Remote Position in United States:
This below description is more relevant to the position than the above Job Description.
Position Purpose:
Develop, maintain, document, and improve the organizational Information Security (IS) policies and standards for certification and compliance, driven by changes in new regulations, contract requirements, and internal IS changes. Manage the day-to-day activities related to IS policies and standards and assist in developing organizational IS Governance, Risk & Compliance (IS GRC) strategy, frameworks, goals, and targets.
Education/Experience:
Bachelor's degree in Computer Science, Business Administration, Law, or related field or equivalent experience. 5+ years of IS, IS risk, or IS compliance related operations experience. Demonstrated understanding of Security and IS Governance and Risk as they relate to compliance and legal support. Knowledge of IS, access controls, application and platform controls, data protection, operations security, network and internet security, disaster recovery and physical security controls.
[Noted Frameworks: primarily focused on NIST 800-53 (CSF, 800-37, 800-171), HITRUST, HIPAA, SOC 2, FedRAMP, FIPS 140-2, CMS MARSE 2.0]
Recommended Licenses/Certifications:
CISSP, CISM, CGEIT [Other relevant licenses or certifications include: JD, CIPP/US, CISA, CRISC, CCSP] preferred but not required
Responsibilities
Assists to develop, document, and maintain enterprise IS policies and standards for certification and compliance.
Determines if IS policy and standard updates are needed due to changes in regulations, business processes, and best practices; assists in managing IS policy management process in IS Governance, Risk & Compliance.
Maintains an awareness of existing and proposed state and federal legislation and regulations pertaining to organization IS policies and standards. Identifies changes that will affect IS policies, standards, and procedures, and recommends appropriate changes.
Collaborates with IS Governance team to develop and manage the organizational rationalized framework, identify compliance controls, test procedures, compliance standards, etc.
Monitors current IS policies and provides oversight to meet strategic IS targets and goals.
Supports IS risk analysis, evaluations and education on organizational assets and processes as it pertains to compliance, security, Policy Exception Requests, and risk management policies and standards.
Reviews compliance regulations and manages the creation and maintenance of organizational policy initiatives and standards.
Supports leadership by creating presentations regarding IS policy metrics, IS risks, and key accomplishments, key initiatives, and other metrics.
Manages enterprise-wide response to user inquiries, and performs additional duties, as assigned.
Promotes a positive security culture for the organization by protecting the confidentiality, integrity, and availability of data and assets while assisting the company to successfully meet its strategic goals. Leads the engineering, implementation, and maintenance of security processes and solutions throughout the enterprise according to policy and risk. This role will lead the design, development, and maintenance of the security environment and architecture to ensure the assets are protected. Be a champion to their team and other business units to promote a secure organization through positive knowledge sharing, training, influences, and conduct. Serve as a senior member of the Information Security team providing senior level expertise from various IT disciplines with focus in information security.
Leads efforts to ensure adequate security processes and solutions to mitigate or remediate identified risks sufficiently to meet business objectives, contractual and/or regulatory requirements.
Leads incident response activities, ensuring security incidents are properly contained, eradicated, and recovered.
Drives development of security policies, standards and plans to ensure the protection of corporate data against unauthorized use, access, modification and destruction.
Ensures proper security logs are generated and sent to the organization's Security Information and Event Management (SIEM) system.
Researches and implements emerging technologies to enhance the security portfolio.
Persistently evaluates adherence with defined policies and standards.
Leads efforts with identifying, remediating, and/or mitigating vulnerabilities in the environment, ensuring appropriate response to high risk and aged findings.
Leads the development, design, implementation, and maintenance of a secure environment for Magellan Health.
Ensures Magellan security processes and solutions are protected against a failure or attack that reduces the organization's ability to respond to security incidents.
Ensures Magellan processes and solutions are maintained securely and highly available to protect the confidentiality, integrity and availability of assets
Monitors and ensures systems revisions and patches are up to date.
Manages and performs changes to the solutions and remove unnecessary services.
Understands risks and impact to systems in the corporate environment and their interconnectivity
Builds cross function team unity by supporting other Magellan team members to understand security risks and impact to all corporate solutions
Performs forensic analysis and risk assessments for the entire environment.
Designs and manages enterprise high-availability solutions running a complex arrangement of operating systems, including system updates, log analysis, access controls and backup.
Performs changes to the solution configurations to add new services, adapt existing services, and removes unnecessary services.
Monitors, remediates and mitigates security violations for network, devices, servers and other assets
Designs, implements and maintains security guidelines and a security infrastructure for Magellan Health.
Develops technical solutions to autonomously verify compliance with required technical controls.
Other Job Requirements
Responsibilities
7+ years of IT experience required.
Minimum of 5 years of experience in Information Security.
May substitute 2 or more relevant certifications for a year of experience.
Demonstrated knowledge and experience in each of the following information security principles: risk assessment and management, threat and vulnerability management, incident response, and identity & access management.
Understand network protocols and packet analysis tools such as TCPDUMP and Wireshark.
Knowledge of and experience with security-related systems and applications, firewalls, load balancers, intrusion detection/prevention, and web content filtering.
Familiarity with information security publications (e.g., NIST 800-53), incident response, problem resolution, vulnerability remediation, computer forensic techniques and eDiscovery, reviewing automated security test results, and network and host-based firewalls.
Ability to work with multi-discipline teams and cross-functional management.
Excellent verbal and written communication skills with the ability to collaborate effectively with other groups.
Able to effectively manage evolving and competing objectives.
Possesses a mastery of the use of information security tools and techniques.
Has strong leadership, communication, and negotiation skills.
Results driven with a bias for action.
General Job Information
Title
Lead InfoSec Governance Analyst -- Policy Development & Management (InfoSec GRC) - Fully Remote
Grade
29
Work Experience - Required
Information Security, IT
Work Experience - Preferred
Education - Required
Education - Preferred
Bachelors - Computer and Information Science
License and Certifications - Required
License and Certifications - Preferred
CEH-Certified Ethical Hacker - Enterprise, CISSP - Certified Information Systems Security Professional - Enterprise, GISP-GIAC Information Security Professional - Enterprise, GSEC-SANS GIAC Security Essentials - Enterprise, Network+ - Enterprise, Security+ - Enterprise
Magellan Health, Inc. is proud to be an Equal Opportunity Employer and a Tobacco-free workplace. EOE/M/F/Vet/Disabled.Every employee must understand, comply with and attest to the security responsibilities and security controls unique to their position; and comply with all applicable legal, regulatory, and contractual requirements and internal policies and procedures.
