State of Washington

IT Security Risk and Compliance Manager

State of Washington, Olympia, Washington, United States, 98502


The mission of Washington Health Benefit Exchange (Exchange) is to radically improve how Washington residents secure health insurance through innovative and practical solutions, an easy‑to‑use customer experience, and our values of integrity, respect, equity and transparency, while providing undeniable value to the health care community.

The Exchange is a public‑private partnership that operates Washington Healthplanfinder, the eligibility and enrollment portal used by one in four Washington residents to obtain health and dental coverage. Through this platform, and with support from a Customer Support Center and statewide network of in‑person navigators and brokers, individuals and families can shop, compare and enroll in private, qualified health plans (as defined in the Affordable Care Act) or enroll in Washington Apple Health, the state Medicaid program.

EQUITY STATEMENT

Equity is fundamental to the mission of the Washington Health Benefit Exchange. The process of advancing toward equity and becoming anti‑racist is disruptive and demands vigilance to dismantle deeply entrenched systems of privilege and oppression. While systemic racism is a root cause of many societal inequities, we must also use an intersectional approach to address all forms of bias and oppression, which interact with and often exacerbate racial inequities. To be successful, we must recognize the socioeconomic drivers of health and focus on people and places where needs are greatest. As we listen to community, we must hold ourselves accountable to responding to recommendations to remedy inequitable policies, systems, or practices within the Exchange’s area of influence. Our goal is that all Washingtonians have full and equal access to opportunities, power and resources to achieve their full potential.

SUMMARY

Manage, oversee and coordinate the work of team members and activities in IT security compliance, risk management and other duties as defined by the Chief Information Security Officer (CISO).

Develop the strategic direction for regulatory compliance and manage the risk of WAHBE data and information systems.

Continuously assess security controls, create and implement IT security policy, procedures and standards, and maintain IT security compliance deliverables to ensure agency compliance with federal and state regulations.

Provide supervision, guidance and oversight of the WAHBE IT Security Risk and Compliance Team, ensuring effective execution of responsibilities and alignment with organizational goals.

Develop, maintain and implement cybersecurity compliance deliverables, ensuring they are regularly updated to meet evolving CMS, IRS and WAHBE requirements (System Security Plan, Safeguard Security Report, Annual Attestation, etc.).

Conduct comprehensive and complex cybersecurity risk assessments and perform thorough risk analysis to evaluate threats, vulnerabilities and the effectiveness of security controls.

Ensure security controls align with WAHBE IT Security standards and policies while maintaining compliance with applicable federal regulations.

Develop and implement an information security risk management framework, including gap analysis, remediation timelines, regular reviews and updates.

Develop risk management metrics and reports to communicate remediation efforts, risk treatment progress and enhancements to WAHBE’s overall security posture.

Track, coordinate and manage risk mitigation plans for federal reporting (Corrective Action Plan, Plan of Action and Milestones).

Validate and verify completion of remediation activities and reevaluate control effectiveness as needed to ensure ongoing risk mitigation.

Collaborate with Compliance Officer, Information Security Manager, Cloud/Infrastructure Manager, Lead Product Owner, Tech Ops and other IT stakeholders for risk mitigation and control implementation.

Manage CMS and IRS security audits and safeguard reviews.

Manage and support third‑party security risk assessment as mandated by federal regulations and coordinate resulting mitigation plans.

Maintain and update WAHBE’s information security policies and procedures with evolving CMS, IRS and WAHBE requirements.

Review laws, regulations and legal agreements for security and privacy language to protect PII and FTI.

Foster innovation and manage risk during major transformations.

Provide regular briefings and updates to the CISO and engage with the Enterprise Risk and Compliance Committee.

Communicate obstacles that hinder delivery of compliance deliverables and work promptly with the CISO.

Collaborate with external partners to align technology, processes and procedures with WAHBE policy, state and federal regulations.

Act as liaison for technical, business and external partners for audits, assessments and reviews.

