Fred Hutchinson Cancer Center
GRC Engineer
Fred Hutchinson Cancer Center, Seattle, Washington, us, 98127
GRC (Governance, Risk, and Compliance) Engineer
The GRC Engineer is responsible for participating in the information security program to ensure that information assets and associated technology, applications, systems, infrastructure, and processes are adequately protected. The GRC engineer is responsible for identifying, evaluating, and reporting on information security risk to information assets. The GRC engineer will proactively work with business units and partners to assess and design controls to reduce information security risk. The GRC engineer should understand and articulate the impact of information security controls on the business and be able to communicate this to stakeholders. The GRC engineer must be knowledgeable about both internal and external business environments and ensure that information systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory, and contractual obligations.Responsibilities
Governance and AwarenessAssist in managing a targeted information security awareness training program for all staff and affiliates; establish metrics to measure the effectiveness of this security training program for the different audiences.Understand and interact with other business units to ensure the consistent application of policies and standards across all technology projects, systems and services, including risk management and compliance.Provide clear risk mitigating directives for projects with components in IT, including the mandatory application of controls.OperationsParticipate in a risk-based process for the assessment and mitigation of any information security risk in the organization (including vendors, business partners and other third parties).Assist in managing a governance, risk, and compliance platform to facilitate risk management and incident management.Facilitate the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of remediation efforts.Consult with project managers to ensure that security is embedded in the project delivery process by providing the appropriate information security policies, practices, and guidelines.Act as a member of the IIRP during information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the organization's reputation.Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate courses of action.Facilitate periodic security compliance reviews and audits of on-premises and hosted environments, including AWS and Azure.Maintain compliance documentation, including managing and tracking policy exceptions.Assist in managing security awareness training.Assist in the assessment and review of new and existing technology infrastructure to ensure adequate levels of control are in place to address identified risks and develop risk mitigation techniques and processes when necessary.Assist in the development and ongoing oversight of a robust vulnerability management program.Conduct risk assessments on business and IT operational processes, procedures, and policies; interpret audit results and make conclusions on the adequacy and reliability of controls; prepare and present reports, as necessary.Stay informed about current security and privacy laws and provide guidance to the team when evaluating new projects; and perform other duties as assigned.Qualifications
MINIMUM QUALIFICATIONS:Bachelor's degree or equivalent work experience in a technical discipline related to Information TechnologyMinimum 7 years hands-on information security experience, including experience conducting technical and non-technical risk assessmentsStrong knowledge of information security risk management and information security technologies (e.g. SIEM, vulnerability management, data loss prevention, and/or endpoint protection)Proven track record and experience interpreting information security policies and procedures and successfully communicating with non-security workforce.Excellent interpersonal skills, presentation skills, and verbal / written communication skillsUnderstanding of compliance and regulatory requirements such as HIPAA and PCIKnowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity FrameworkOrganized, responsive, and thorough problem solverAbility to work collaboratively with a broad range of staffHigh degree of initiative, dependability, and ability to work with little supervision while being resilient to changeExcellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectivesHigh level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturityPREFERRED QUALIFICATIONS:Experience hardening/securing virtualization technologies, databases, and operating systems (Windows/Linux) utilizing industry best practicesKnowledge of networking concepts (routing, switching, VLANs, ACLs), systems administration or development.Familiarity with information security policies, standards, industry best practices, and frameworks. (ISO 27K, NIST 800-53, CIS, HITRUST, etc.)General information security certification (e.g., CISSP, CISA, etc.)Experience with Infrastructure as a Service (IaaS), such as AWS or AzureKnowledge of industry best practices related to security concepts
#J-18808-Ljbffr
The GRC Engineer is responsible for participating in the information security program to ensure that information assets and associated technology, applications, systems, infrastructure, and processes are adequately protected. The GRC engineer is responsible for identifying, evaluating, and reporting on information security risk to information assets. The GRC engineer will proactively work with business units and partners to assess and design controls to reduce information security risk. The GRC engineer should understand and articulate the impact of information security controls on the business and be able to communicate this to stakeholders. The GRC engineer must be knowledgeable about both internal and external business environments and ensure that information systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory, and contractual obligations.Responsibilities
Governance and AwarenessAssist in managing a targeted information security awareness training program for all staff and affiliates; establish metrics to measure the effectiveness of this security training program for the different audiences.Understand and interact with other business units to ensure the consistent application of policies and standards across all technology projects, systems and services, including risk management and compliance.Provide clear risk mitigating directives for projects with components in IT, including the mandatory application of controls.OperationsParticipate in a risk-based process for the assessment and mitigation of any information security risk in the organization (including vendors, business partners and other third parties).Assist in managing a governance, risk, and compliance platform to facilitate risk management and incident management.Facilitate the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of remediation efforts.Consult with project managers to ensure that security is embedded in the project delivery process by providing the appropriate information security policies, practices, and guidelines.Act as a member of the IIRP during information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the organization's reputation.Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate courses of action.Facilitate periodic security compliance reviews and audits of on-premises and hosted environments, including AWS and Azure.Maintain compliance documentation, including managing and tracking policy exceptions.Assist in managing security awareness training.Assist in the assessment and review of new and existing technology infrastructure to ensure adequate levels of control are in place to address identified risks and develop risk mitigation techniques and processes when necessary.Assist in the development and ongoing oversight of a robust vulnerability management program.Conduct risk assessments on business and IT operational processes, procedures, and policies; interpret audit results and make conclusions on the adequacy and reliability of controls; prepare and present reports, as necessary.Stay informed about current security and privacy laws and provide guidance to the team when evaluating new projects; and perform other duties as assigned.Qualifications
MINIMUM QUALIFICATIONS:Bachelor's degree or equivalent work experience in a technical discipline related to Information TechnologyMinimum 7 years hands-on information security experience, including experience conducting technical and non-technical risk assessmentsStrong knowledge of information security risk management and information security technologies (e.g. SIEM, vulnerability management, data loss prevention, and/or endpoint protection)Proven track record and experience interpreting information security policies and procedures and successfully communicating with non-security workforce.Excellent interpersonal skills, presentation skills, and verbal / written communication skillsUnderstanding of compliance and regulatory requirements such as HIPAA and PCIKnowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity FrameworkOrganized, responsive, and thorough problem solverAbility to work collaboratively with a broad range of staffHigh degree of initiative, dependability, and ability to work with little supervision while being resilient to changeExcellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectivesHigh level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturityPREFERRED QUALIFICATIONS:Experience hardening/securing virtualization technologies, databases, and operating systems (Windows/Linux) utilizing industry best practicesKnowledge of networking concepts (routing, switching, VLANs, ACLs), systems administration or development.Familiarity with information security policies, standards, industry best practices, and frameworks. (ISO 27K, NIST 800-53, CIS, HITRUST, etc.)General information security certification (e.g., CISSP, CISA, etc.)Experience with Infrastructure as a Service (IaaS), such as AWS or AzureKnowledge of industry best practices related to security concepts
#J-18808-Ljbffr