11 days ago

Information Risk & Compliance Analyst

Excellus BCBS

On Site
Full Time
$130,000
Latham, NY

Job Overview

Job Title: Information Risk & Compliance Analyst
Job Type: Full Time
Category: Commerce
Experience: 5 Years
Degree: Master
Offered Salary: $130,000
Location: Latham, NY

Job Description

Information Risk & Compliance Analyst

NOTE: We currently have two openings for this role across the enterprise: one with CDPHP, an affiliate of The Lifetime Healthcare Companies (parent company of Excellus BCBS & Univera Healthcare), and one directly with The Lifetime Healthcare Companies. The selected candidate will be hired into one of the two entities based on experience and business needs.

Opening 1: Reporting to Jeff Ewing on the Cyber Security Office

Opening 2: Reporting to Scott Wiggins on the Vendor Risk & Incident team

Summary

The Information Risk & Compliance Analyst is responsible for delivering Enterprise-wide Information Risk & Compliance disciplines. The role supports all elements of the Information Risk and Compliance program, including information security policies and procedures, risk assessments, training and awareness, external/internal IT audit support, management and facilitation of control issues to ensure remediation, regulatory compliance, management reporting, and communication of risk. An Information Risk & Compliance Analyst contributes to the development, maintenance, and/or refinement of Cyber Risk policies and standards, collaborating with others to create and manage security and related control documentation. The role works with process owners and business partners to identify control gaps and appropriate remediation plans, and monitors and reports on the progress of remediation efforts. This role also drives quality review for all Cyber Risk & Information related audit artifacts.

This position collaborates throughout the business and maintains knowledge of best practices for managing cyber-risk and access controls in alignment with corporate policies, standards, guidelines, and regulations.

Essential Accountabilities

Level I
  • Works with teams to continuously improve and update services to ensure they stay ahead of information security and compliance trends.
  • Collaborates with external auditors or other inbound requests as needed.
  • Performs and/or supports any aspect of Information Risk & Compliance activities (i.e., policy development, security awareness, 3rd party assessment, internal control evaluations, risk assessments, issue management, etc.).
  • Contributes to cyber regulatory compliance at state and federal jurisdictions.
  • Assists with issues relating to Information Risk, including the development of procedures, plans, and security forms to aid the information security program, as well as monitoring and response to unexpected information security control changes across the environment.
  • Contributes input to the Organization’s Cybersecurity program performance metrics.
  • Creates and updates standard operating procedures for assigned security controls, applications, and platforms.
  • Develops materials for Enterprise Security Awareness & training.
  • Executes and supports Cybersecurity program initiatives, such as maintaining processes and workflows like access certification.
  • Participates in various oversight Committee meetings, generates agenda and meeting content.
  • Plans and executes audits or control testing of technology platforms, evaluates information systems’ internal controls, and works collaboratively with management to identify and facilitate corrective actions.
  • Provides monitoring, guidance and direction on security controls, policy, and practices to key stakeholders.
  • Responds to internal customer queries, reports and/or requests relating to IT controls, policies, and standards.
  • Performs review of change management deployments.
  • Defines and supports Service Level Agreements (SLAs) and Key Performance Indicators (KPIs).
Level II (in addition to Level I Accountabilities)
  • Acts as a change agent to educate the enterprise on Cyber Risk & Information Security Policies and Controls.
  • Independently manages intake activities, recommends, and executes on intake optimization already noted in Level I.
  • Pinpoints strengths and areas for improvement related to organizational security posture and risk management acceptance.
  • Plans and executes complex audits of technology platforms, evaluates information systems’ internal controls, and works collaboratively with management to identify and facilitate corrective actions.
  • Conducts complex data & cybersecurity risk assessments.
  • Participates in various committees to establish oversight for cyber, data and risk of the organization.
  • Supports various risk assessments for information management controls.
  • Mentors and trains Information Risk & Compliance Analyst Level I.
Level III (in addition to Level II Accountabilities)
  • Performs as the Subject Matter Expert for the majority of Information Security and Identity Management technologies, controls, processes, and practices, both internally to the Health Plan and externally in the industry.
  • Assists stakeholders with complex security risk assessments.
  • Mentors and trains Level II Analysts.
  • Serves as the “go-to” person in the absence of the manager. Provides input to manager on team performance.

Minimum Qualifications

NOTE: We include multiple levels of classification differentiated by demonstrated knowledge, skills, and the ability to manage increasingly independent and/or complex assignments, broader responsibility, additional decision making, and in some cases, becoming a resource to others. In addition to using this differentiated approach to place new hires, it also provides guideposts for employee development and promotional opportunities.

