Fresenius Medical Care Holdings, Inc.
Information Security Risk Analyst
at Fresenius Medical Care Holdings, Inc.
PURPOSE AND SCOPE:
The Information Security Risk Analyst at Fresenius North America (FMCNA) will identify, quantify, and manage risk across the organization while integrating risk management processes into business operations. This role will work directly with subject matter experts to identify risks, elicit all necessary information about the situation to form a complete understanding of the risk, work with the other members of the Risk Team to quantify and document the risk, and present the complete quantified risk to the appropriate levels of management to support their decision-making process.
PRINCIPAL DUTIES AND RESPONSIBILITIES:
- Create and implement (ISO) risk management policies, standards, and procedures for FMCNA and provide oversight for other Business Units based on industry best practices and frameworks.
- Development, measurement, and management of risk metrics to support GRC reporting
- Identify, implement, monitor, and enforce information security compliance, regulatory, and control frameworks
- Ongoing analysis and coordination with stakeholders to improve risk posture for business units and overall FMCNA.
- Conducts risk assessments using industry standard frameworks.
- Studying risk assessments conducted by the business owners and support functions to incorporate relevant tests in assessment plans
- Builds and maintains database of risk assessment questionnaires, responses, and mappings to industry standard frameworks and regulatory requirements using TrustArc or other applicable solutions.
- Create and maintain documentation of issues/control gaps, corrective actions, and status.
- Supports the security exception management process.
- Reviewing third-party attestation and audit reports then providing feedback to business leaders and risk owners.
- Serves as a company representative with prospects, customers, and partners by assisting with completing security questionnaires, assessments and audits
- Delivery focused, willingness to perform and manage all tasks required to complete the job and meet deadlines, including administrative and documentation-oriented tasks.
- Attention to detail and thoroughness, with a focus on the completeness, accuracy, integrity, security, and confidentiality of the information handled and activities performed.
- Interacts enterprise-wide with all levels of personnel, including executives, business functional heads and technical staff
- Analyze key business processes in order to produce comprehensive risk scenarios that will be implemented by working with and through business leaders and information security risk architecture
- Collaborating with threat and vulnerability intelligence teams to develop risk scenarios from new and emerging risks
- Conduct comprehensive analysis of risk scenarios and inform key stakeholders of findings on an ongoing basis
- Supports advancing the enterprise-wide information security risk function to create a union of business risk and information security risk
- Support awareness and accountability around IT governance, risk, and compliance control functions
- Team-oriented and will promote execution and change through influence
- Articulate information security risk into business terms
- May provide direction to peers or PMs leading projects for Risk Management related initiatives, including ensuring delivery of business requirements and providing analysis and solutions for potential problems.
- Developing professional expertise; applies company policies and procedures to resolve a variety of issues.
- Normally receives general work instructions on routine work, detailed instructions on new projects or assignments. Work is reviewed for soundness.
- Works on problems of moderate scope where analysis of situation or data requires a review of a variety of factors. Exercises judgment within defined procedures and practices to determine appropriate action.
- Builds productive working relationships.
- May provide assistance to junior level staff with general tasks that require a better understanding of functions, as directed by immediate supervisor.
- May refer to senior level staff for assistance with higher level problems that may arise.
- Escalates issues to supervisor/manager for resolution, as deemed necessary.
- Review and comply with the Code of Business Conduct and all applicable company policies and procedures, local, state and federal laws and regulations.
- Assist with various projects as assigned by direct supervisor.
- Other duties as assigned.
Additional responsibilities may include focus on one or more departments or locations. See applicable addendum for department or location specific functions.
PHYSICAL DEMANDS AND WORKING CONDITIONS:
- The physical demands and work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
EXPERIENCE AND REQUIRED SKILLS:
- Bachelor's Degree required; degree in related discipline is desired (i.e., Computer Science or Computer Information Technology)
- 2 – 5 years' related experience, particularly in a combination of risk management, information security and/or technology roles; or an advanced degree without experience; or equivalent directly related work experience.
- Deep understanding of information security regulations, including Federal Information Security Management Act (FISMA), Service Organization Control 2 (SOC 2), Federal Information Processing Standard (FIPS), National Institute of Standards and Technology (NIST), ISO 27000 series, HITRUST, Cloud Security Alliance (CSA) and various other laws and regulations including Executive Orders.
- Conducted risk assessments using a variety of frameworks
- Possess demonstrable knowledge of Third-Party Assurance risk management
- Able to self-start and lead cross functional teams and deliver results with minimal supervision.
- CISSP, CRISC, CISA, CISM, or other technical certification(s) a plus
- Experience with TrustArc Assessment Manager a plus
- Working knowledge of Scripting languages a plus
- Travel required per business need.
EO/AA Employer: Minorities/Females/Veterans/Disability/Sexual Orientation/Gender Identity