Responsibilities:
Provide oversight of end-to-end assessment steps for regulatory entities, i.e., identifying submitted control evidence in assessments to validate accuracy
Integrate threat modeling, risk management, security tools, standards, and risk management processes to support ISRM teams and other McKesson stakeholders
Oversee the implementation of information security risk management processes across McKesson
Articulate risk and business impact to stakeholders
Communicate the urgency and need to remediate issues or vulnerabilities commensurate with the risk they present to McKesson
Develop and maintain security risk and response artifacts systematically to produce security risk metrics that can measure the overall program maturity and progress
Create visibility and awareness of security risks that require attention at the appropriate levels, including executive leadership teams, the CISO and others
Demonstrate ability to strike a balance between strategic and tactical activities required to run information risk response and remediation efforts
Cultivate the practice of staying abreast of the latest trends and developments in information security risk response and remediation activities followed across the industry
Serve as designated lead and support the information security risk assessment program across McKesson
Lead coordination efforts between technology stakeholders and ensure high-quality and accurate reporting and tracking
Evolve GRC internal tools and processes that manage the information security risks in McKesson, aligning with all involved stakeholders and users of the GRC tool on their needs and input
Build relationships and become a trusted advisor with BU and technology owners to influence change and drive ownership and accountability
Minimum Requirements:
4+ years’ experience in information security risk in an organization
2+ years’ supervisory and/or management experience
Critical Skills:
Experience with risk management frameworks along with a solid understanding of industry best practices in information security risk management
Subject Matter Expert (SME) in healthcare regulatory entities such as HIPAA, EU GDPR, CCPA, PIPEDA and OCR
Thorough understanding of industry and commonly adopted security standards and practices (e.g. applicable NIST 800-53; 800-171 (800-39) standards, CIS, ISO27001/2, ISO27005, SANS, CERT), HITRUST, SOC1/SOC2 and PCI DSS Compliance
Administration experience with BWise, RSA Archer or other GRC tool
Participate in strategic planning with regards to program development
Assist with information risk assessments and risk acceptances, ensuring actions and goals are well documented
Expert knowledge of information security and risk management principles, conducting risk impact assessments, vulnerability management and a level of familiarity with threat modelling techniques
Knowledge of cloud-based infrastructures/software and how they affect security needs
Knowledge of implementing security practices in application development and agile environments
Additional Knowledge & Skills:
Knowledge of project and program management
Experience conducting security risk management training
Knowledge regarding healthcare IT and Risk Management Regulations
Familiarity with threat detection, threat intelligence and hacking methods
Experience in large, highly segmented and regulated organizations
Experience interacting with security vendors and customers
Self-motivation and the ability to work under minimal supervision are a must
Excellent at multitasking, and open to constant learning
Energetic and positive attitude
Excellent problem solving and analytical skills; outstanding oral and written communication skills
Irvine, CA
McKesson Corporation provides pharmaceuticals and medical supplies in the United States and internationally. It operates in three segments: U.S. Pharmaceutical and Specialty Solutions, European Pharmaceutical Solutions, and Medical-Surgical Solutions. The company distributes branded, generic, specialty, biosimilar, and over-the-counter pharmaceutical drugs, as well as other healthcare-related products; and offers practice management, technology, clinical support, and business solutions to community-based oncology and other specialty practices.
It also provides distribution and services to wholesale, institutional, and retail customers and serves patients and consumers in 13 European countries through approximately 2,000 own pharmacies and 6,900 participating pharmacies; and medical-surgical supply distribution, logistics, and other services to healthcare providers. In addition, the company provides software and analytics, network solutions, and technology-enabled services; automation solutions to its retail and hospital customers; health information exchange solutions; and innovative technologies that support retail pharmacies and manufacturers.
It serves retail national accounts, including national and regional chains, food and drug combinations, mail order pharmacies, and mass merchandisers; independent, and small and medium retail pharmacies; and institutional healthcare providers, such as hospitals, health systems, integrated delivery networks, and long-term care providers, as well as pharmaceutical manufacturers. McKesson Corporation was founded in 1833 and is headquartered in Irving, California.