Rush University Medical Center

Cybersecurity Third Party Risk Manager-21450

Rush University Medical Center, Chicago, Illinois, United States, 60290


Overview

Cybersecurity Third Party Risk Manager – Rush University Medical Center
Location: Chicago, Illinois / Remote
Business Unit: Rush Medical Center
Hospital: Rush University Medical Center
Department: Cybersecurity Operations
Work Type: Full Time (Total FTE between 0.9 and 1.0)
Shift: Shift 1
Work Schedule: 8 Hr (8:00:00 AM - 5:00:00 PM)
Pay Range: $55.75 - $93.66 per hour

Rush salaries are determined by many factors including, but not limited to, education, job-related experience and skills, as well as internal equity and industry specific market data. The pay range for each role reflects Rush’s anticipated wage or salary reasonably expected to be offered for the position. Offers may vary depending on the circumstances of each case.

Responsibilities

Collaborates with Cybersecurity leadership to develop and mature RUSH’s overall Third-Party Risk Management (TPRM) program through effective governance, comprehensive vendor analysis and review processes, and implementation and monitoring of vendor management security controls.
Manages a team of cybersecurity analysts responsible for execution of the TPRM program vision.
Ensures the TPRM team adheres to RUSH’s third-party risk management policies and standards.
Manages and maintains TPRM technology and toolsets that support the TPRM program.
Owns and oversees RUSH’s TPRM program, charged with performing security reviews of all new and existing technology vendors on a regularly scheduled basis.

Third-party Risk Management Will Include

Development of a TPRM program vision and methodology.
Management of RUSH’s vendor information security questionnaires.
Interpretation and analysis of vendor input.
Reporting results of vendor security profiles.
Where necessary, managing security gaps to ensure technology vendors meet RUSH’s minimum security requirements through enhancement or remediation of their security capabilities.
Preparing regular governance reports for various cross-functional stakeholders and management concerning the current state of information security measures.
Making recommendations for improvement, as required.

Additional Responsibilities

Make meaningful risk-mitigating recommendations that directly improve the third-party risk posture.
Foster relationships with internal and external stakeholders.
Collaborate with security experts to understand requirements and standards.
Coordinate with Cybersecurity GRC to track vendor risks and risk exceptions to TPRM policies and standards.
Identify and provide input on information security awareness training related to the TPRM program; collaborate with RUSH training and cybersecurity awareness teams to develop and implement training.
Develop roadmaps for TPRM maturity at RUSH and lead TPRM projects to implement and execute the roadmap.
Work with IT management, risk managers, corporate compliance, and in-house legal counsel to perform and maintain TPRM risk assessments concerning potential vendor cyber risks to RUSH, including capacity, data privacy, geography, vendor ethics, sanctions, insurance, performance, and continuity concerns.
Provide support in developing and implementing mitigating security controls where vendor controls may fall short of requirements.
Maintain relationships with clinical and business management to ensure third-party reviews are completed on time and in accordance with policies and standards.
Stay informed regarding new and emerging information security trends in TPRM.

Required Job Qualifications

Bachelor’s degree.
8+ years of relevant experience in security policy creation and lifecycle management, auditing methodology, technology risk management, and/or third-party risk management.
Excellent verbal and written communication skills.
Self-starter with ability to work independently to create, build, and manage frameworks and programs.
Ability to analyze and present critical information to all levels of staff, including Board-level reporting metrics.
Ability to source, analyze, negotiate, select, and manage third-party vendors to achieve program deliverables.
Excellent interpersonal skills to communicate with hospital personnel, vendors, IT personnel, and direct reports.
Strong prioritization, multi-tasking, and time management skills.
Explicit knowledge of cybersecurity controls, implementation, compliance, and governance.
Thorough understanding of vendor risk analysis.
Ability to deliver clear, concise communications and presentations; ability to train others on key cybersecurity concepts.
Knowledge of Federal and State regulations including HIPAA, SOX, and FERPA.
Knowledge of industry-leading frameworks including NIST, HITRUST, PCI, ISO, SOC 2, ITIL, and COSO.

Preferred Job Qualifications

3+ years of relevant and progressive GRC experience in a healthcare setting.
Security industry certifications such as CISM, CISSP, ISSMP, or CCISO are desirable.

Rush is an equal opportunity employer. We evaluate qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, veteran status, and other legally protected characteristics.
