Information Risk & Compliance Analyst I​/II

Job Description:

NOTE:

We currently have two openings for this role across the enterprise - one with an affiliate company, CDPHP (Capital District Physicians Health Plan) and one with Excellus BCBS/Univera Healthcare (depending on candidate's geographic location). The selected candidate will be hired into one of the entities based on experience & business needs.

Opening 1:
Reporting to Jeff Ewing on the Cyber Security Office.

Opening 2:
Reporting to Scott Wiggins on the Third Party & Risk Platform Management Team.

The Information Risk & Compliance Analyst is responsible for delivering Enterprise-wide Information Risk & Compliance disciplines. The role is responsible for supporting all elements of the Information Risk and Compliance program including, information security policies and procedures, risk assessments, training and awareness, external/internal IT audit support, management, and facilitation of control issues to ensure remediation, regulatory compliance, management reporting, and communication of risk.

An Information Risk & Compliance Analyst contributes to the development, maintenance, and/or refinement of Cyber, Risk, policies, and standards, collaborates with others to create and manage security and related control documentation. The role will work with process owners and business partners to identify control gaps and appropriate remediation plans, as well as monitor and report on progress of remediation efforts.

This role will also drive quality review for all Cyber Risk & Information related audit artifacts.

This position collaborates with various throughout the business, as well as maintains knowledge with best practices for managing cyber-risk and access controls in alignment with corporate policies, standards, guidelines, and regulations.

• Works with teams to continuously improve and update services to ensure they stay ahead of information security and compliance trends.
• Collaborates with external auditors or other inbound requests as needed.
• Performs and/or supports any aspect of Information Risk & Compliance activities (i.e., policy development, security awareness, 3rd party assessment, internal control evaluations, risk assessments, issue management, etc.).
• Contributes to cyber regulatory compliance at state and federal jurisdictions.
• Assists with issues relating to Information Risk including the development of procedures, plans, and security forms to aid the information security program, as well as monitoring and response to unexpected information security control changes across the environment.
• Contributes input to the Organization's Cybersecurity program performance metrics.
• Creates and updates standard operating procedures for assigned security controls, applications, and platforms.
• Develops materials for Enterprise Security Awareness & training.
• Executes and supports Cybersecurity program initiatives, such as maintaining processes and workflows such as access certification.
• Participates in various oversight Committee meetings, generates agenda and meeting content.
• Plans and executes audits or control testing of technology platforms, evaluates information systems' internal controls, and works collaboratively with management to identify and facilitate corrective actions.
• Provides monitoring, guidance and direction on security controls, policy, and practices to key stakeholders.
• Responds to internal customer queries, reports and/or requests relating to IT controls, policies, and standards.
• Performs review of change management deployments.
• Defines and supports Service Level Agreements (SLA) s and Key Performance Indicators (KPIs).
• Consistently demonstrates high standards of integrity by supporting the Lifetime Healthcare Companies' mission and values, adhering to the Corporate Code of Conduct, and leading to the Lifetime Way values and beliefs.
• Maintains high regard for member privacy in accordance with the corporate privacy policies and procedures.
• Regular and reliable attendance is expected and required.
• Performs other functions as assigned by management.

• Acts as a change agent to educate the enterprise on Cyber Risk & Information Security Policies and Controls.
• Independently manages intake activities, recommends, and executes on intake optimization already noted in level I.
• Pinpoint strengths and areas for improvement related to organizational security posture and risk management acceptance.
• Plans and executes complex audits of technology platforms, evaluates information systems' internal controls, and works collaboratively with management to identify and facilitate corrective actions.
• Conducts complex data & cybersecurity risk assessments.
• Participates in various committees to establish oversight for cyber, data and risk of the organization.
• Supports various risk assessments for information management controls.
• Mentors and trains Information Risk & Compliance Analyst level I.