All Levels
  • Three (3) years of information risk, compliance or related experience.
  • Associate's degree in computer science, Information Technology, or relevant field. In lieu of degree, three (3) additional years of related experience required.
  • Excellent communication skills with the ability to present clear and concise information to audiences of all levels and technical abilities.
  • Able to work both independently and as part of a team.
  • Strong ability to articulate business risks relating to technical issues for both technical and non-technical audiences.
  • Strong knowledge of IT and IS Governance, Risk and Compliance (GRC) best practices and regulatory/industry requirements.
  • Intermediate knowledge required of various information security regulations, frameworks, and/or industry standards such as but not limited to: Regulation: HIPAA/HITECH, GLBA/FFIEC Examination Handbook, NAIC MAR/SOX, NYS DFS Cybersecurity Regulations; Framework: COSO, COBIT, NIST Cybersecurity Framework (CSF); Industry Standard: PCI/DSS, NIST SP 800-53/30, SSAE 18, ISO, HITRUST.
  • Experience in the design and evaluation of internal controls or similar project controls.
  • Experience in the creation, review, and lifecycle management of IT policies, processes, and procedures.
  • Demonstrated skill in risk assessment, both quantitative and qualitative.
  • Familiarity with maturity models as aids to gap assessment and remediation planning.
  • Strong critical thinking skills with ability to act independently and exercise good judgment, as well as the ability to work cross-functionally and create virtual teams.
  • Maintains current knowledge of the latest Cyber Risk & Information Assurance technologies and identifies and researches enhancement options and process improvements.
  • One information security certification such as, but not limited to, Security+, CISSP, CISM, CISA, CDPSE, CGEIT, CDMP, GSEC, or CRISC preferred.
Level II (in Addition To Level I Minimum Qualifications)
  • Minimum of six (6) years of experience and advanced knowledge of a minimum of three (3) concepts listed above (under Level I).
  • Advanced negotiation and organizational skills with demonstrated ability to multi-task, organize, prioritize, and meet deadlines.
  • Advanced experience with security controls for operating systems, applications, and database management systems.
  • Advanced knowledge required of various information security regulations, frameworks, and/or industry standards such as but not limited to: Regulation: HIPAA/HITECH, GLBA/FFIEC Examination Handbook, NAIC MAR/SOX, NYS DFS Cybersecurity Regulations; Framework: COSO, COBIT, NIST Cybersecurity Framework (CSF); Industry Standard: PCI/DSS, NIST SP 800-53/30, SSAE 18, ISO, HITRUST.
  • Strong leadership or mentorship experience preferred.
  • Ability to work – and to motivate others to work – under pressure and within tight timelines.
  • Experience providing work direction to one or more individuals for specific projects and initiatives.
  • Knowledge of Security Frameworks and translating aspects into enhancing security postures.
Level III (in Addition To Level II Minimum Qualifications)
  • Ten (10) years of related work experience in IT security controls, security technology, cyber or data policy, risk practices, data governance or related field.
  • Advanced knowledge of a minimum of five (5) concepts listed above (under Level I).
  • Two or more certifications listed under Level I preferred.
  • Experience providing work direction for multiple staff for team specific projects and initiatives.
  • Experience providing guidance and mentorship to more junior team members.
  • Knowledge of Security Frameworks and translating aspects into enhancing security postures.

Physical Requirements

  • Ability to work prolonged periods sitting and/or standing at a workstation and working on a computer.
  • Ability to travel across the Health Plan service region for meetings and/or trainings as needed.
  • Ability to work in a home office for continuous periods of time for business continuity.

In support of the Americans with Disabilities Act, this job description lists only those responsibilities and qualifications deemed essential to the position.

Equal Opportunity Employer

Compensation Range

Level I (E4): Minimum: $65,346 - Maximum: $117,622

Level II (E6): Minimum: $79,068 - Maximum: $142,322

The salary range indicated in this posting represents the minimum and maximum of the salary range for this position. Actual salary will vary depending on factors including, but not limited to, budget available, prior experience, knowledge, skill and education as they relate to the position’s minimum qualifications, in addition to internal equity. The posted salary range reflects just one component of our total rewards package. Other components of the total rewards package may include participation in group health and/or dental insurance, retirement plan, wellness program, paid time away from work, and paid holidays.

Please note: There may be opportunity for remote work within all jobs posted by the Excellus Talent Acquisition team. This decision is made on a case-by-case basis.

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.

Key skills/competency

  • Information Security
  • Risk Management
  • Compliance
  • GRC (Governance, Risk, Compliance)
  • IT Audit
  • Regulatory Compliance
  • Policy Development
  • Cyber Risk
  • Internal Controls
  • Data Governance

Tags:

Information Risk & Compliance Analyst
Information security
Risk management
Compliance
IT audit
Regulatory compliance
GRC
Policy development
Internal controls
Security awareness
Data governance
HIPAA
NIST CSF
COBIT
ISO 27001
PCI DSS
GLBA
NYS DFS
SSAE 18
HITRUST

How to Get Hired at Excellus BCBS

  • Research Excellus BCBS's culture: Study their mission, values, recent news, and employee testimonials on LinkedIn and Glassdoor.
  • Tailor your resume effectively: Highlight specific experience in information risk, GRC frameworks, and regulatory compliance.
  • Showcase relevant certifications: Emphasize Security+, CISSP, CISM, or CISA to demonstrate expertise.
  • Prepare for technical discussions: Be ready to discuss IT controls, risk assessment methodologies, and security policy lifecycle.
  • Highlight collaboration and communication: Provide examples of working cross-functionally and articulating technical risks clearly.
