Baystate Health Information Security Analyst Risk Assessment in Springfield, Massachusetts

Information Security Analyst Risk Assessment

Job ID: 80309

Location: Springfield, Massachusetts

Full/Part Time: Full-Time

Regular/Temporary: Regular

About Baystate Health

Baystate Health is an integrated health care delivery system serving a population of nearly 1 million people in western Massachusetts. We are one of the largest health systems in New England with over 11,500 employees, five hospitals, and over 60 medical practices. Baystate Medical Center is the only Level 1 Trauma Center in the region and has the only neonatal and pediatric intensive care units.

Responsibilities

Summary: The Information Security Analyst will focus on Risk Assessment.

This position reports to the Team Lead, Information Security Department and is responsible for working with other Baystate Health personnel and outside third parties to ensure the appropriate administrative, physical and technical information security safeguards are implemented across Baystate's environment. These safeguards strengthen our information system posture and better support Baystate’s Mission to improve the health of the people in our communities every day, as well as support continued progress toward Baystate’s Vision of becoming one of the leading health systems in the nation.

Under general guidance of the Team Lead, the incumbent will conduct information security assessments to ensure the proper implementation of security controls across the environment. This includes populating defined security/risk assessments, identifying gaps and compensating controls, identifying remediation plans, and publishing management reports of results. This position may also participate in incident response investigations, work with Baystate management and Human Resources to ensure appropriate and consistent corrective action, help identify opportunities for improvement, maintain policies and procedures that are designed to be operationally effective and efficient, maintain workforce training programs and awareness communications, and monitor compliance with policies, laws and regulations. The security analyst works with members of the IT division to select and deploy technical controls to meet specific security requirements, and defines processes and standards to ensure that security configurations are maintained.

The incumbent will have a working knowledge of security frameworks such as HIPAA, HITRUST, NIST, ISO or other industry standards that are relevant to Baystate Health.

What You Will Do:

Work with various business units across the company to perform Meaningful Use Security Risk Assessments.

Conduct periodic evaluations of technical and non-technical security safeguards to demonstrate and document compliance with Baystate’s security policy and the requirements of the HIPAA Security Rule as required by HIPAA.

Perform information security risk assessments as part of the project lifecycle to ensure that new technology conforms to Baystate Health's security standards.

Perform risk assessments of Baystate Health information and technology systems by conducting accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Baystate's information and technology systems.

Work with security leadership and stakeholders to identify remediation strategies and plans to enforce security requirements and address risks identified in the risk assessment process.

Along with the Security Architect, advise during application development or acquisition projects to ensure that security controls are implemented as planned.

Work with other security department members and stakeholders in scoping, planning and conducting third-party penetration testing, code reviews, or security assessments during the information security risk assessment process.

Perform risk assessments of third-party technology systems by conducting accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Baystate's information and technology systems.

Produce information security risk assessment reports for Baystate Health leadership and other stakeholders that identify gaps with Baystate Health Information Security Policies & Standards and propose remediation plans.

Produce status reports of progress on remediation efforts for information security gaps identified during the risk assessment process.

Assist with developing and publishing information security policies, procedures, standards and guidelines based on knowledge of best practices and compliance requirements along with processes that enable implementation.

Assist in conducting information system activity reviews: Monitor and test application and network activity for assurance that systems of controls are in place and effective, and for compliance with BH policies and state and federal regulations. Information system activity reviews should include, but are not limited to: failed logins by administrators and general users, file accesses, security incident tracking reports, unauthorized software, dormant accounts, abandoned sessions, password sharing, data leakage, unauthorized deletion of corporate data, adequacy of auto-logoff and anti-malware configuration, and misuse of administrator accounts, internet access, remote access, personal use of network storage, etc.

Assist in using Information Security department reporting tools in incident response investigations, monitoring security effectiveness, and analyzing the output to suggest security improvements.

Assist with developing security training, awareness reminders and related communications.

Assist other department members in advising partner and IT division security administrators on normal and exception-based processing of security authorization requests.

Assist other security department members in defining security configuration, operations and standards for security systems and applications, including policy assessment and compliance tools, network security appliances and host-based security systems.

Assist other security department members in maintenance and support of ISO tools.

Qualifications

What You Will Need:

Minimally Required Education: Associate's Degree

Preferred Education: Bachelor's Degree

Minimally Required Experience:

Minimum five years in an IT Security role

Working knowledge of internal controls & IT Risk Assessment and Mitigation procedures.

Technical experience in security-related technologies such as Active Directory, encryption, remote access, anti-virus systems, etc.

Background sufficient to obtain working knowledge of:

Security reporting tools

HIPAA, Massachusetts 201 CMR 17.00, and ISO 27002:2005

Preferred Experience: Healthcare IT experience preferred

Skills / Competencies:

Familiar with implementation of Application or Technical information systems

A basic knowledge of the 8 domains of the Common Body of Knowledge for information security:

  1. Security & Risk Management

  2. Asset Security

  3. Security Engineering

  4. Communications and Network Security

  5. Identity and Access Management

  6. Security Assessment and Testing

  7. Security Operations

  8. Software Development Security

Ability to work well in a team environment. Values information sharing, but recognizes situations requiring confidentiality.

Strong interpersonal, organizational, administrative, communication and presentation skills, both oral and written.

Effective analytical/troubleshooting skills and ability to multi-task.

Effective negotiation and conflict management skills.

Experience in dealing effectively with people at different levels.

Self-motivated and able to work with little or no guidance.

Certification:

Certified Information Systems Security Professional (CISSP) or Certified Risk & Information Security Control (CRISC) is preferred.

Equal Employment Opportunity

Baystate Health is an Equal Opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, marital status, national origin, ancestry, age, genetic information, disability, or protected veteran status.