Senior Analyst, Information Security Risk Management at McKesson

Dallas-Fort Worth, TX
Sorry, this job was removed at 2:03 p.m. (CST) on Thursday, December 2, 2021
McKesson requires new employees to be fully vaccinated for COVID-19 as defined by the CDC, subject to applicable, verified accommodation requests.

Title: Senior Analyst, Information Security Risk Management

Location(s): Dallas, TX; Alpharetta, GA; Scottsdale, AZ

The Role:

The Senior Analyst, Information Security Risk Management is a lead role responsible for delivering McKesson's enterprise information security risk management program, including owning and maintaining the associated policies, standards, and Standard Operating Procedures (SOPs). The role is responsible for the design, development, and maintenance of security risk management reporting and cyber risk registers; the effective management of information security risk management efforts aligned to security policies and standards; and the completion of applicable industry compliance requirements and responses to the businesses, together with security-by-design processes across the enterprise, to ensure that risks are adequately reported.

In addition, the role is responsible for supporting the identification, assessment, evaluation, and reporting of information security risks, issues, and exceptions, including risk acceptance workflows, in ways that meet compliance and regulatory requirements and build business confidence in the cybersecurity program. This requires proactive collaboration with teams across McKesson to ensure alignment and application of practices that both support business goals and meet defined policies and standards for information security and the Information Protection Program (IPP).

The role will include management and oversight of the McKesson Governance, Risk & Compliance (GRC) tool, working with supporting partners and other McKesson stakeholders to improve and maintain service offerings.

The type of activities encompassed in the role include but are not limited to:

Deployment of a harmonized cybersecurity risk framework and program; evaluation of internal and external influences and risks affecting policies and standards; support of BISOs in risk assessment and acceptance processes; reporting of risk status; management of team members; and security risk consulting.

  • Provide oversight of end-to-end assessment steps for regulatory entities, e.g., identifying submitted control evidence in assessments to validate its accuracy
  • Integrate threat modeling, risk management, security tools, standards, and risk management processes to support ISRM teams and other McKesson stakeholders
  • Oversee the implementation of information security risk management processes across McKesson
  • Articulate risk and business impact to stakeholders
  • Communicate the urgency and need to remediate issues or vulnerabilities commensurate with the risk they present to McKesson
  • Develop and maintain security risk and response artifacts systematically to produce security risk metrics that can measure the overall program maturity and progress
  • Create visibility and awareness at the appropriate level, including executive leadership teams, the CISO, and others, of security risks that require attention
  • Demonstrate ability to strike a balance between strategic and tactical activities required to run information risk response and remediation efforts
  • Cultivate the practice of staying abreast on latest trends and developments in information security risk response and remediation activities followed across industry
  • Serve as designated lead for, and support, the information security risk assessment program across McKesson
  • Lead coordination efforts between technology stakeholders and ensure high-quality and accurate reporting and tracking
  • Evolve GRC internal tools and processes that manage the information security risks in McKesson, aligning with all involved stakeholders and users of the GRC tool on their needs and input
  • Build relationships and become a trusted advisor with BU and technology owners to influence change and drive ownership and accountability

Minimum Requirements:
4+ years' experience in information security risk in an organization

2+ years of supervisory and/or management experience

Critical Skills:
  • Experience with risk management frameworks along with a solid understanding of industry best practices in information security risk management
  • Subject Matter Expert (SME) in healthcare privacy and security regulations and regulators such as HIPAA, EU GDPR, CCPA, PIPEDA, and OCR
  • Thorough understanding of industry and commonly adopted security standards and practices (e.g., applicable NIST SP 800-53, SP 800-171, and SP 800-39 standards; CIS; ISO/IEC 27001/27002 and ISO/IEC 27005; SANS; CERT), as well as HITRUST, SOC 1/SOC 2, and PCI DSS compliance
  • Administration experience with BWise, RSA Archer, or another GRC tool
  • Participate in strategic planning with regards to program development
  • Assist with information risk assessments and risk acceptances, ensuring actions and goals are well documented
  • Expert knowledge of information security and risk management principles, conducting risk impact assessments, vulnerability management, and a level of familiarity with threat modeling techniques
  • Knowledge of cloud-based infrastructures/software and how they affect security needs
  • Knowledge of implementing security practices in application development and agile environments

Additional Knowledge & Skills:
  • Knowledge of project and program management
  • Experience conducting security risk management training
  • Knowledge regarding healthcare IT and Risk Management Regulations
  • Familiarity with threat detection, threat intelligence and hacking methods
  • Experience in large highly segmented and regulated organizations
  • Experience interacting with security vendors and customers
  • Self-motivation and the ability to work under minimal supervision are a must
  • Excellent at multitasking, and open to constant learning
  • Energetic and positive attitude
  • Excellent problem solving and analytical skills; outstanding oral and written communication skills

  • 4-year degree in computer science or a related field, or equivalent experience
  • MBA preferred

Any of the following preferred but not required: CISSP, CISA, CISM

Physical Requirements:
General Office Demands with occasional travel

Career Level:

Senior Analyst- P4

McKesson is an Equal Opportunity/Affirmative Action employer.

All qualified applicants will receive consideration for employment without regard to race, color, religion, creed, sex, sexual orientation, gender identity, national origin, disability, or protected Veteran status. Qualified applicants will not be disqualified from consideration for employment based upon criminal history.

McKesson is committed to being an Equal Employment Opportunity Employer and offers opportunities to all job seekers including job seekers with disabilities. If you need a reasonable accommodation to assist with your job search or application for employment, please contact us by sending an email to [email protected] . Resumes or CVs submitted to this email box will not be accepted.

Current employees must apply through the internal career site.

Join us at McKesson!