Mgr, Information Risk

The Information Risk Manager is responsible for implementing, managing, and executing the Information Risk Assessment Program, which identifies system vulnerabilities and non-compliance.
Evaluating internal SDLC projects, procurement activities, mergers & acquisitions, and Supplier arrangements, the Information Risk Manager, with the assistance of the Information Risk Analyst, performs an initial review and, as needed, a follow-up in-depth analysis of security controls and related mitigating controls.
Upon completion of a risk assessment, the Information Risk Manager documents the risks in an executive summary and coordinates remaining remediation activities with the Senior Security Engineer and the IT Compliance Manager.
Essential Responsibilities:
o Manage the annual assessment schedule, including deliverables, milestones, processes, and priorities
o Manage activities of the Information Risk Analyst as they perform activities related to the Information Risk Assessment Program
o Serve as primary liaison within HVHC with regard to PCI-DSS compliance. Maintain PCI-SSC Internal Security Assessor certification; ensure that HVHC IT and business teams are aware of, and design to, applicable PCI-DSS requirements. Conduct the annual PCI-DSS audit, reporting results to HVHC leadership, acquiring banks and card brands.
o Work with executive leadership to:
  o Identify potential risk areas related to the 3-5 year business plans
  o Communicate the overall risk position of information security via monthly metrics
  o Understand the organization's risk tolerance
  o Understand the current prioritized project portfolio, including related compliance impact
  o Develop an action plan to implement a HITRUST assessment and certification program, leveraging existing PCI controls and processes
o Design, develop and deliver security awareness and risk management training. This will include mentoring and training teams as needed on applicable regulatory requirements, industry best practice, internal security policies and standards, as well as the risk assessment process
o Work from a defined schedule to perform information risk assessments on external Suppliers. Assessments will be performed by referencing internal and external standards, and utilizing the following techniques:
  o Interviews with Suppliers, internal personnel and stakeholders
  o On-site audits
  o Policy and procedural documentation review
  o Security questionnaires
  o Review of reports and other evidence
o Document Supplier assessment results in a standardized report format which clearly communicates business risk and outlines suggested treatment
o Communicate Supplier assessment results and suggested treatment to Information Security & Risk Management team members for QA
o Work with Procurement and other stakeholders to review Supplier assessment results, identify and understand business risks and possible risk treatments. Communicate remediation plans to Supplier representatives, Procurement and HVHC Supplier relationship managers for tracking and resolution
o Work with Procurement to ensure that adequate contractual safeguards are in place as appropriate to each Supplier relationship
o Work with Procurement to ensure that Suppliers have a clear understanding of compliance requirements and the consequences of non-compliance
o Work with the Information Risk Analyst to prioritize compliance gaps and vulnerabilities, identifying key stakeholders and remediation owners. Communicate gaps to the Senior Security Engineer and the IT Compliance Manager for remediation and tracking
o Maintain an understanding of common industry best practices, as well as quality management systems and standards, such as ISO 27001, PCI-DSS, COBIT and ITIL. Recommend standards-based realignment of internal processes and systems where improvements are needed
o Understand how newly available technologies and industry trends may positively or negatively impact our compliance. Develop recommendations for addressing the compliance impact of these changes
o Maintain an understanding of current information security tools and trends via membership in professional organizations as well as up-to-date, relevant certifications
o Ensure key information security controls and processes are documented and followed. Work with Administrative Services and internal team leadership to ensure that these documents are reviewed at least annually for accuracy and improvement opportunities
o On-call and provide 24/7 support for critical situations
o Travel as needed

Education:
o BA/BS in an appropriate discipline
o CISSP a plus

Experience & Background:
o Minimum of 3 years' experience leading IT compliance programs
o Minimum of 3 years' experience testing IT control effectiveness
o A broad technical background and knowledge of IT delivery processes preferred
o Knowledge of PCI, HIPAA, HITECH, COBIT, ISO 27001/2, and ITIL 3 preferred