Highmark Health IT Risk and Business Resiliency Lead in Boston, Massachusetts
Job Description:
This job serves a key role in implementing and administering IT Risk, Vendor Management and Business Continuity practices required to support Gateway Health Plan. Actively collaborates with lines of business and IT to document risk, manage the IT risk register, assist with development of corrective action plans, and provide oversight of issues requiring remediation. Works with lines of business to document issues that may impact business continuity and develop associated business resiliency plans that ensure required resiliency practices are in place to minimize operational downtime. Actively collaborates with IT to plan and execute disaster recovery exercises, document exercise results, and prioritize remediation of failures in disaster recovery exercises. Takes a lead role in assessing vendor risk and actively updates lines of business on issues related to third-party risk. Coordinates external assessments including but not limited to MAR, HITRUST, COBIT, NIST, CIS, and HIPAA regulatory and/or control frameworks.
Lead in conducting information risk assessments as assigned to the team. Request and analyze documentation necessary to perform appropriate assessment and conduct necessary interviews in order to collect and review relevant materials necessary to produce results of the assessment.
Clearly and concisely document and communicate risk assessment results with the requester, security architects and management, as appropriate. Conduct and formulate appropriate risk scoring as it relates to threat, vulnerability, likelihood, impact, security controls/countermeasures, etc. Understand and contribute to the inventory of risk register tracking, scoring and associated risk statements.
Perform follow-up activities related to exceptions, risk acceptance, corrective action plans and additional mitigation activities. Communicate risk treatment methodology (risk avoidance, risk acceptance, risk transference and risk mitigation) to appropriate groups.
Take a lead role in partnering with multiple projects and initiatives to apply security architecture requirements, develop architecture solutions, integrate security into solution designs, assess risks of security gaps, and develop architecture remediation. Prepare and present solution decks to different levels of management and varying technical experience.
Provide consultative support to leadership on Business Impact Analysis and recovery strategies; conduct operational risk assessments and develop gap closure strategies and provide appropriate feedback, including revisions and alternative approaches; and facilitate leadership meetings and report on the state of organizational readiness and other essential activities relevant to business continuity and disaster recovery efforts.
Administer business continuity and/or disaster recovery plan exercises including, but not limited to, designing the protocols, objectives, schedule, communications, facilitating resolution of technical and administrative issues, maintaining the necessary documentation, assessing the results including leading lessons learned/debrief discussions, developing action items to improve response capabilities, and preparing reports for executive management.
Provide advice and counsel to leadership during business disruption events. Coordinate response activities with tactical response teams and the enterprise incident management team. Facilitate lessons learned/debrief sessions and develop action items to improve capabilities.
Review SOC reports of third parties and ensure any associated risks are documented and communicated to management, enabling the appropriate risk response.
Other duties as assigned or requested.
- Bachelor's degree in Information Security, Information Systems, Information Assurance, Computer Science or a related field
- 6 years of relevant work experience in Information Science, IT Audit, Governance, Risk and/or Compliance
- Master's degree in Computer Science, Information Science or a related field
- 5 years of Information Security, Information Risk Management, Information Technology, Information Security Governance or Risk and/or Compliance, or
- 5 years in developing, communicating and presenting Information Security and Risk Management concepts to varying audiences
- 7 years in Information Security
- 7 years in Information Risk Management
- 7 years in Information Technology
- 5 years working within an information security function using the HITRUST Common Security Framework (HITRUST CSF) or the NIST 800-83 cyber security framework
- 5 years of supporting SSAE 16 or SOC 2 Security Trust Principle audits
- 5 years of IT/Information Security Risk Advisory
- 5 years of security industry organization participation/leadership (HITRUST, ISACA, InfraGard, ISC2, ISSA, etc.)
- 3 years of Governance, Risk and Compliance (GRC) tool experience, such as Archer
LICENSES or CERTIFICATIONS
One or more of the following:
- Certified Information Systems Security Professional (CISSP)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Business Continuity Professional (CBCP)
- Certified Third Party Risk Management Professional
- Knowledge of HITRUST CSF, NIST 800-83 cyber security framework, PCI, HIPAA, HITRUST, CIS, NIST, COBIT, ISO 27001/2, and ITIL 3
- Knowledge of NIST Risk Assessment methodology
- Familiarity with secure SDLC best practices
- Knowledge of Microsoft Apps and Suites, Windows Server, SharePoint, etc.
- Strong teamwork and interpersonal skills
0% - 25%
Disclaimer: The job description has been designed to indicate the general nature and essential duties and responsibilities of work performed by employees within this job title. It may not contain a comprehensive inventory of all duties, responsibilities, and qualifications required of employees to do this job.
Compliance Requirement: This job adheres to the ethical and legal standards and behavioral expectations as set forth in the code of business conduct and company policies.
Highmark Health and its affiliates prohibit discrimination against qualified individuals based on their status as protected veterans or individuals with disabilities, and prohibit discrimination against all individuals based on their race, color, religion, sex, national origin, sexual orientation/gender identity or any other category protected by applicable federal, state or local law. Highmark Health and its affiliates take affirmative action to employ and advance in employment individuals without regard to race, color, religion, sex, national origin, sexual orientation/gender identity, protected veteran status or disability.
Highmark Health and its affiliates prohibit discrimination against qualified individuals based on their status as protected veterans or individuals with disabilities, and prohibit discrimination against all individuals based on their race, color, age, religion, sex, national origin, sexual orientation/gender identity or any other category protected by applicable federal, state or local law. Highmark Health and its affiliates take affirmative action to employ and advance in employment individuals without regard to race, color, age, religion, sex, national origin, sexual orientation/gender identity, protected veteran status or disability.
EEO is The Law
Equal Opportunity Employer Minorities/Women/Protected Veterans/Disabled/Sexual Orientation/Gender Identity ( https://www.eeoc.gov/sites/default/files/migrated_files/employers/poster_screen_reader_optimized.pdf )
We endeavor to make this site accessible to any and all users. If you would like to contact us regarding the accessibility of our website or need assistance completing the application process, please use the contact below.
For accommodation requests, please contact HR Services Online at HRServices@highmarkhealth.org
Req ID: J206632