PND NDCHealth Corporation

Sr. Cyber Risk Assurance Analyst

PND NDCHealth Corporation, Denver, Colorado, United States


Position Summary

McKesson is hiring a Sr. Cyber Risk Assurance Analyst who will be responsible for collaborating across legal, compliance, and technical teams to ensure alignment with regulatory frameworks such as HIPAA, NIST 800-53, FIPS-140, and CMS ARS.

This role requires a strong technical background and deep expertise in compliance, privacy, and risk management.

The ideal candidate will translate complex government regulatory guidance (e.g., NIST, CVE, CMS ARS) into actionable business and technical requirements, driving secure designs that comply with the relevant reference architecture frameworks.

Key Responsibilities

Conduct cybersecurity risk assessments for internal systems and third-party applications within the regulated environment.

Drive the vulnerability management plan based on strict risk-based classifications across multiple platforms, engaging all asset owners.

Contribute to the formulation of cybersecurity strategies by advising on risk reduction priorities related to vulnerability trends.

Ensure compliance with all applicable regulatory frameworks and requirements.

Translate technical frameworks and regulatory guidance (e.g., NIST, CVE, Zero Trust, FIPS-140) into actionable requirements for technical and business teams.

Collaborate with legal, compliance, and engineering business partners to integrate requirements into contracts and system designs.

Support continuous audit readiness, evidence collection, and remediation planning.

Develop and maintain policies and procedures to support regulatory compliance and risk management.

Partner with multiple business units to ensure success in third-party audits.

Provide risk insights and recommendations to leadership to improve organizational risk posture.

Foster a culture of accountability and awareness across the business unit.

Minimum Requirements

Degree or equivalent; typically requires 7+ years of relevant experience.

Critical Skills

Bachelor’s degree in Cybersecurity, Information Systems, or related field.

4+ years of experience in cybersecurity risk management or assurance, preferably in an HHS or federally regulated environment.

Strong technical background with the ability to interpret and apply complex regulatory frameworks.

Knowledge of IP network infrastructure, defense-in-depth security architecture (e.g., firewalls, intrusion detection/prevention, endpoint protection), identity and access management, and data encryption.

Experience with HIPAA, NIST 800-53, FISMA, FedRAMP, and FIPS-140.

Strong knowledge of risk frameworks, standards, and authoritative risk categorization sources (e.g., NIST, ISO, FedRAMP, CISA KEV, CVSS, CVE).

Proficiency with enterprise compliance platforms such as OneTrust, RSA Archer, or ServiceNow GRC.

Excellent analytical, documentation, and communication skills.

Additional Skills and Certifications

Certifications such as CISM, CRISC, or CISSP.

Experience conducting vendor risk assessments and contract reviews.

We are proud to offer a competitive compensation package at McKesson as part of our Total Rewards. This is determined by several factors, including performance, experience and skills, equity, regular job market evaluations, and geographical markets. The pay range shown below is aligned with McKesson's pay philosophy, and pay will always be compliant with any applicable regulations. In addition to base pay, other compensation, such as an annual bonus or long-term incentive opportunities may be offered. For more information regarding benefits at McKesson, please

Our Base Pay Range for this position

$99,800 - $166,300
