification schedule.

● Experience facing external audits (ISO 27001, HIPAA, SOC, etc.).

● Handles incident response efforts: leads the investigation and mitigation of security incidents; coordinates with other teams to gather evidence and implement remediation measures; participates in post-incident reviews and lessons-learned exercises to identify root causes and implement preventive measures.

● As the Subject Matter Expert (SME) on cyber security, renders guidance on all security incidents and threats.

● Proactively mitigates cyber security risks and strengthens the attack detection and response processes.

● Facilitates training sessions and workshops to enhance the skills and knowledge of the GRC team.

● Fosters collaboration with other IT and security teams, such as network operations, incident response, and vulnerability management.

● Contributes to risk assessments and helps prioritize security initiatives based on the potential impact and likelihood of threats. Assists in developing strategies to mitigate risks and improve the overall security posture of the organization.

Awareness Activities

● Responsible for the enterprise information security training program, inclusive of end-user, executive and information security staff.

● Should have experience in conducting phishing campaigns.

Business Strategy/Personnel Management

● Envisions business outcomes and facilitates alignment with them.

● Aligns information security governance and awareness processes across the organization, and develops and documents standards for organizational use.

● Supports the CISO with managing Assurance and Governance activities.

● Strives to remove barriers and works across cross-functional teams to deliver a unified strategy across the business.

● Manages day-to-day tasks within the scope of the functions detailed in this job description (vendor, auditor, employee, reporting and other associated interactions).