Job Description:
Information Security Risk & Compliance Lead


The Information Security Risk & Compliance Lead is a senior member of the Information Security Office, providing program leadership and expertise in the areas of Risk Management and Compliance.


1. Risk Management Compliance Program Responsibilities

Develops and maintains a consistent, repeatable process for identifying risks, assessing them qualitatively and quantitatively, determining risk treatment, and managing the associated findings and remediation plans. The scope of the risk management domain includes, but is not limited to, asset risk management, third-party risk management, and vulnerability risk management.

Develops and reports security risk and compliance metrics for the institution, for departments and processes, and for individual assets.

Develops information security policies, standards, procedures, and guidelines in accordance with the overarching Information Security Risk Framework.

Supports ongoing compliance activities and monitoring efforts across applicable regulations and standards (e.g. HIPAA, PCI).

Serves as a GRC subject matter expert for information risk by supporting complex analysis and leading risk management capability improvement.

Manages SJCRH policy exceptions: identifies the rationale and risks underlying each exception request, weighs the effectiveness of compensating controls, and makes recommendations on the request.

Influences the technical and strategic direction of the Risk Management and Compliance program.

2. Information Security Operational Support

Designs and optimizes institutional systems, processes, and services.

Coordinates resources for projects and operational support.

Develops and implements complex data queries and reports as needed.

Provides Level 3 support for large, complex institutional systems.

Provides advanced system coding and programming as required.

Develops customer and system documentation as required.

Provides troubleshooting, problem analysis, debugging, and resolution of assigned problems.

3. Project Management

Plans, organizes, controls, and leads medium to large cross-functional projects and programs.

Leads project teams through all phases of the project lifecycle (initiate, plan, execute, close).

Contributes to the definition of program and project goals and their alignment with institutional and department goals, ensuring that critical success factors are defined during initiation.

Develops and maintains the accuracy of a project plan with input from key stakeholders, the project team members, resource managers, and vendors.

Develops communication plans and delivers communications clearly and effectively with all project stakeholders.

4. Teamwork, Collaboration, Professionalism, and Leadership

Sets an example and provides leadership when working with other IS staff in functional or cross-functional teams to meet goals and objectives and fulfill responsibilities.

Sets an example in establishing and maintaining a professional demeanor and being accountable for performance.

Sets an example in establishing a team atmosphere within IS and other SJCRH departments by interacting with others in an honest and straightforward manner, listening to and valuing the opinions and ideas of others, sharing knowledge, and helping others accomplish their goals.

Develops and maintains expert-level knowledge and skills in technical and professional areas.

Mentors and trains IS staff members in areas of specialty.

Sets an example in representing SJCRH, the InfoSec team, and Information Services as one Team. Exemplifies the IS Core Values of focusing on service, celebrating team, appreciating hard work, pursuing knowledge, and seeking humility.

5. Performs other related duties as assigned or directed in order to meet the goals and objectives of the department and the institution.

6. Maintains regular and predictable attendance.

Bachelor's degree in Management of Information Systems or related field is required.

Master's Degree or MBA is preferred.

Minimum Experience:

Six (6) years of progressive experience in information security is required.

Must have experience and demonstrated proficiency in leading and executing an IT Security Risk Management and Compliance program, in managing large and complex process change projects, and advanced knowledge of cybersecurity threats.

Required Credentials:

One or more of the following certifications is required:

Certified Information Systems Security Professional (CISSP)

Certified Information Systems Auditor (CISA)

Certified Information Security Manager (CISM)

Certified in Risk and Information Systems Control (CRISC)

Project Management Professional (PMP) or equivalent is preferred.

Client: St. Jude Children's Research Hospital