This is a remote/work from home position. Hire must live within the continental US and be open to working eastern time zone hours.
Summary
The Cybersecurity Assurance Assessor proactively evaluates the system and network enterprise environments of the health system and uses technical knowledge and analytical skill to determine the optimum mix of technology, policy, procedures, and education to implement effective cybersecurity programs and strategies. The Assurance Assessor determines security controls, configurations, procedures, and policies based off industrial standards, best practices, federal, and state regulations, and contractual requirements. The Assurance Assessor establishes and manages program control processes, compliance assessments to determine deviations from acceptable configurations, policy, or standards, and provides expertise in compliance requirements for internal and external reviews of requirements. The Assurance Assessor conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls.
Essential Job Functions
Communicates and ensures programs are in compliance with applicable laws, regulations, policies, and standards
Serve as subject matter expert to internal business and technology teams on a range of compliance standards as influenced by regulatory mandates (HIPAA, FTC) and industry best practices (e.g. NIST CSF, HITRUST, ITIL, PCI, SOC2 Type2, etc.)
Actively participate and manage various assessments such as HITRUST, PCI Compliance, HIPAA Risk Assessment, SOC2 Type2, etc.
Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
Document best practices for security and information assurance based on business and user requirements
Perform security reviews, identify gaps in security architecture and develop a security risk management plan.
Perform risk analysis (i.e. threat, vulnerability and probability of occurrence) whenever an application or system undergoes a certification process.
Provide input into the Risk Management Framework process activities and related documentation
Participate in the Risk Governance process to provide input on security risks, mitigations and other technical risks.
Develop methods to monitor and measure risk, compliance, and assurance efforts
Perform internal control testing.
Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
Contribute to other Information Risk and Assurance programs and functions as needed.
Accountable for the reporting of key metrics as defined by the program in a timely manner.
All other duties as assigned.
This document is not an exhaustive list of all responsibilities, skills, duties, requirements, or working conditions associated with the job. Employees may be required to perform other job-related duties as required by their supervisor, subject to reasonable accommodation.
Employment Qualifications
Bachelor’s Degree (required)
Specialty/Major: Business, Computer Science, Information Systems or healthcare-related field
Licensing/Certification
HITRUST CCSFP and/or PCI-P (required)
PCI-ISA, CISSP, CRISC, CISM, GSLC or SANS GIAC certifications (preferred)
Certifications are also encouraged
Minimum Qualifications
5+ years’ relevant work experience in information security and/or services in a multi-facility organization.
2+ years’ experience as a Security Control Assessor
2+ years’ experience managing external assessments such as HITRUST, PCI Compliance, HIPAA Risk Assessment, SOC2 Type2.
1+ years’ experience with project management
1+ years’ working remotely
Combination of post-secondary education and experience in lieu of a degree.
Other Knowledge, Skills and Abilities
Exceptional organizational skills with ability to manage multiple priorities in a rapidly changing environment and maintain composure under pressure.
Ability to work independently or as part of a team.
Advanced knowledge of IT systems and processes and experience evaluating internal and external technical control systems.
Skilled at preparing and delivering briefings, presentations, and project plans.
Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
Advanced knowledge of cybersecurity and privacy principles used to manage risks related to the use, processing, storage and transmission of information or data.
Excellent knowledge of current data security best practices, including relevant information security legal requirements (HIPAA, OIG, Sarbanes-Oxley, GLBA).
Experience in clinical or health care operations.
Many of our opportunities reward* your hard work with:
Comprehensive, affordable medical, dental and vision plans
Prescription drug coverage
Flexible spending accounts
Life insurance w/AD&D
Employer contributions to retirement savings plan when eligible
Paid time off
Educational Assistance
And much more
*Benefits offerings vary according to employment status
All applicants will receive consideration for employment without regard to race, color, national origin, religion, sex, sexual orientation, gender identity, age, genetic information, or protected veteran status, and will not be discriminated against on the basis of disability. If you'd like to view a copy of the affirmative action plan or policy statement for Mercy Health – Youngstown, Ohio or Bon Secours – Franklin, Virginia; Petersburg, Virginia; and Emporia, Virginia, which are Affirmative Action and Equal Opportunity Employers, please email recruitment@mercy.com. If you are an individual with a disability and would like to request a reasonable accommodation as part of the employment selection process, please contact The Talent Acquisition Team at recruitment@mercy.com