Security Risk & Compliance Analyst
The HMH Information Security Risk Management program addresses both internal and external risks. As a Security Risk & Compliance Analyst, you will conduct project and technology-based risk assessments within the environment, conduct technical and nontechnical third-party risk assessments, and recommend mitigating action or controls.
You will further identify and convey information security, physical security, business continuity, and IT operational requirements to project teams, and the Sourcing department in support of new contracts and ongoing engagements.
The primary responsibility of the Security Risk & Compliance Analyst is to identify, analyze, and recommend mitigation strategies for information security risks.
The Secondary responsibility of the Security Risk & Compliance Analyst is to work with the IT Teams, Internal Audit and External auditors to ensure that HMH meets all requirements for SOX or other compliances.
- Perform third party vendor risk, project risk, or technology risk assessments.
- Evaluate and assess supplier criticality and review changes in scale and scope of services contracted with supplier for material impact. Confirm ongoing roles, responsibilities and persons involved with the Third Party.
- Manage, monitor and track third party compliance to the Third-Party Risk Management Program.
- Monitor all applicable risk assessments are completed in the appropriate timeframe based on third party risk tier.
- Individual judgment and decision making will be exercised to determine applicability of certain questions on various assessments based on the vendor service and vendor risk.
- Provide Information Security consulting and subject matter expertise on third party service sales contracts and/or Sourcing arrangements.
- Assess the adequacy of a vendor's security program to safeguard HMH data.
- Focus on developing and improving security processes, assisting in metrics development, both within the technology and business organizations.
- Conduct ongoing security assessments to validate that ITGCs are being followed.
- Ensure proper evidence is gathered to facilitate timely closure of remediation plans.
- Serve as advisors to the business by ensuring an ongoing awareness of identified risks.
- Document and communicate with business and IT regarding security risks and deficiencies.
- Utilize expertise to identify evolving security threats and provide in-depth understanding of "if, how, and when" they should be addressed.
- Third party, technology, and project risk assessment experience.
- Experience with Governance, Risk, and Compliance tools.
- BA or BS degree in Computer Science, Information Technology/Systems, or related degree preferred, or equivalent experience.
- 1-3 years of experience in Risk Management.
- 3-6 years of experience in an Information Technology Audit/Information Security.
- Proficient working knowledge within the following risk domains/technologies.
- CISSP, CISA, or equivalent experience.
- Requires an excellent understanding of IT security concepts with an emphasis on Security and Risk Assessment.
- Requires excellent knowledge of IT and computer systems.
- Requires excellent understanding of internal and external audit process.
- Requires in-depth understanding of Public Key Infrastructure (PKI), encryption, network security controls tools and functionalities.
- Requires an in-depth understanding of Payment Card Industry – Data Security Standard (PCI-DSS), and proficiency in applying Health Information Portability and Accountability Act (HIPAA) security rules and National Institute of Standards and Technology (NIST) standards.
- Requires demonstrated proficiency in applying Identity Management (IDM) concepts.
Skills and Abilities
- Exceptional analytical thinking skills.
- Excellent verbal and written communication skills.
- Ability to handle multiple tasks and prioritize effectively.
- Excellent PC skills and demonstrated proficiency with MS Office Suite.
- Excellent interpersonal skills and the ability to work effectively with others as a team.