Associate Info Security Risk Analyst
Job description
Associate Info Security Risk Analyst - (3235898)
About Us:
As a not-for-profit organization, Mass General Brigham is committed to supporting patient care, research, teaching, and service to the community by leading innovation across our system. Founded by Brigham and Women’s Hospital and Massachusetts General Hospital, Mass General Brigham supports a complete continuum of care including community and specialty hospitals, a managed care organization, a physician network, community health centers, home care and other health-related entities. Several of our hospitals are teaching affiliates of Harvard Medical School, and our system is a national leader in biomedical research.
We’re focused on a people-first culture for our system’s patients and our professional family. That’s why we provide our employees with more ways to achieve their potential. Mass General Brigham is committed to aligning our employees’ personal aspirations with projects that match their capabilities and creating a culture that empowers our managers to become trusted mentors. We support each member of our team to own their personal development—and we recognize success at every step.
Our employees use the Mass General Brigham values to govern decisions, actions and behaviors. These values guide how we get our work done: Patients, Affordability, Accountability & Service Commitment, Decisiveness, Innovation & Thoughtful Risk; and how we treat each other: Diversity & Inclusion, Integrity & Respect, Learning, Continuous Improvement & Personal Growth, Teamwork & Collaboration.
General Summary:
With guidance from senior members of the team, this individual assists with the Mass General Brigham information security risk management program through active engagement with business owners including information gathering, risk analysis, reporting and remediation compliance. This position will focus on driving compliance with identified cybersecurity risk remediation recommendations and plans.
This Information Security & Privacy Associate Risk Analyst is responsible for coordinating, scheduling and successfully concluding follow-ups to cybersecurity risk assessments with business owners and external vendors/parties. Responsibilities will include working with team members that have conducted assessments to understand the substance and purpose of security recommendations, and following up with business owners on remediation plans.
Principal Duties:
- Develop an understanding of Mass General Brigham applications, information security & privacy concepts and best practices, and service management offerings
- Read, understand, and perform information system and third-party risk assessments, following a NIST-based methodology.
- Document secure design and configuration requirements and standards for Mass General Brigham technical solutions to achieve acceptable risk level.
- Increase compliance with enterprise policies and standards by understanding the Enterprise Information Security Policy portfolio and developing the skills needed to facilitate remediation or mitigation of non-compliant systems.
- Clearly document remediation plans and completed, pending and deferred remediations and mitigations in Archer and Service Now.
- Maintain a current knowledge of applicable federal and state privacy laws and accreditation standards, and monitor advancements in information privacy and security technologies to ensure adaptation and compliance.
- Maintain awareness of new technologies and related opportunities for impact on system or application security.
- Conduct information security research to keep abreast of the latest security issues, testing tools, techniques, and process improvements in support of security event detection and analysis.
- Use the Mass General Brigham values to govern decisions, actions and behaviors. These values guide how we get our work done: Patients, Affordability, Accountability & Service Commitment, Decisiveness, Innovation & Thoughtful Risk; and how we treat each other: Diversity & Inclusion, Integrity & Respect, Learning, Continuous Improvement & Personal Growth, Teamwork & Collaboration.
- Bachelor’s degree (B.A. / B.S.) or equivalent from an accredited college or university required.
- 1-3 years of experience in IT/IS.
- Some experience with information security risk analysis, security risk configuration development, or information security audit.
- Demonstrable natural aptitude with object relationship and cause/effect.
- Familiarity with HIPAA, GDPR, HITECH, Mass ID Theft regulation 201 CMR 17, and other appropriate information security and information privacy regulatory requirements for healthcare entities a plus.
- Knowledge of NIST 800-53, ISO 27K, GDPR, PCI-DSS is desirable.
- Legal training/experience is desirable.
- Any of the following certifications is a plus:
- ITIL, any of the following Information Security Certifications: CISSP, HCISSP, CISM, CISA, CIPP, CIPM, CIPT, CPHIMS, PCIP, GSEC, GCIH, GCFE, GCFA, CEH, GPEN, and PM
- A combination of education and analogous experience may be substituted for some requirements.
Skills, Abilities and Competencies:
- Possess strong interpersonal skills to effectively communicate with cross functional teams including staff at all levels of the organization
- Outstanding time management and organizational skills required.
- An ability to work under the required guidelines and deliver on business/project requirements.
- Ability to work with both team members and staff in a professional manner.
- Comfortable working in a dynamic environment with multiple work streams, goals, and objectives.
- Ability to make recommendations to the ISPO leadership team on prioritizing project-related tasks.
- Excellent vocabulary, written and verbal communication and effective interpersonal skills are critical.
- Understanding of Windows, Unix/Linux operating systems, security administration, virtualization, and TCP/IP networking concepts. Must know how to use common M365 Office Suite of products.
- Ability to work independently with minimal supervision
- Ability to successfully negotiate and collaborate with others of different skill sets, backgrounds and levels within and external to the organization
- Strong problem solving and negotiation skills
- Ability to effectively conduct meetings, both formal and informal
- Requires minimal direction from leadership and possesses the ability to learn quickly
Mass General Brigham is an Equal Opportunity Employer & by embracing diverse skills, perspectives and ideas, we choose to lead. All qualified applicants will receive consideration for employment without regard to race, color, religious creed, national origin, sex, age, gender identity, disability, sexual orientation, military service, genetic information, and/or other status protected under law.