Cyber Security Analyst I/II/III/IV- 015293
Job Description
The Cybersecurity Analyst is responsible for delivering routine day-to-day administration, security request queue prioritization, simple and complex problem resolution, support for internal and external audits, as well as compliance, governance, and risk management functions. This position interfaces with various stakeholders to govern security controls, frameworks, regulation requirements for information security processes, and practices throughout the Health Plan business. This role performs standard request processes as well as various reviews with business owners to assess Information Security. The Cybersecurity Analyst manages standard requests, audits, risk assessments, and/or assurance controls aligning within cross-functional groups in support of Health Plan compliance needs.
Additionally, the Cybersecurity Analyst partners closely with Corporate Audit, Corporate Compliance, and Human Resources related to information security controls, standards, and policy requirements.
Essential Responsibilities/Accountabilities
Level I:
• Completes standard access request processing through pre-defined procedures and within agreed Service Level Agreements (SLAs) to ensure rights assigned or modified are properly granted.
• Resolves problem tickets related to corporate applications and assists other Analysts.
• Contributes input to the Organization's Cybersecurity program performance metrics.
• Responds to internal customer queries, reports and/or requests relating to IT controls, policies, and standards.
• Assists with issues relating to information security controls including the development of procedures, plans, and security forms to aid the information security program, as well as monitoring and response to unexpected information security control changes across the environment.
• Communicates and collaborates proactively with external and internal customers to gather business and functional requirements in alignment with Corporate Policies.
• Creates and updates standard operating procedures for assigned security controls, applications, and platforms.
• Executes and supports Cybersecurity program initiatives, such as maintaining processes and workflows.
• Consistently demonstrates high standards of integrity by supporting the Lifetime Healthcare Companies' mission and values, adhering to the Corporate Code of Conduct, and Leading to the Lifetime Way values and beliefs.
• Maintains high regard for member privacy in accordance with the corporate privacy policies and procedures.
• Regular and reliable attendance is expected and required.
• Performs other functions as assigned by management.
Level II (in addition to Level I essential responsibilities/accountabilities):
• Develops Cybersecurity program performance metrics, monitors program performance and produces required program reports.
• Proactively identifies process improvement and/or automation opportunities for security controls, policies, and practices.
• Performs advanced security requests and provides guidance to lower-level Analysts.
• Works with system users and data owners to identify necessary control approval requirements for Health Plan information protection.
• Develops and publishes access listings to support key stakeholder requests.
• Develops, publishes, and manages the lifecycle of Information Security policies, standards, procedures, and guidelines in collaboration with other internal staff members.
• Promotes compliance with Information Security policies, standards, procedures, and guidelines including the development of communications throughout the business, facilitating information sessions, and developing guidance documents.
• Informs management of potential Information Security/Technology issues that may impact the Company's compliance or initiatives.
• Assists with the design, development, and delivery of the Organization's Security Awareness program.
• Conducts periodic security risk assessments to ensure alignment with Information Technology/Security policies, processes, and procedures.
• Performs quality assurance activities for compliance-related collateral.
• Coordinates and assists in the execution of internal and external audits of information technology systems or controls.
• Conducts evaluations of information system internal controls and works collaboratively with management to identify and facilitate corrective actions.
• Identifies audit and compliance related issues to reduce the risk of security exposures on the support systems and works with various teams to implement the improvements.
• Mentors and trains Level I Analysts.
Level III (in addition to Level II essential responsibilities/accountabilities):
• Provides guidance and direction on security controls, policy, and practices to key stakeholders.
• Plans and executes complex audits of technology platforms, evaluates information systems' internal controls, and works collaboratively with management to identify and facilitate corrective actions.
• Performs as the Subject Matter Expert for the majority of Information Security Identity management technologies, controls, processes, and practices internally to the Health Plan, and externally in the industry.
• Performs third party questionnaires for information management controls related to cybersecurity.
• Assists stakeholders with complex security risk assessments.
• Mentors and trains Level I and II Analysts.
Level IV (in addition to Level III essential responsibilities/accountabilities):
• May act as Team Leader in management's absence.
• Performs as the Subject Matter Expert for Information Security Identity management technologies, controls, processes, and practices internally to the Health Plan, and externally in the industry.
• Conducts complex security risk assessments.
Minimum Qualifications:
NOTE: We include multiple levels of classification differentiated by demonstrated knowledge, skills, and the ability to manage increasingly independent and/or complex assignments, broader responsibility, additional decision making, and in some cases, becoming a resource to others. In addition to using this differentiated approach to place new hires, it also provides guideposts for employee development and promotional opportunities.
Level I:
• Related internship, co-op or professional experience preferred.
• High School Diploma or equivalent required. Associate's degree preferred.
