McKesson

Senior Analyst

Posted on: 15 Nov 2021

Alpharetta, GA

Job Description

Responsibilities:

Provide oversight of end-to-end assessment steps for regulatory entities, i.e., identifying submitted control evidence in assessments to validate accuracy

Integrate threat modeling, risk management, security tools, standards, and risk management processes to support ISRM teams and other McKesson stakeholders

Oversee the implementation of information security risk management processes across McKesson

Articulate risk and business impact to stakeholders

Communicate the urgency and need to remediate issues or vulnerabilities commensurate with the risk they present to McKesson

Develop and maintain security risk and response artifacts systematically to produce security risk metrics that can measure the overall program maturity and progress

Create visibility and awareness at the appropriate level, including executive leadership teams, the CISO and others, on security risks that require attention

Demonstrate ability to strike a balance between strategic and tactical activities required to run information risk response and remediation efforts

Cultivate the practice of staying abreast of the latest trends and developments in information security risk response and remediation activities followed across the industry

Serve as designated lead and support the information security risk assessment program across McKesson

Lead coordination efforts between technology stakeholders and ensure high-quality and accurate reporting and tracking 

Evolve GRC internal tools and processes that manage the information security risks in McKesson, aligning with all involved stakeholders and users of the GRC tool on their needs and input

Build relationships and become a trusted advisor with BU and technology owners to influence change and drive ownership and accountability   

Minimum Requirements:

4+ years’ experience in information security risk in an organization

2+ years’ supervisory and/or management experience

Critical Skills:

Experience with risk management frameworks along with a solid understanding of industry best practices in information security risk management

Subject Matter Expert (SME) in healthcare regulatory entities such as HIPAA, EU GDPR, CCPA, PIPEDA and OCR

Thorough understanding of industry and commonly adopted security standards and practices (e.g., applicable NIST 800-53; 800-171 (800-39) standards, CIS, ISO27001/2, ISO27005, SANS, CERT), HITRUST, SOC1/SOC2 and PCI DSS compliance

Administration experience with BWise, RSA Archer or other GRC tool

Participate in strategic planning with regards to program development

Assist with information risk assessments and risk acceptances, ensuring actions and goals are well documented

Expert knowledge of information security and risk management principles, conducting risk impact assessments, vulnerability management and a level of familiarity with threat modelling techniques

Knowledge of cloud-based infrastructures/software and how they affect security needs

Knowledge of implementing security practices in application development and agile environments

Additional Knowledge & Skills:

Knowledge of project and program management

Experience conducting security risk management training

Knowledge regarding healthcare IT and Risk Management Regulations

Familiarity with threat detection, threat intelligence and hacking methods

Experience in large, highly segmented and regulated organizations

Experience interacting with security vendors and customers

Self-motivation and the ability to work under minimal supervision are a must

Excellent at multitasking, and open to constant learning

Energetic and positive attitude

Excellent problem solving and analytical skills; outstanding oral and written communication skills

McKesson

Irvine, CA

McKesson Corporation provides pharmaceuticals and medical supplies in the United States and internationally. It operates in three segments: U.S. Pharmaceutical and Specialty Solutions, European Pharmaceutical Solutions, and Medical-Surgical Solutions. The company distributes branded, generic, specialty, biosimilar, and over-the-counter pharmaceutical drugs, as well as other healthcare-related products; and offers practice management, technology, clinical support, and business solutions to community-based oncology and other specialty practices.

It also provides distribution and services to wholesale, institutional, and retail customers and serves patients and consumers in 13 European countries through approximately 2,000 own pharmacies and 6,900 participating pharmacies; and medical-surgical supply distribution, logistics, and other services to healthcare providers. In addition, the company provides software and analytics, network solutions, and technology-enabled services; automation solutions to its retail and hospital customers; health information exchange solutions; and innovative technologies that support retail pharmacies and manufacturers.

It serves retail national accounts, including national and regional chains, food and drug combinations, mail order pharmacies, and mass merchandisers; independent, and small and medium retail pharmacies; and institutional healthcare providers, such as hospitals, health systems, integrated delivery networks, and long-term care providers, as well as pharmaceutical manufacturers. McKesson Corporation was founded in 1833 and is headquartered in Irving, California.
