At Bon Secours Mercy Health, we are dedicated to continually improving health care quality, safety and cost effectiveness. Our hospitals, care sites and clinicians are recognized for clinical and operational excellence.
**Summary of Primary Function**
The Cybersecurity Assurance Assessor proactively evaluates the system and network enterprise environments of the health system and uses technical knowledge and analytical skill to determine the optimum mix of technology, policy, procedures, and education to implement effective cybersecurity programs and strategies. The Assurance Assessor determines security controls, configurations, procedures, and policies based on industry standards, best practices, federal and state regulations, and contractual requirements. The Assurance Assessor establishes and manages program control processes and compliance assessments to determine deviations from acceptable configurations, policy, or standards, and provides expertise on compliance requirements for internal and external reviews. The Assurance Assessor conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls.
**Essential Job Functions**
+ Communicates and ensures programs are in compliance with applicable laws, regulations, policies, and standards
+ Serve as subject matter expert to internal business and technology teams on a range of compliance standards as influenced by regulatory mandates (HIPAA, FTC) and industry best practices (e.g. NIST CSF, HITRUST, ITIL, PCI, SOC2 Type II, etc.)
+ Actively participate in and manage various assessments such as HITRUST, PCI Compliance, HIPAA Risk Assessment, SOC2 Type II, etc.
+ Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
+ Document best practices for security and information assurance based on business and user requirements
+ Perform security reviews, identify gaps in security architecture and develop a security risk management plan.
+ Perform risk analysis (i.e., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a certification process.
+ Provide input into the Risk Management Framework process activities and related documentation
+ Participate in the Risk Governance process to provide input on security risks, mitigations, and other technical risks.
+ Develop methods to monitor and measure risk, compliance, and assurance efforts
+ Perform internal control testing.
+ Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
+ Contribute to other Information Risk and Assurance programs and functions as needed.
+ Accountable for the reporting of key metrics as defined by the program in a timely manner.
+ All other duties as assigned.
This document is not an exhaustive list of all responsibilities, skills, duties, requirements, or working conditions associated with the job. Employees may be required to perform other job-related duties as required by their supervisor, subject to reasonable accommodation.
**Education Qualifications**
Bachelor's degree (required)
Specialty/Major: Business, Computer Science, Information Systems or healthcare-related field
**Licensing/ Certification**
HITRUST CCSFP and/or PCI-P (required)
PCI-ISA, CISSP, CRISC, CISM, GSLC or SANS GIAC certifications (preferred)
**Minimum Qualifications**
+ 5+ years of relevant work experience in information security and/or services in a multi-facility organization.
+ 2+ years of experience as a Security Control Assessor
+ 2+ years of experience managing external assessments such as HITRUST, PCI Compliance, HIPAA Risk Assessment, SOC2 Type II.
+ 1+ years of experience with project management
+ 1+ years of experience working remotely
**Additional Skills**
+ Exceptional organizational skills with ability to manage multiple priorities in a rapidly changing environment and maintain composure under pressure.
+ Ability to work independently or as part of a team.
+ Advanced knowledge of IT systems and processes and experience evaluating internal and external technical control systems.
+ Skilled at preparing and delivering briefings, presentations, and project plans.
+ Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
+ Advanced knowledge of cybersecurity and privacy principles used to manage risks related to the use, processing, storage and transmission of information or data.
+ Excellent knowledge of current data security best practices, including relevant information security legal requirements (HIPAA, OIG, Sarbanes-Oxley, GLBA).
**Combination of post-secondary education and experience in lieu of a degree is accepted.**
Many of our opportunities reward* your hard work with:
+ Comprehensive, affordable medical, dental and vision plans
+ Prescription drug coverage
+ Flexible spending accounts
+ Life insurance w/AD&D
+ Employer contributions to retirement savings plan when eligible
+ Paid time off
+ Educational assistance
+ And much more
*Benefits offerings vary according to employment status
All applicants will receive consideration for employment without regard to race, color, national origin, religion, sex, sexual orientation, gender identity, age, genetic information, or protected veteran status, and will not be discriminated against on the basis of disability. If you’d like to view a copy of the affirmative action plan or policy statement for Mercy Health Youngstown, Ohio or Bon Secours Franklin, Virginia; Petersburg, Virginia; and Emporia, Virginia, which are Affirmative Action and Equal Opportunity Employers, please email . If you are an individual with a disability and would like to request a reasonable accommodation as part of the employment selection process, please contact The Talent Acquisition Team at