Recruit, hire, lead, mentor and retain talented risk and compliance staff.

Other duties as assigned by the CISO.

QUALIFICATIONS (Required)

Bachelor’s degree in engineering or technology‑related major and ten years of experience with increasing management responsibilities (minimum of five years’ experience in staff management).

Five years of experience leading and managing staff and contractor resources within IT risk and compliance domains.

Excellent understanding of standards and guidelines including CMS standards (MARS‑E 2.2, ARC‑AMPE) and IRS standards (Publication 1075).

Excellent understanding of audit processes, standards and procedures.

Strong understanding of best practices in testing methods and metrics.

Upholds the highest ethical standards, demonstrates honesty, transparency and consistency, maintains confidentiality and adheres to organizational policies and regulatory requirements.

Motivated self‑starter with initiative to take independent action and accept responsibility for decisions.

Excellent project management skills and ability to set clear timelines, define roles and practice effective change management.

Ability to prioritize and manage multiple projects simultaneously and follow through on issues in a timely manner.

Strong interpersonal skills; ability to work with all levels of internal management and staff, as well as outside clients, vendors, diverse populations, stakeholder groups and customers.

Skilled in resolving conflicts and addressing disagreements by active listening and fostering open dialogue.

Creative, proactive problem solver with independent decision‑making ability.

Well organized, flexible, proactive, resourceful and efficient with strong attention to detail.

Strong understanding of contracting processes and procedures and contract management.

Ability to maintain a high level of confidentiality.

DESIRED QUALIFICATIONS

Excellent understanding of NIST security guidelines (SP 800‑53 Rev 5) and NIST RMF (SP 800‑37 Rev.).

Proven ability to develop and implement change management strategies, including stakeholder engagement, communication plans and training programs.

Excellent verbal and written communication skills.

Demonstrates composure and resilience in fast‑paced, high‑pressure environments, consistently delivering results.

Fosters a positive and collaborative approach to risk management within a dynamic, fast‑paced organizational culture.

APPLICATION INSTRUCTIONS

This position will be open until we find a suitable number of candidates to review. If interested, please submit an application as soon as possible. The Exchange reserves the right to close the recruitment at any time.

SALARY INFORMATION

Full Salary Range: $109,719.00 to $164,579.00 annually, with midpoint at $137,149.00. Hiring Range: $126,177.00 and $137,149.00 annually. This is an estimate of where a qualified candidate can expect to receive an offer. The actual salary offer will consider candidate experience, skills, qualifications, internal equity and the market. Our compensation policy reserves the salary range above the midpoint for employees who are meeting and exceeding expectations and for growth and development, up to the maximum.

BENEFITS

Take a peek at our benefits package.

WORKING CONDITIONS

Core business hours are 8:00 a.m. to 5:00 p.m., Monday through Friday. Irregular hours may be required. The preferred duty station is our Olympia, Washington headquarters. The role relies heavily on remote and in‑person collaboration, with hybrid remote and on‑site scheduling considered. Travel may be required for meetings or trainings, and the employee may need to work irregular hours. Duties require standard office furniture and equipment, including setup for remote work. The employee is responsible for providing and maintaining a safe, ergonomic, and secure workspace at their remote location. Reasonable accommodations may be made to enable individuals with disabilities to perform essential functions.

SPECIAL REQUIREMENTS

A criminal background screen will be conducted for candidates under final consideration, and if hired, every five years of employment where highly sensitive data is processed or maintained by the position. The result of this background screen must meet the Exchange’s eligibility standards.

OTHER INFORMATION

The above statements describe the general nature and levels of work being performed. They are not intended to be construed as an exhaustive list of responsibilities, duties and skills of personnel so classified. This is not an employment agreement or contract. Management has the exclusive right to alter this job description at any time without notice.

The Washington Health Benefit Exchange is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, age, marital status, sex, sexual orientation, gender identity, national origin, disability or protected veteran status.

We participate in E-Verify. You can view the Department of Justice's Right to Work poster here.
