Company: AdventHealth

Address: Altamonte Springs, FL
Form of work: Full-Time
Category: Engineering/Architecture/scientific

Job description

All the benefits and perks you need for you and your family:
- Benefits from Day One
- Paid Days Off from Day One
- Student Loan Repayment Program
- Career Development
- Whole Person Wellbeing Resources
- Mental Health Resources and Support
Our promise to you:
Joining AdventHealth is about being part of something bigger. It's about belonging to a community that believes in the wholeness of each person, and serves to uplift others in body, mind and spirit. AdventHealth is a place where you can thrive professionally, and grow spiritually, by Extending the Healing Ministry of Christ. Where you will be valued for who you are and the unique experiences you bring to our purpose-minded team. All while understanding that together we are even better.
Schedule: Full Time
The role you'll contribute:
The Third Party Risk Management (TPRM) Specialist - Senior, as part of the Enterprise Security team, will safeguard information system assets by developing an understanding of the security requirements of AdventHealth (ADH) Third parties and their information systems to identify potential or actual security compliance issues. The TPRM Specialist Senior will perform regular and ad-hoc risk assessments and follow up on remediation activities to update the risk posture on implemented security controls.
The TPRM Specialist Senior will support the business in assessing 3rd parties that may access, process, transmit and/or store AdventHealth Data such as Protected Health Information (PHI), Payment Card Industry (PCI), or Personally Identifiable Information (PII).
Other key activities include reviewing existing information security policies and working with planning partners/relationship managers, contracting, and business owners to discuss compensating controls, risk mitigation commitments, and exceptions that may be required if the organization chooses to move forward with onboarding the solution. In part, they must analyze the information provided by the third parties against the security requirements, measure the risk and outline the concerns to help the business and operational teams develop effective strategies for mitigating security risks.
The TPRM Specialist Senior will support the annual audit on the key PeopleSoft Information Technology General Controls in partnership with the AHS Internal Audit team. In addition, they will support the annual PHSO SOC 2 Type 2 assessment, collaborating with key stakeholders, obtaining and reviewing evidence and working closely with the Third Party contractor engaged to complete the report.
The TPRM Specialist Senior should also have the knowledge of industry best practices for supporting the security of information systems and related techniques in order to handle the confidentiality, integrity and availability of the sensitive information. Strong interpersonal and communication skills, critical-thinking, analytical and problem-solving skills are required to avoid checkbox mentality and tackle unexpected challenges by coming up with intelligent ways of providing information security through best practices and compensating controls. This specialist must have an excellent understanding of current security standards, protocols, up-to-date knowledge of security threats and risks, related mitigation skills along with project management experience. He/she should be able to work well under pressure, independently, and be seen as a leader when participating in a team setting to achieve organizational goals.
The value you'll bring to the team:
• Conduct annual reviews of security questionnaire and enhance vendor toolkit(s) (risk tier, risk score, etc.).
• Determine vendor risk level using risk tier toolkit(s) and continually evaluate for accuracy
• Send security questionnaire to vendors based on risk level
• Partner with business, planning partner, and vendor point of contact to ensure responses are received within agreed upon timelines
• Escalate compliance concerns timely and effectively to the appropriate business line management and to the Director of Enterprise Security.
• Examine records, reports, operating practices, and evidence to finalize assessment report and remediation plan
• Provide expertise and oversight of 3rd party findings with documented assessment gaps, information security risks and remediation recommendations in Governance, Risk, and Compliance platform to ensure current and emerging threats are adequately identified and remediated with the 3rd party
• Negotiate vendor remediation planning and implementation efforts to reduce organizational risk
• Facilitate and enhance the use of Governance, Risk, and Compliance technology-based tools to review, design and/or deliver services
• Provide expertise in information security control implementations, standards, and best practices related to information security and compliance (e.g., PCI-DSS and HITRUST) with standards, laws, and regulations (e.g., AICPA and HIPAA)
