The Senior IT Security Risk and Policy Analyst executes processes across the organization to conduct the required IT security risk assessment program to reduce information security risk, address threats and vulnerabilities to information assets, monitor compliance to policy, and improve the overall security posture of the University. The incumbent serves as technical resource on external security audits and accreditation processes and conducts internal security audits on customer networks/systems. The position provides recommendations for security controls and ensures remediation of any deficiencies to ensure compliance with campus policy and regulatory requirements such a PCI, HIPAA, FERPA, etc. IT security Risk Assessments and adherence to organizational information security policies are required elements for HIPAA compliance. Assessments are used to identify threats and vulnerabilities to information systems and prioritize remediation activities. Auditing compliance with implementing security controls is required to ensure that the risks are being managed to the degree that university policy requires. This is a fundamental component of an Information Security Program and drives the security improvement activities across the organization. Significant fines have been associated with not having through documented risk assessments and compliance programs in place by OCR. Analyst is also responsible for fulfilling legal requests as required in support of investigations and legal activities as directed by the proper UC authority while maintaining strict confidentiality.

• Nine (9) years of related experience, education/training, OR a Bachelor's degree in related area plus five (5) years of related experience/training.

• Advanced interpersonal skills sufficient to work effectively with both technical and non-technical personnel at various levels in the organization.

• Advanced experience using IT security systems and tools.

• Demonstrated skills applying security controls to computer software and hardware.

• Demonstrated skill at administering complex security controls and configurations to computer hardware, software and networks.

• Advanced knowledge of data encryption technologies and experience selecting and applying appropriate data encryption technologies.

• Advanced knowledge of IT security.

• Demonstrated knowledge of secure hardware, software and network design techniques.

• Demonstrated skill at analyzing and preventing security incidents of high complexity.

• In-depth knowledge of computer hardware, software and network security issues and approaches.

• Advanced experience in incident response and digital forensics including reporting.

• Experienced information security risk analyst in an academic medical center.

• Experience as an information security risk practitioner doing vendor/technology assessments in a healthcare environment.

• Must be able to work various hours and locations based on business needs.

• Employment is subject to a criminal background check and pre-employment physical.