Governance, Risk, and Compliance Analyst
Requisition ID: 2025-50661
Category: Information Technology
Location (Name): Rev Hugh Cooper Admin Center
Location (City): Albuquerque
Location (State/Province): NM
Minimum Offer: USD $45.86/Hr.
Maximum Offer for this position is up to: USD $71.81/Hr.
Overview
Presbyterian is seeking a Governance, Risk, and Compliance Analyst! This position is responsible for the oversight and coordination of various cybersecurity risk management activities focused on identifying, assessing, managing, and mitigating risks. Subject matter expert experienced in regulatory requirements, security framework standards, security operations and controls, and industry best practices. The role works closely with Compliance, Internal Audit, and other Departmental Leaders in the coordination of planning, prioritization, tracking, and remediation of cyber risks, assessment and audit findings, supply chain risk, and operational risk. Works closely with technology and security leaders and subject matter experts to coordinate, review, and catalogue responses. Coordinates with Compliance and Internal Audit to further the planning, response, and cataloguing of assessment and audit activities related to both Information Security and Information Technology. Supports the operationalization of the GRC management functions to ensure compliance with established security controls, industry frameworks, regulatory and legal requirements, organizational policies, and standards. Collaborates with the GRC Director and CISO on the risk management program, including risk assessments, risk analysis, internal and external audits, vendor security risk program, and risk register management. Other key activities will include reviewing existing security policies, assessing that procedures are implemented in accordance with security policies and standards, and that security metrics are being measured.
Preferred Qualifications:
- CRISC Certification
- CISSP Certification
- CGRC Certification
- Security+ Certification
- 5+ years of hands-on experience in technology risk management and/or vendor risk management
- Healthcare or insurance experience
- 3+ Years GRC experience
Qualifications
- Bachelor's degree in Information Security, Computer Science, Information Management Systems, or related field desired; or 6 years of relevant experience may be substituted in lieu of degree. An advanced degree is strongly preferred.
- 3 years of experience in Information Security Risk Management or in Information Technology/Information Security Audit required.
- 5 years of experience in a large (over 2,000 end users) Healthcare IT Enterprise preferred.
- 7 years of experience in a combination of IT Governance, Risk Management, Compliance, and Information security roles preferred.
- Professional certifications such as Certified Information Security Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP) or Certified Risk & Information Security Controls (CRISC) required or willing to obtain within the first year of employment.
- Expert working knowledge from within an information security function using ISO 27000, NIST CSF, NIST RMF, or NIST 800-53, HIPAA, or HITRUST Common Security Framework.
- Experience supporting SSAE 16 or SOC 2
- Detailed understanding and extensive experience with information security regulations, including at a minimum National Institute of Standards and Technology (NIST), Health Insurance Portability Accountability Act (HIPAA), Payment Card Industry (PCI), ISO 27001 and ISO 27018, Sarbanes-Oxley (SOX), Cloud Security Alliance (CSA) and various other laws and regulations including Executive Orders.
- Significant experience performing Information Security Risk Management, Third-Party Risk Management, and audits and assessments in large, complex organizations.
- Significant experience in end-to-end IT and Security Risk Management.
- Significant experience with technical risk remediation identification and planning.
- Significant experience with corrective action and remediation engagement and planning.
- Models high standards of integrity, performance, confidentiality, and demonstrates sound judgement.
- Incorporates Presbyterian Health Services values into the ITGRC compliance and audit program
- Certified Information Systems Security Professional
- Certified in Risk and Information Systems Control
- Certified Information Systems Auditor
Responsibilities
- Provide expert knowledge in information security standards and practices and with related federal, state, and local regulatory requirements.
- Identify and assess the severity and potential impact of risks identified within audits and assessments. Educate risk owners within Information Technology and Information Security about risk assessment findings and proper risk remediation.
- Support the implementation of PHS and PHP information governance, risk, and compliance processes.
- Assess processes, practices, and controls against PHS Information Technology and Information Security policies, procedures, and standards.
- Coordinate, catalogue, and communicate internal and external risks and findings to the Director, ITGRC.
- Develop and maintain risk exception and acceptance processes, corrective action plans and mitigation strategies for cyber risks, assessment and audit findings, supply chain risks, and operational risks and recommendations. Corrective action plans are continually updated, and progress is documented for each open item.
Benefits
About Presbyterian Healthcare Services
Presbyterian offers a comprehensive benefits package to eligible employees, including medical, dental, vision, disability coverage, life insurance, and optional voluntary benefits. The Employee Wellness Rewards Program encourages staff to engage in health-enhancing activities, such as challenges, webinars, and screenings, with opportunities to earn gift cards and other incentives. As a mission-driven organization, Presbyterian is deeply committed to improving community health across New Mexico through initiatives like growers' markets and local partnerships. Founded in 1908, Presbyterian is a locally owned, not-for-profit healthcare system with nine hospitals, a statewide health plan, and a growing multi-specialty medical group. With nearly 14,000 employees, it is the largest private employer in the state, serving over 580,000 health plan members through Medicare Advantage, Medicaid, and Commercial plans. AA/EOE/VET/DISABLED. PHS is a drug-free and tobacco-free employer with smoke-free campuses.
Compensation Disclaimer
The compensation range for this role takes into account a wide range of factors, including but not limited to experience and training, internal equity, and other business and organizational needs.