This job has expired

GRC Engineer

Employer
Odyssey Information Services
Location
Milwaukee
Salary
Competitive

Industry
Healthcare
Role
Engineer
Job Type
Long-Term
Hours
Full Time

**REMOTE STATES: Wisconsin, Arizona, Colorado, Indiana, Illinois--(only the following counties: Aurora, Bartlett, Cook, DuPage, Kane, Lake, Palatine, Plainfield), Iowa, Kentucky, Michigan, Minnesota, Nevada, North Carolina, Ohio, Tennessee, Texas, and Utah**


As a member of the IT Security team, the Governance, Risk and Compliance (GRC) Engineer contributes to a comprehensive information security program. In accordance with industry frameworks (NIST, PCI, and HIPAA) and business needs, and to ensure regulatory compliance and operational effectiveness, this position leads and collaborates in the development and operation of the IT GRC capability. It requires an experienced IT GRC professional who leads initiatives associated with tactical risk analysis of operational controls and their effectiveness; develops and applies risk assessment methodologies and processes and generates artifacts; works with control owners and internal service provider(s) to prioritize the validation of control compliance; and facilitates identification and escalation of associated control gaps and their remediation.


  1. Plans, implements and maintains the IT security risk management program capabilities and collaborates with Compliance and ERM.
  2. Provides leadership and supervision over IT risk capabilities and compliance activities.
  3. Assures assessment process effectiveness, measurement and optimization of IT general controls within a complex technical environment.
  4. Assists in the creation and maintenance of security risk management standards, processes, procedures and other program documentation.
  5. Develops and executes methods to identify and consider relevant internal and external data to enhance objective, data-driven risk models.
  6. Prepares reports and presentations for diverse audiences with varying business perspectives on cyber security risks and IT effectiveness.
  7. Supports and administers new Governance, Risk & Compliance (GRC) tools implementation and utilization.
  8. Performs program management assessments and evaluations to determine compliance with PCI, HIPAA and IT general controls.
  9. Maintains a strong understanding of security frameworks (NIST CSF & NIST SP 800-53) and how these frameworks apply to operational activities within the IT environment.
  10. Monitors and analyzes security risks and metrics to identify themes, trends, correlations and variances.
  11. Communicates risk intelligence in a manner that enables business decision-making.
  12. Provides risk management subject matter expertise.
  13. Provides leadership (no direct people management) to individual contributors building risk capabilities and builds program oversight.
  14. Assists with the design and implementation of the IT Security Risk Registry.
  15. Assists in the establishment of program plans, procedures, data categorizations, risk rank modeling and other factors to provide a holistic representation of the IT security risks that the client faces.
  16. Develops, implements, maintains and oversees enforcement of policies, procedures and associated plans for system security administration and user system access based on industry-standard best practices and internal business forces.
  17. Assists in the development and execution of a formal control structure and assessment risk methodologies, processes and artifacts.
  18. Assists in the development and maintenance of an enterprise security controls framework.
  19. Processes, analyzes and tracks risk exception requests.
  20. Periodically reviews security controls for effectiveness and design.
  21. Maintains an awareness of proposed security standards and of state and federal legislation and regulations pertaining to information security.
  22. Identifies IT Security requirement changes that will affect the organization's requirements, legal addendums and risk assessments, and recommends appropriate changes.

Skills:

  • A minimum of 5 years of experience in a related field. 6 or more years of experience in a related field.
  • In-depth knowledge of cybersecurity frameworks including, but not limited to, NIST CF, HITRUST CSF and ISO 27001.
  • Experience leading risk assessment and remediation activities.
  • Expert knowledge of information security risk management frameworks and compliance practices.
  • Understanding of common healthcare security regulations (e.g. HIPAA, HITECH, Meaningful Use, PCI DSS, ISO 2700x, FDA, etc.).
  • Familiarity with security auditing and risk assessment processes.
  • Skill in documenting risk and compliance activities.
  • Experience responding to, analyzing and communicating information security audits.
  • Understanding of general security concepts including, but not limited to, cryptography, DLP, Security Operations Center, Security Managed Services, SIEM, FW, Audit, Cloud Security and Mobile Security.


Education:

  • BA in Computer Science or a related field is required, or equivalent acquired through a combination of education and experience.
  • Certifications preferred: CISA, CRISC, CGEIT, CRMA, CISSP & PCI-QSA.
