Job Information
Guthrie Cybersecurity GRC Analyst - IT Security - Full Time in United States
Summary:
Operate a Cyber Governance, Risk & Control (GRC) program based on the HITRUST Common Security Framework (CSF) and NIST Cybersecurity Framework, SOC 2 reporting, HIPAA and cyber risk quantification.
This role will research, design, implement, measure and communicate information technology and information security control standards, policies, guidelines and procedures while providing industry best-practice consulting and expertise. The analyst will partner with key stakeholders as a cybersecurity subject matter expert on procurement, legal, audit and compliance initiatives, and will help develop and continuously improve the information security and risk management program.
Essential Functions:
Collaborate with IT, cybersecurity, audit, compliance, caregivers, third parties and other key stakeholders to identify, design, implement, measure and monitor IT controls that measurably reduce risks to patient care and of financial loss
Drive continuous improvement of the cybersecurity program by challenging its status quo and identifying the top cyber threats, risks and risk treatments, following industry best practices
Perform control assessments against the HITRUST Common Security Framework (CSF), the NIST Cybersecurity Framework and SOC 2 Type 2 controls; consult on control design and assess control operating effectiveness, ensuring controls deliver risk-reducing value for the investment
Maintain a control catalog and control performance metrics to measure control effectiveness and inform control investment decisions
Drive preparation for compliance audits and control evidence collection
Conduct IT risk assessments, an annual HIPAA security assessment and track control remediation
Conduct third-party IT risk management program activities by performing supplier security due diligence assessments and contract information security requirement reviews for new and existing suppliers
Produce and continually enhance IT standards, policies, guidelines and procedures
Coordinate and maintain a calendar of information security and risk management events, such as regular penetration tests, control assessments, contract reviews and audit activities
Promote a cybersecurity-aware culture: lead enterprise cybersecurity training and phishing simulation campaigns, keep training materials up to date and run occasional cybersecurity training sessions on select topics
Provide cybersecurity expertise/consulting to teams and management
Work independently, requiring guidance only in new or complex situations
Effectively communicate the “why” of the cyber security program to caregivers, management, cyber insurers, and other stakeholders
Lead root cause analysis of problems to prevent future incidents
Consistently produce measurable, quality results that reduce cyber risk
Respond to caregivers' requests in a timely and accurate manner
Write clear, concise, accurate and audience-centric reports, presentations and communications
Other Duties:
Participate in and maintain membership in cybersecurity and relevant healthcare industry information sharing organizations such as Health-ISAC, WiCyS, AEHIS/CHIME, etc.
Keep supervisor informed on areas of responsibility.
Perform other duties as assigned
Education, License & Certification:
Required:
Associate’s degree in Information Systems, Cybersecurity, Computer Science or related discipline
2+ years of IT, IT control assurance or cybersecurity GRC experience
One of CompTIA Security+, GIAC Information Security Fundamentals (GISF) or (ISC)² Certified in Cybersecurity (CC), plus Microsoft Certified: Security, Compliance, and Identity Fundamentals, required within 6 months of hire
Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK) or a similar cloud security certification within one year of hire
Preferred:
Bachelor’s degree in Information Systems, Cybersecurity, Computer Science or related discipline
Technical IT background
Experience reviewing cybersecurity contract language
GIAC Security Essentials (GSEC), GIAC Critical Controls Certification (GCCC), (ISC)² Certified in Governance, Risk and Compliance (CGRC), (ISC)² Certified Cloud Security Professional (CCSP), ISACA Certified in Risk and Information Systems Control (CRISC), Factor Analysis of Information Risk (FAIR) certification, Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK), or a similar industry or cloud security certification
Joining the Guthrie team allows you to become a part of a tradition of excellence in health care. In all areas and at all levels of Guthrie, you’ll find staff members who have committed themselves to serving the community.
The Guthrie Clinic is an Equal Opportunity Employer that welcomes and encourages diversity in the workplace.
The Guthrie Clinic is a non-profit, integrated, practicing physician-led organization in the Twin Tiers of New York and Pennsylvania. Our multi-specialty group practice of more than 500 physicians and 302 advanced practice providers offers 47 specialties through a regional office network providing primary and specialty care in 22 communities. Guthrie Medical Education Programs include General Surgery, Internal Medicine, Emergency Medicine, Family Medicine, Anesthesiology and Orthopedic Surgery Residency, as well as Cardiovascular, Gastroenterology and Pulmonary Critical Care Fellowship programs. Guthrie is also a clinical campus for the Geisinger Commonwealth School of Medicine.