The purpose of this position is to assist with information security governance, risk management, and compliance. The Information Security Governance (ISG) function sets overarching enterprise information security policy at the direction of executive management while Information Security Risk Management identifies, analyzes, and manages risk through assessments of BCBST’s adherence to security policies, standards and procedures in compliance with current legislative, contractual, and corporate requirements. Successful delivery of these information security services supports the Enterprise Information Security Program and BCBST’s mission and strategic goals.
Job Duties & Responsibilities
Perform activities published in our information security services catalog to include, but not limited to the following:
Identify information security requirements through collection and translation of disparate information sources into actionable control language in support of current and proposed governing citations.
Organize resources to assess technical, physical, and administrative controls. Identify and analyze risks to determine the adequacy of existing security controls. The assessment process includes interviewing personnel, reviewing and testing security controls, evaluating audit reports, vulnerability scans and penetration test results.
Coordinate self-assessments and report on findings.
Routinely interface with IT and business unit management to assure security initiatives are aligned with business needs. Analyze business and security needs alongside requirements and communicate risks to management.
Provide guidance and assistance to operational teams to remediate security deficiencies identified in risk assessments.
Monitor and triage information security requests through various intake mechanisms.
Identify, analyze, and transition information risks through our risk management workflow.
Measure, collect, and report on key information security services and risk indicators.
Develop and communicate information security policies, standards, and procedures so control requirements are understood and integrated throughout the enterprise.
Evaluate and respond to requests for information security attestations.
Identify and analyze vendor risks through established workflows.
Serve as a member of the Security Incident Response Team (SIRT).
Research regulatory guidance and prepare policy/standard gap assessments for management.
Assess knowledge and behavior gaps to build, deliver, and support information security awareness assessments and communication activities.
Identify process gaps and support process improvement.
Mentor and consult with the Information Security Services Team and fellow BCBST employees.
Bachelor's degree in Computer Science, Information Systems or a related field or equivalent work experience.
Incumbent must demonstrate knowledge and experience in Information Security Risk Management, Compliance and Governance.
2 years of relevant information security experience in Governance, Risk, and Compliance programs, or in a related field with similar job duties, is required.
Knowledge and experience with applicable Information Security Authoritative Sources (legislation, business regulators, and audit standards) including:
CMS (Centers for Medicare & Medicaid Services)
PCI (Payment Card Industry)
MAR
SSAE 16
GLBA
Knowledge and preferred experience with Information Technology, Security, and Service Management Frameworks including:
Knowledge and experience with information systems infrastructure and applications.
Professional certification including CISSP, CISM, CISA, GIAC, CRISC or similar security certification.
Analytical, troubleshooting and problem resolution skills.
Ability to evaluate and test new techniques and technologies.
Excellent written and oral communication skills.
Excellent relationship and team building skills.
Ability to communicate technical concepts in individual, group, and large audience settings.
Ability to interact and be a liaison with multiple departments.
Ability to build a business case for change and influence decisions.
Ability to complete tasks timely and within scope.
Ability to develop trust with peers in information security.
Ability to build new initiatives appropriate to Information Security Governance, Risk, and Compliance.
Knowledge of BCBST’s business operations is highly desirable.
Job Specific Requirements:
Experience with Factor Analysis of Information Risk (FAIR) is highly preferred.
Risk management experience with proven ability to effectively apply risk principles is preferred.
Operational risk/operational loss experience is desired.
Data Analytics experience is desired.
Bachelor's in math, engineering or audit/legal is a plus.
Number of Openings Available:
BCBST BlueCross BlueShield of Tennessee, Inc.
BCBST is an Equal Opportunity employer (EEO), and all employees and applicants will be entitled to equal employment opportunities when employment decisions are made. BCBST will take affirmative action to recruit, hire, train and promote individuals in all job classifications without regard to race, religion, color, age, sex, national origin, citizenship, pregnancy, veteran status, sexual orientation, physical or mental disability, gender identity, or membership in a historically under-represented group.
BlueCross BlueShield of Tennessee is not accepting unsolicited assistance from search firms for this employment opportunity. All resumes submitted by search firms to any employee at BlueCross BlueShield of Tennessee via e-mail, the Internet or any other method without a valid, written Direct Placement Agreement in place for this position from BlueCross BlueShield of Tennessee HR/Talent Acquisition will not be considered. No fee will be paid in the event the applicant is hired by BlueCross BlueShield of Tennessee as a result of the referral or through other means.
Tobacco-Free Hiring Statement
To further our mission of peace of mind through better health, effective 2017, BlueCross BlueShield of Tennessee and its subsidiaries no longer hire individuals who use tobacco or nicotine products (including but not limited to cigarettes, cigars, pipe tobacco, snuff, chewing tobacco, gum, patch, lozenges and electronic or smokeless cigarettes) in any form in Tennessee and where state law permits. A tobacco or nicotine free hiring practice is part of an effort to combat serious diseases, as well as to promote health and wellness for our employees and our community. All offers of employment will be contingent upon passing a background check which includes an illegal drug and tobacco/nicotine test. An individual whose post offer screening result is positive for illegal drugs or tobacco/nicotine and/or whose background check is verified to be unsatisfactory will be disqualified from employment, the job offer will be withdrawn, and they may be disqualified from applying for employment for six (6) months from the date of the post offer screening results.
Resources to help individuals discontinue the use of tobacco/nicotine products include smokefree.gov or 1-800-QUIT-NOW.