• Basic knowledge of multi-platform operating systems, programming languages, databases, and security structures.
• Basic knowledge of IT and IS GRC best practices and regulatory/industry requirements.
• Basic knowledge preferred of various information security regulations, frameworks, and/or industry standards, such as but not limited to:
o Regulation: HIPAA/HITECH, GLBA/FFIEC Examination Handbook, NAIC MAR/SOX, NYS DFS Cybersecurity Regulations
o Framework: COSO, COBIT, NIST Cybersecurity Framework (CSF)
o Industry Standard: PCI/DSS, NIST SP 800-53/30, SSAE 18, ISO, HITRUST
• Strong planning and organizational skills.
• Strong customer service skills.
• Able to work both independently and as part of a team.
Level II (in addition to Level I minimum qualifications):
• Three (3) years of related work experience in IT technical or security controls, security technology, policy, risk practices, access management or related field.
• Strong ability to articulate business risks relating to technical issues for both technical and non-technical audiences.
• Strong knowledge of IT and IS Governance, Risk, and Compliance (GRC) best practices and regulatory/industry requirements.
• Proven ability to recognize performance improvement opportunities.
• Intermediate knowledge required of various information security regulations, frameworks, and/or industry standards such as but not limited to:
o Regulation: HIPAA/HITECH, GLBA/FFIEC Examination Handbook, NAIC MAR/SOX, NYS DFS Cybersecurity Regulations
o Framework: COSO, COBIT, NIST Cybersecurity Framework (CSF)
o Industry Standard: PCI/DSS, NIST SP 800-53/30, SSAE 18, ISO, HITRUST
• Experience in the design and evaluation of internal controls or similar project controls.
• Experience in the creation, review, and lifecycle management of IT policies, processes, and procedures.
• Demonstrated skill in risk assessment, both quantitative and qualitative.
• Familiarity with maturity models as aids to gap assessment and remediation planning.
• Effective communicator at all levels of an organization.
• Strong problem-solving skills.
• Ability to act independently and exercise good judgment, as well as the ability to work cross-functionally and create virtual teams.
• One information security certification preferred such as but not limited to:
o Security+
o CISSP
o CISM
o CISA
o CDPSE
o CRISC
Level III (in addition to Level II minimum qualifications):
• Six (6) years of related work experience in IT technical or security controls, security technology, policy, risk practices, access management or related field.
• Advanced knowledge required of various information security regulations, frameworks, and/or industry standards such as but not limited to:
o Regulation: HIPAA/HITECH, GLBA/FFIEC Examination Handbook, NAIC MAR/SOX, NYS DFS Cybersecurity Regulations
o Framework: COSO, COBIT, NIST Cybersecurity Framework (CSF)
o Industry Standard: PCI/DSS, NIST SP 800-53/30, SSAE 18, ISO, HITRUST
• Strong leadership or mentorship experience preferred.
• Ability to work - and to motivate others to work - under pressure and within tight timelines.
• One or more of the certifications listed above (under Level II) preferred.
Level IV (in addition to Level III minimum qualifications):
• Ten (10) years of related work experience in IT technical or security controls, security technology, policy, risk practices, access management or related field.
• Experience providing work direction for one or more individuals' specific projects and initiatives.
• Experience providing guidance and mentorship to more junior team members.
• Knowledge of Security Frameworks and translating aspects into enhancing security postures.
Physical Requirements:
• Ability to complete work in a traditional office environment under fluorescent lighting.
• Must be able to function while sitting at a desk viewing a computer and using a keyboard and mouse for 3 or more hours at a time.
• Must be able to travel across the enterprise.
• Ability to work in a home office for continuous periods of time for business continuity.
• May require working outside normal business hours, as an on-call responsibility.
The Lifetime Healthcare Companies aims to attract the best talent from diverse socioeconomic, cultural, and experiential backgrounds, to diversify our workforce and best reflect the communities we serve.
Our mission is to foster an environment where diversity and inclusion are explicitly recognized as fundamental parts of our organizational culture. We believe that diversity of thought and background drives innovation which enables us to provide leading-edge healthcare insurance and services. With that mission in mind, we recruit the best candidates from all communities, to diversify and strengthen our workforce.
OUR COMPANY CULTURE:
Employees are united by our Lifetime Way Values & Behaviors that include compassion, pride, excellence, innovation and having fun! We aim to be an employer of choice by valuing workforce diversity, innovative thinking, employee development, and by offering competitive compensation and benefits.
In support of the Americans with Disabilities Act, this job description lists only those responsibilities and qualifications deemed essential to the position.
Equal Opportunity Employer
Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities
The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor's legal duty to furnish information. 41 CFR 60-1.35(c)
Date Posted
10/29/2022