Portland IT Jobs

It’s raining opportunity in Portland

The Portland tech market is characterized by many small, highly nimble firms at the leading edge of innovation, and by a booming job market. Come grow with us in Portland: check out our Portland IT jobs.

Information Risk Program Advisor
Job Order #13638
Portland-Vancouver-Beaverton, Oregon - Added Nov 7, 2017

Full Description:

Primary Job Purpose

This position is part of a team that develops, maintains and enhances the company's information risk program. The scope of this program includes the security, privacy, regulatory compliance, and contractual obligations relating to the information systems and sensitive data managed by the company. Accordingly, the candidate works with team members to design and implement related policies, procedures, controls, and standards. The candidate will apply extensive technical skills (e.g., network, SDLC, cloud operations, etc.) to consult on the reengineering of business processes to meet control frameworks while minimizing business friction. The candidate also collaborates with team members to represent the company's information risk program to external auditors, customers, and other third parties.

Minimum Requirements

Competencies and Knowledge:

All Levels

Must be able to adapt effectively to rapidly changing technologies and methodologies and apply them to technological and/or business needs.

Demonstrated leadership skills for projects in a technology-oriented field with a high emphasis on communicative and interpersonal relationship skills.

Excellent oral communication skills, including the ability to express complex technical concepts in terms that are understandable to the business while preserving confidentiality. Ability to present and discuss technical information in a way that establishes rapport, persuades others, and enhances understanding among technical and non-technical audiences.

Excellent written communication skills, including the ability to exercise judgement to determine the correct level of detail, content and context for formal and informal documentation (e.g. information risk reviews, procedures, presentations, emails, etc.). Able to distil complex topics into concise, easy-to-understand documents.

Familiarity with industry standard tools and technology, which may include application development languages and packages, client/server systems, Web servers and applications, and various third-party utilities and tools for integrating applications with databases and legacy systems.

Must be able to work effectively with other team members across the IT organization, management and business customers. Demonstrated ability to be flexible when changes in work are introduced, and to focus on finding solutions that meet the business needs.

Understanding of information risk related laws and regulations governing personal information, particularly HIPAA.
Understanding of information security industry and privacy best practices (HIPAA, SOC 2, NIST, HiTrust, CSA, PCI, etc.).

Experience with IT audit concepts and control frameworks.

Understanding of Cloud security (AWS preferred) standards and controls.

Familiarity with information risk controls relating to
• SaaS applications and supporting microservices.
• Continuous integration and deployment of changes.
• System development life cycle.
• Remediation of SAST, DAST, SCA, and network vulnerability scan results.
• Vulnerability scanning and automated patching architectures.
• Digital (public/private key) certificates.

Familiarity with network security, including OSI model, subnetting, firewalls (AWS security groups), etc.

Familiarity with complex systems integration issues involving many disparate data sources.

Experience logging and monitoring for information risk events.

In addition, the Senior and Lead levels would have:

Knowledge of regulatory and legal chain-of-evidence protocols.
Knowledge of information security and privacy incident handling, including:
• Developing processes and procedures.
• Roles and responsibilities of a security incident response team.
• Communication, escalation, and status reporting.

Deep understanding of information risk related laws and regulations governing personal information, particularly HIPAA.
Deep understanding of information security industry and privacy best practices (HIPAA, SOC 2, NIST, HiTrust, CSA, PCI, etc.).

Deep understanding of cloud security (AWS preferred) standards and controls.

Deep understanding of network security, including OSI model, subnetting, firewalls (AWS security groups), etc.

Knowledge of and experience with complex systems integration issues involving many disparate data sources.

Knowledge and experience implementing information risk controls relating to
• SaaS applications and supporting microservices.
• Continuous integration and deployment of changes.
• System development life cycle.
• Remediation of SAST, DAST, SCA, and network vulnerability scan results.
• Vulnerability scanning and automated patching architectures.
• Digital (public/private key) certificates.

General Functions and Outcomes

All levels

Evaluates existing policies, processes, procedures, and standards to identify and document information risks.

Performs formal information risk assessments.

Helps identify, design, refine, and implement controls to mitigate information risk to an acceptable level.

Suggests enhancements to the verbiage of existing policies, procedures, controls, etc. to improve the clarity, completeness, and accuracy of this documentation.

Performs formal (documented) reviews of changes to existing applications and supporting systems to determine the impact on the company's information risk profile. Such reviews must consider related and/or connected systems.

Diagrams logical data flows and maps those flows to physical (systems, network) infrastructure.

Operates controls designed to mitigate information risk to an acceptable level.

Assists with customer audits and responds to customer requests for information regarding the company's information security and compliance programs.

Collaborates with internal teams (e.g., Technical Operations, Development Operations, Software Engineering) and external auditors to successfully complete audits and assessments, such as SOC 2 and HiTrust.

Liaises with the corporate information security and privacy offices to facilitate alignment and synergy with requirements and processes.

Researches, interprets and understands laws, regulations and other regulatory and compliance guidance.

Additional General Functions & Outcomes for Senior level

Reviews and negotiates business associate agreements, master services agreements, and other customer contracts, particularly as they relate to the organization’s security and privacy obligations.

Stays current on industry and regulatory trends.

Works with various technical (e.g., IT Operations, Development Operations, Software Engineering, etc.) and non-technical departments to:
• Understand their practices relating to information risk.
• Understand the impact to information risk of various software development life cycle approaches and implementation nuances.
• Guide and manage the refinement of their practices to better align with the company's policies, processes and procedures that mitigate information risk to an acceptable level.
• Develop configuration standards for various technologies.
• Guide and manage remediation of compliance program (e.g. SOC 2, HiTrust, etc.) control gaps, including information risks identified by various security tools (SAST, DAST, network vulnerability scans, IDS/IPS, etc.).

Reviews operation of the team’s controls designed to mitigate information risk to an acceptable level.

Manages customer audits and responds to customer requests for information regarding HealthSparq's information security and compliance programs.

Partners with other teams to evaluate third-party products (e.g., IDS/IPS, anti-virus) that facilitate information risk program objectives.

Manages third-party risk-mitigation service engagements (e.g., penetration testing, risk assessments).

Triages and coordinates response to information security and privacy incidents.

Able to work with little to no direction; manage own workload; resolve conflicting priorities and deliver on commitments.

Competencies and Knowledge requirements:

Normally to be proficient in the competencies listed above:

Information Risk Advisor would have a Bachelor's degree in Computer Science, Information Systems, or a related field. A Juris Doctor degree is a plus. 4+ years of experience in audit, legal, project management, security and/or other information risk management activities, or in developing related policies, standards, or procedures; or an equivalent combination of education and experience.

Senior Information Risk Advisor would have a Bachelor's degree in Computer Science, Information Systems, or a related field. A Juris Doctor degree is a plus. 6+ years of experience in audit, legal, project management, security and/or other information risk management activities, or in developing related policies, standards, or procedures; or an equivalent combination of education and experience.

Required Licenses, Certifications, Registration, Etc.

Information Risk Advisor and Senior Information Risk Advisor require a network certification or equivalent, and HCISPP or equivalent within one year of hire. CISSP is preferred.

CISA and project management certification are preferred.

Work Environment

No unusual working conditions
May be required to work outside normal working hours
Work is primarily performed in an office environment