• Support the annual audit and review key PeopleSoft Information Technology General Controls in partnership with the AHS Internal Audit team.
• Support the annual PHSO SOC 2 Type 2 assessment by organizing interviews, obtaining and reviewing evidence, and meeting with the Third Party regularly to ensure AdventHealth provides everything required for the report.
• Exercise professional judgment by evaluating information, making recommendations, and maintaining confidentiality of data per AHS policies, avoiding conflict of interests
• Contribute to the enhancement and delivery of a comprehensive Third Party Risk Management program through the continual review, evaluation, and testing of administrative, physical and technical controls to assess effectiveness
• Assist internal/external auditors with special projects or assessments, as needed
• Lead and actively support mentoring relationships within the team, department and organization
• Engage and work with a variety of internal departments and external organizations.
• Ability to elicit and understand customer needs
• Participate in routine administrative work of the information security department.
Qualifications
The expertise and experiences you'll need to succeed:
KNOWLEDGE AND SKILLS REQUIRED:
• Knowledge of the following areas: HITRUST, PCI-DSS, HIPAA Security and Privacy Rule, Healthcare IT Standards (HITSP), NIST, ISO and HITECH.
• Working knowledge of third-party risk management.
• Risk management and compliance program development relating to HIPAA, FERPA, PCI-DSS, security awareness, policy and standards development
• Strong background in IT, information security, applications, and/or data centers
• In-depth knowledge and experience in IT Security, including access controls, network Security, logging/monitoring, vulnerability assessments, system hardening, secure software development, application security, encryption and key management best practices etc.
• Understanding of security requirements related to cloud-based applications/environments
• Interpretation of Generally Accepted Auditing Standards (GAAS), and/or SSAE-16/18 reports
• Negotiation of remediation planning and efforts with the Third Party
• IIA and ISACA standards, including preparation of detailed work papers adequately supporting conclusions to ensure a complete work product
• Complementing assessments with the knowledge of various technologies to help AHS achieve its information security compliance objectives
• Skilled at logging, monitoring, and reporting key performance indicators (KPI) and development of continuous improvement plans.
• Communicate effectively, both verbally and in writing
• Well versed in project management procedures and concepts.
• Time management skills
• Multi-tasking, prioritization, decision making, presentation, and strong interpersonal skills
• Build and actively support mentoring relationships within the team, department and organization
• Ability to elicit and understand customer needs
KNOWLEDGE AND SKILLS PREFERRED:
• A broad understanding of IT service functions such as technical security, network engineering, application development, server administration, database administration, user account administration, identity and access management, end-point device management and academic support.
• Experience with large enterprise system platforms such as EMR/EHR, PeopleSoft, Oracle databases, Windows and UNIX/LINUX
• GRC tool development and implementation (Navex LockPath IRM, highly desirable).
• Ability to develop a comprehensive picture of an organization's technology and information needs, and then assess the security structures and controls designed to protect them.
• Strong technical background in information security requirements and standards (e.g., HITRUST, HITECH, NIST, ISO 27001/2, ITIL, etc).
• Sound understanding of Payment Card Industry (PCI) standards and requirements for PCI risk assessments.
EDUCATION AND EXPERIENCE REQUIRED:
• Bachelor's degree in computer science, information systems, cyber security, a related field or an equivalent five years of related work experience
• Five or more years of experience in risk assessments and risk-based information security programs.
• At least five years of experience with information security frameworks (NIST, ISO, or HITRUST).
EDUCATION AND EXPERIENCE PREFERRED:
• Master's degree - Computer Sciences, Information Systems, Cybersecurity or Business Administration
• Five or more years of experience in Information security audit and compliance initiatives within large complex organizations
• Three or more years of experience in a healthcare environment
LICENSURE, CERTIFICATION OR REGISTRATION REQUIRED:
One of the following
• Certified Information Systems Security Professional (CISSP)
• Security+
One of the following
• PCI Professional (PCIP)
• Internal Security Assessor (ISA)
LICENSURE, CERTIFICATION OR REGISTRATION PREFERRED:
• Certified Information Systems Auditor (CISA) or
• Healthcare Information Security Privacy Professional (HCISPP)
Refer code: 8890379. Adventhealth - The previous day - 2024-04-05 11:05
