Senior Analyst, Risk & Security - FedRAMP


Senior Analyst, Risk & Security - FedRAMP

Press Ganey

Location: Chicago,IL, USA

Date: 2025-01-03T03:22:57Z

Job Description:

The Security Analyst, Risk and Security is an individual contributor in Press Ganey's Information Security team and is responsible for reviewing and auditing controls that manage information risk and security. The duties of each member of the security team can fluctuate based on needs and risks, but this analyst will be primarily responsible for ensuring that the organization's security practices remain in compliance with all internal policies, pertinent laws and regulations, and client commitments. While this is not a primarily technical role, the analyst is expected to understand information security practices and technologies from an audit and compliance perspective.

All analysts in the Risk and Security team are expected to design, implement, govern, and evaluate security policies, technologies, solutions, and processes to secure corporate applications, data, computers, and networks. As a contributor to the team, this analyst will be expected to stay informed of information security practices, changes to the company environment and act as a trusted subject matter expert for the team.

The Security Analyst, Risk and Security is responsible for:

  • Managing, triaging, and responding to third party auditor requests for artifacts related to the organization's Information Security Management Program
  • Requesting, submitting and filing artifacts related to the completion of third party audits
  • The primary focus of this role is the project management and maintenance of FedRAMP authorization, along with support work related to other audit frameworks in use at PG Forsta, including HITRUST CSF, SOC 2, ISO 27001, and TX-RAMP authorization

    The security team at Press Ganey has created a culture of growth and gratitude. Press Ganey has acquired more than 20 companies in the past 10 years, so the right candidate will be prepared to deal with a rapidly changing environment. For this role, we're focused on finding someone with a passion for security and a background in FedRAMP authorization program maintenance, in conjunction with other audit and governance practices. This job will involve meeting with all levels of the organization to measure compliance with security policies and working with a team of skilled security analysts.

    This position will have no direct reports. This is a remote work position that will require occasional travel (1-2 times per year). In addition, working hours may vary and limited on-call time may be required.

    Duties and Responsibilities

    Audit and Internal Controls Monitoring

    • Work with external auditors.
    • Review technical systems controls, report on security weaknesses, and communicate significant control and compliance risk to management.
    • Identify opportunities for improvement in evidence collection by consolidating audit requirements, identifying areas that would support automating evidence collection, and supporting an ongoing audit-friendly culture.

    Policy and Governance

    • Monitor and audit people, process, and technology to ensure compliance with approved policies.
    • Complete tasks associated with internal controls monitoring and report on collection difficulties or failures from responsible teams.
    • Assist with the documentation of risk and security related areas of responsibility to include policies, procedures, tests, and product documentation.

    Data Protection and Risk Management

    • Work with Legal, Technology, and business partners to maintain controls that protect data and appropriately manage its lifecycle.
    • Identify, assess, and communicate risks relating to PG Forsta data, systems, and personnel.
    • Suggest changes that can reduce risk.
    • Contribute to risk assessments and the execution of tests of data processing systems to ensure functioning of data processing activities and security measures.

    Qualifications

    Education/training: Bachelor's degree or equivalent experience.

    • Ability to manage multiple issues at one time with exceptional follow through.
    • Excellent customer service, communication, interpersonal and presentation skills.
    • Demonstrated analytical and problem-solving skills.
    • ITIL Foundation certification preferred.
    • Certification in information security management or networking preferred (e.g., CISA, CISSP, CISM, CRISC).
    • Familiarity with security and risk domains, including standards and practices; organization and management; processes; integrity, confidentiality and availability; and software development, acquisition and maintenance.
    • Intermediate understanding of system security boundaries, data element classification and the concept of shared or inherited responsibility models.
    • Basic understanding of computer science fundamentals: algorithms, data structures, databases, operating systems, networks, and tool development (not production software, but tools that help you get work done).
    • Basic understanding of IT operations: Help desk, networks, endpoint management and server management.
    • Basic understanding of adversary motivations: cyber-crime, hacktivism, cyber war, cyber espionage, and the difference between cyber propaganda and cyber terrorism.
    • Basic understanding of security operations concepts: perimeter defenses, BYOD management, data loss protection, insider threat, kill chain analysis, risk assessment, and security metrics.

    Experience: 3+ years

    Minimum of 3 years' experience directly related to the management and maintenance of a FedRAMP authorization program, including the creation and submission of POA&M artifacts and working with clients, 3PAOs, assessment firms, and other program-related entities.

    Minimum of 3 years' IT, audit, or risk management experience in one or more of the following frameworks: HITRUST CSF, SOC 2, ISO 27001.

    Minimum 3 years' experience working in a government regulated industry, such as healthcare or finance.

    • Experience identifying and managing risks for HIPAA, PCI-DSS, SOC 2, etc.

    Basic knowledge of, and ability to use, system security controls including firewall and anti-virus software, identity management, and computer control environments.

    Basic knowledge of business theory, business processes, management, budgeting, and business office operations.

    Teamwork: An individual who can work effectively in a collaborative environment, foster teamwork across all levels of the organization, and also work independently as required.

    Technical Expertise: The job holder must have a background in information security, development, or networking.

    Business Acumen: The job holder should possess intermediate analytical and process management skills and have a broad understanding of business strategy and operations.

    Compliance & Ethics Expectations:

    • Participates in and successfully completes the company's compliance program requirements and adheres to the Code of Conduct, Company policies, and applicable federal and state requirements.
    • Sets an example for other employees regarding how the Company's Code of Conduct and Compliance Program are applied and observed every day when dealing with customers, business operations, or other teammates.
    • Reports potential violations of company policy, the Code of Conduct, and/or applicable laws and regulations to the company hotline, through the chain of command, to the Compliance and Ethics Department, or through other channels made available by the company for reporting potential violations.
    • Promotes an environment in which other employees are encouraged to report potential violations.
    • As appropriate, provides input and suggestions regarding areas in which policies, procedures, workflows, and/or controls can be improved to enhance compliance.

    Special Working Conditions

    If the job requires a person to work in special working conditions this should be stated in the job description. Special working conditions may include working outside of normal business hours, shift work, extensive travel, etc.

    Special Physical Requirements

    The work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

    • Requires the ability to meet deadlines, frequent assignment changes, periodic heavy workload, rapidly changing environment, and dynamic business growth.
    • Requires ability to concentrate on detailed tasks for sustained periods of time.
    • Requires the ability to operate a computer, printer, copy machine, calculator, and other general office equipment, and to record written information.
    • Requires the ability to communicate with customers, users and vendor representatives in person, in writing, and on the telephone.
    • Requires the ability to read computer output and printed material.
    • Requires the ability to read complex vendor reference material and written user manuals.
    • Requires the ability to participate in interactive verbal group activities including brainstorming and application design working sessions.
