The Information Security Risk Analyst provides support to the Chief Information Security Officer (CISO) by safeguarding the organization's sensitive information through risk evaluation: performing risk assessments of the existing IT environment and of all proposed new hardware and software assets, cloud-based services, medical devices, Internet of Things (IoT) devices, and other IT assets as the entry gate of the Architecture Review Board (ARB) process. This role reviews vendor-provided documentation (i.e. architecture diagrams, data flow diagrams, test results, external third-party audit results, specifications, Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms, medical device Software Bill of Materials (SBOM) forms, etc.), independent external third-party risk information, and security questionnaires completed by vendors in order to determine organizational risk through thorough analysis of the implemented security controls and identification of any control gaps. Outputs of this analysis include IT implementation requirements, residual risk acceptance identification, and legal/contract requirements. The Analyst may also formally document an "Acceptance of Risk Form" for leadership sign-off. Periodic review audits of third-party vendor security controls are managed within this role. The Analyst clearly documents and communicates assessment results/recommendations to both non-technical and technical audiences. This role manages the annual review of all approved acceptance of risk forms. Risk assessments are conducted by the Risk Analyst on a regular basis in order to further understand the IT risk within the IT environment. Assessing risk includes having the Risk Analyst test security controls for effectiveness. The Analyst also regularly and fully documents and updates risks in the Enterprise Security Risk Register.
The Information Security Risk Analyst also safeguards organizationally sensitive information by leading and coordinating with stakeholders from different departments to ensure regular updates are made to the IT Disaster Recovery Plan, Business Impact Analysis (BIA), and Incident Response Plan (IRP) documents, which are a subset of the organization's Continuity of Operations Plan (COOP). The Risk Analyst also plays an important role within the department by assisting with security awareness efforts for review, counsel, education, and communication of Information Security policies, procedures, and standards to all Adena Health Caregivers. The Risk Analyst also provides support to the Data Loss Prevention (DLP) program.
Required Educational Degree: Bachelor's Degree Major/Area of Concentration: Computer Science or other technical discipline
Certified in Risk and Information Systems Control (CRISC); Certified Information Security Auditor (CISA); Security+; Project Management Professional (PMP); and/or Certified in Governance, Risk, and Compliance (CGRC)
Required Experience: 1-2 years of IT, Information Security, Information Security Risk Management, or IT Audit experience.
Preferred Experience: 3-5 years of IT, Information Security, Information Security Risk Management, or IT Audit experience.