Information Risk & Compliance Analyst III

Job Description:

NOTE: We currently have two openings for this role across the enterprise one with an affiliate company CDPHP (Capital District Physicians Health Plan) and one with Excellus BCBS/Univera Healthcare (depending on candidates geographic location).The selected candidate will be hired into one of the entities based on experience & business needs

Opening 1: Reporting to Jeff Ewing on the Cyber Security Office

Opening 2: Reporting to Scott Wiggins on the Third Party & Risk Platform Management Team

Summary:

The Information Risk & Compliance Analyst is responsible for delivering Enterprise-wide Information Risk & Compliance disciplines. The role is responsible for supporting all elements of the Information Risk and Compliance program including information security policies and procedures risk assessments training and awareness external/internal IT audit support management and facilitation of control issues to ensure remediation regulatory compliance management reporting and communication of risk. An Information Risk & Compliance Analyst contribute to the development maintenance and/or refinement of Cyber Risk policies and standards collaborate with others to create and manage security and related control documentation. The role will work with process owners and business partners to identify control gaps and appropriate remediation plans as well as monitor and report on progress of remediation efforts. This role will also drive quality review for all Cyber Risk & Information related audit artifacts.

This position collaborates with various throughout the business as well as maintains knowledge with best practices for managing cyber-risk and access controls in alignment with corporate policies standards guidelines and regulations.

Essential Accountabilities:

Level I

• Works with teams to continuously improve and update services to ensure they stay ahead of information security and compliance trends.
• Collaborates with external auditors or other inbound requests as needed.
• Performs and/or supports any aspect of Information Risk & Compliance activities (i.e. policy development security awareness 3rd party assessment internal control evaluations risk assessments issue management etc.).
• Contributes to cyber regulatory compliance at state and federal jurisdictions.
• Assists with issues relating to Information Risk including the development of procedures plans and security forms to aid the information security program as well as monitoring and response to unexpected information security control changes across the environment.
• Contributes input to the Organizations Cybersecurity program performance metrics.
• Creates and updates standard operating procedures for assigned security controls applications and platforms.
• Develops materials for Enterprise Security Awareness & training.
• Executes and supports Cybersecurity program initiatives such as maintaining processes and workflows such as access certification.
• Participates in various oversight Committee meetings generates agenda and meeting content.
• Plans and executes audits or control testing of technology platforms evaluates information systems internal controls and works collaboratively with management to identify and facilitate corrective actions.
• Provides monitoring guidance and direction on security controls policy and practices to key stakeholders.
• Responds to internal customer queries reports and/or requests relating to IT controls policies and standards.
• Performs review of change management deployments
• Defines and supports Service Level Agreements (SLA)s and Key Performance Indicators (KPIs).
• Consistently demonstrates high standards of integrity by supporting the Lifetime Healthcare Companies mission and values adhering to the Corporate Code of Conduct and leading to the Lifetime Way values and beliefs.
• Maintains high regard for member privacy in accordance with the corporate privacy policies and procedures.
• Regular and reliable attendance is expected and required.
• Performs other functions as assigned by management.

Level II (in addition to Level I Accountabilities)

• Acts as a change agent to educate the enterprise on Cyber Risk & Information Security Policies and Controls
• Independently manages intake activities recommends and executes on intake optimization already noted in level I.
• Pinpoint strengths and areas for improvement related to organizational security posture and risk management acceptance.
• Plans and executes complex audits of technology platforms evaluates information systems internal controls and works collaboratively with management to identify and facilitate corrective actions.
• Conducts complex data & cybersecurity risk assessments.
• Participates in various committees to establish oversight for cyber data and risk of the organization.
• Supports various risk assessments for information management controls.
• Mentors and trains Information Risk & Compliance Analyst level I

Level III (in addition to Level II Accountabilities)

• Performs as the Subject Matter Expert for majority Information Security Identity management technologies controls processes and practices internally to the Health Plan and externally in the industry.
• Assists stakeholders with complex security risk assessments.
• Mentors and trains Level II Analysts.
• Serves as the go-to person in the absence of the manager. Provide input to manager on team performance.

Minimum Qualifications:

NOTE: We include multiple levels of classification differentiated by demonstrated knowledge skills and the ability to manage increasingly independent and/or complex assignments broader responsibility additional decision making and in some cases becoming a resource to addition to using this differentiated approach to place new hires it also provides guideposts for employee development and promotional opportunities.

