Security & Compliance Analyst

Job Purpose The Security & Compliance Analyst will be responsible for Security Governance, Risk, and Compliance (GRC) within the organization. The incumbent will participate in annual audits, interact with customers as needed, prioritize and track security and compliance risk issues, guide internal and external stakeholders on mitigation, identify risks that increase loss probability and communicate the posture to leadership.

Duties and Responsibilities

• Support the development, update, revision, and/or implementation of security and compliance policies, procedures, practices, and metrics
• Manage and support audit engagements (e.g., HIPAA, SOC 2, HITRUST), the audit request lists and ensure requests are being fulfilled by stakeholder management; participate in internal/external audits as it relates to evidencing control management practices; assist the business to document, assess, remediate any issues and risks raised during audit examinations and risk assessments.
• Implement, monitor, and continuously improve the HIPAA Training & Security Awareness Program
• Conduct third party risk assessments and vendor management to ensure all vendors are vetted and approved, onboarded according to defined policy/process, and have proper ongoing oversight to ensure Security and Regulatory compliance
• Coordinate and manage efforts to mitigate risks and remediation plans to completion
• Ensure effective risk management controls for the entire infrastructure, including but not limited to endpoints, mobile devices, servers, cloud services and tools, etc.
• Maintain a risk register
• Analyze and provide guidance for exception and non-standard software requests
• Coordinate Strategic Response Training and conduct Incident Response tabletop exercises
• Investigate, document, and remediate Security Incidents, including but not limited to SOC, MDR and other security controls alerts
• Support the Sales process, including addressing customer security questionnaires and interfacing with client security teams
• Respond to Customer Security Assessments and inquiries.
• Ensure compliance with Customer Requirements
• Perform other related duties as assigned
• Use, protect and disclose patients’ protected health information (PHI) only in accordance with Health Insurance Portability and Accountability Act (HIPAA) standards

Qualifications

• 3+ years of progressive experience in Risk Management, Audit, Compliance, and/or Security Operations roles
• Industry certification CompTIA Security+ required
• Industry certification Certified Ethical Hacker (CEH) Preferred
• Industry certification such as CISSP, HCISSP, CISM, or CISA preferred but not required.
• Solid understanding of relevant security and compliance certifications/frameworks, including HIPAA, NIST, ISO27001, SOC, PCI-DSS
• Experience with HITRUST preferred but not required
• Ability to "wear multiple hats" at once and/or pivot quickly based on business need
• Ability to balance competing priorities based on risk and criticality and independently develop initiatives

Working Conditions

• Physical Demands: While performing the duties of this job, the employee is occasionally required to move around the work area; Sit; perform manual tasks; operate tools and other office equipment such as computer, computer peripherals and telephones; extend arms; kneel; talk and hear.
• Mental Demands: The employee must be able to follow directions, collaborate with others, and handle stress.
• Work Environment: The noise level in the work environment is usually minimal.

Med-Metrix will not discriminate against any employee or applicant for employment because of race, color, religion, sex (including pregnancy, gender identity, and sexual orientation), parental status, national origin, age, disability, genetic information (including family medical history), political affiliation, military service, veteran status, other non-merit based factors, or any other characteristic protected by federal, state or local law.