Privacy & Information Security Risk Management Analyst II

Security Risk Analyst

Uses the Sutter Health governance, risk management, and compliance (GRC) platform to conduct and validate technical security reviews and security assessments in alignment with the Sutter Health information security controls framework, state and federal regulations, and industry security best practices, culminating in the production of security risk assessment reports. Functions as a technical advisor to security leadership, Information Services (IS) departments, and Sutter Health business units on security-related issues and risks and provides support by leading resolution on complex security issues and initiatives. Provides security training to IS staff members through new hire orientation, just-in-time training, and regular department training. Develops and/or reviews technical information security policies, procedures, standards, and guidelines to support Sutter Health business initiatives in alignment with regulatory requirements, security best practices, and evolving technologies. Conducts technical security-related research and analysis and translates the results into meaningful input to the Information Security program.

***Please Note: While this position is listed as hybrid, regular in-office attendance is required. Candidates should be prepared to commute to the office on a consistent basis to support team collaboration and business needs.***

Education: Equivalent experience will be accepted in lieu of the required degree or diploma.

• Bachelor's in Business, Computer Science, Engineering, Information Security, Management, Mathematics, Science, Technology or related field

Certification & Licensure:

• CISSP or CRISC certification preferred, or one of the certifications will be required within one year of hire

Typical Experience:

• 2 years recent relevant experience.

Preferred Experience:

• Third-party/vendor security risk assessments
• Conducting formal risk assessments
• GRC or third-party risk management platforms (e.g., ServiceNow VRM or equivalent)
• Continuous security monitoring tools (e.g., BitSight or similar)
• Experience assessing security risks affecting protected health information (PHI)

Skills and Knowledge:

• Proficient technical skills in planning, administration, and management of information systems, operational and technical security controls, and security risk analysis and management with thorough knowledge of information systems security concepts, current information security trends, practices including security processes, methods, and procedures.
• Working knowledge of software, hardware, databases, networks, firewalls, encryption, and other systems security devices, including a good understanding of Transmission Control Protocol/Internet Protocol (TCP/IP), Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Active Directory, network topologies, and intrusion detection systems.
• General knowledge regarding National Institute of Standards and Technology (NIST), Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH), Federal Information Procession Standards (FIPS), and other related industry security standards, regulations, and best practices.
• Advanced understanding of federal and state security and privacy-related regulatory requirements.
• Good business acumen and advanced analytic skills, including the ability to analyze data and information, reach practical conclusions, recommend corrective actions, resolve conflicts, and institute effective changes.
• Effective organizational and project management skills required, including the demonstrated ability to prioritize tasks, manage multiple projects simultaneously, and complete deliverables.
• Attention to detail with time management and organization skills, including attention to detail, clear documentation, diagnostic capabilities and problem-solving skills.
• Communication (written/verbal), interpersonal, and presentation skills to explain complex technical or sensitive information clearly and professionally to diverse audiences and all levels of internal and external constituencies.
• Robust computer skills, including an advanced knowledge of Microsoft Office Suite (Word, Excel, Outlook, Access, Access Control List (ACL)), Microsoft Visio or other flowcharting tool, various database architectures and related security and assessment tools and applications.
• Ability to identify key concepts, factors, and risks based on conversations and document them in clear and concise narrative.
• Ability to work independently, as well as part of a multidisciplinary team, while demonstrating organization skills to efficiently and effectively conduct reviews and assessments within established timeframes and government regulations.

Job Shift: Days

Schedule: Full Time

Days of the Week: Monday - Friday

Weekend Requirements: As Needed

Benefits: Yes

Unions: No

Position Status: Exempt

Weekly Hours: 40

Employee Status: Regular

Sutter Health is an equal opportunity employer EOE/M/F/Disability/Veterans.

Pay Range is $86,216.00 to $129,334.40 / annual salary

The compensation range may vary based on the geographic location where the position is filled. Total compensation considers multiple factors, including, but not limited to a candidate's experience, education, skills, licensure, certifications, departmental equity, training, and organizational needs. Base pay is only one component of Sutter Health's comprehensive total rewards program. Eligible positions also include a comprehensive benefits package.