All Levels

• Three (3) years of information risk compliance or related experience.
• Associates degree in computer science Information Technology or relevant lieu of degree three (3) additional years of related experience required.
• Excellent communications skills with the ability to present clear and concise information to all levels and technical ability.
• Able to work both independently and as part of a team.
• Strong ability to articulate business risks relating to technical issues for both technical and non-technical audiences.
• Strong knowledge of IT and IS Oversight Risk and Compliance (GRC) best practices and regulatory/industry requirements.
• Intermediate knowledge required of various information security regulations frameworks and/or industry standards such as but not limited to: Regulation: HIPAA/HITECH GLBA/FFIEC Examination Handbook NAIC MAR/SOX NYS DFS Cybersecurity Regulations; Framework: COSO COBIT NIST Cybersecurity Framework (CSF); Industry Standard: PCI/DSS NIST SP 800-53/30 SSAE 18 ISO HITRUST
• Experience in the design and evaluation of internal controls or similar project controls.
• Experience in the creation review and lifecycle management of IT policies processes and procedures.
• Demonstrated skill in risk assessment both quantitative and qualitative.
• Familiarity with maturity models as aids to gap assessment and remediation planning.
• Strong critical thinking skills with ability to act independently and exercise good judgment as well as the ability to work cross-functionally and create virtual teams.
• Maintains current knowledge of the latest and newest Cyber Risk & Information Assurance technologies and identifies and researches for enhancement options and process improvements.
• One information security certification such as but not limited to: Security CISSP CISM CISA CDPSE CGEIT CDMP GSEC CRISC preferred.

Level II (in addition to Level I minimum qualifications)

• Minimum of six (6) years of experience and advanced knowledge of a minimum of three (3) concepts listed above (under Level I).
• Advanced negotiation and organizational skills with demonstrated ability to multi-task organize prioritize and meet deadlines.
• Advanced experience with security controls for operating systems applications and database management systems.
• Advanced knowledge required of various information security regulations frameworks and/or industry standards such as but not limited to: Regulation: HIPAA/HITECH GLBA/FFIEC Examination Handbook NAIC MAR/SOX NYS DFS Cybersecurity Regulations; Framework: COSO COBIT NIST Cybersecurity Framework (CSF); Industry Standard: PCI/DSS NIST SP 800-53/30 SSAE 18 ISO HITRUST
• Strong leadership or mentorship experience preferred.
• Ability to work and to motivate others to work under pressure and within tight timelines.
• Experience providing work direction for one or more individuals specific projects and initiatives.
• Knowledge of Security Frameworks and translating aspects into enhancing security postures.

Level III (in addition to Level II minimum qualifications)

• Ten (10) years of related work experience in IT security controls security technology cyber or data policy risk practices data governance or related field.
• Advanced knowledge of a minimum of five (5) concepts listed above (under Level I).
• Two or more certifications listed under level 1 preferred.
• Experience providing work direction for multiple staff for team specific projects and initiatives.
• Experience providing guidance and mentorship to more junior team members.
• Knowledge of Security Frameworks and translating aspects into enhancing security postures.

Physical Requirements:

• Ability to work prolonged periods sitting and/or standing at a workstation and working on a computer.
• Ability to travel across the Health Plan service region for meetings and/or trainings as needed.
• Ability to work in a home office for continuous periods of time for business continuity.

************

In support of the Americans with Disabilities Act this job description lists only those responsibilities and qualifications deemed essential to the position.

Equal Opportunity Employer

Compensation Range(s):

Level I (E4): Minimum: $65346 - Maximum: $117622

Level II (E6): Minimum: $79068 - Maximum: $142322

The salary range indicated in this posting represents the minimum and maximum of the salary range for this position. Actual salary will vary depending on factors including but not limited to budget available prior experience knowledge skill and education as they relate to the positions minimum qualifications in addition to internal equity. The posted salary range reflects just one component of our total rewards package. Other components of the total rewards package may include participation in group health and/or dental insurance retirement plan wellness program paid time away from work and paid holidays.

Please note: The opportunity for remote work may be possible for all jobs posted by the Univera Healthcare Talent Acquisition team. This decision is made on a case-by-case basis.

All qualified applicants will receive consideration for employment without regard to race color religion sex sexual orientation gender identity national origin disability or status as a protected veteran.