McKesson requires new employees to be fully vaccinated for COVID-19 as defined by the CDC, subject to applicable, verified accommodation requests.
Title : Senior Analyst, Information Security Risk Management
Location(s) : Dallas, TX; Alpharetta, GA; Scottsdale, AZ
The Role :
The Senior Analyst, Information Security Risk Management will be a lead role responsible for the delivery of the McKesson enterprise Information Security risk management program, including owning and maintaining the associated policies, standards, and Standard Operating Procedures (SOPs). They will be responsible for the design, development and maintenance of security risk management reporting and cyber risk registers; effective management of information security risk management efforts aligned to security policies and standards; completion of applicable industry compliance requirements and responses for the Businesses; and support of the security-by-design processes across the enterprise to ensure risks are adequately reported.
In addition, the role is responsible for supporting the identification, assessment, evaluation, and reporting of information security risks, issues and exceptions, including risk acceptance workflows, in ways that meet compliance and regulatory requirements and build business confidence in the cybersecurity program. This requires proactive collaboration with teams across McKesson to ensure alignment and application of practices that both support business goals and meet defined policies and standards for information security and the Information Protection Program (IPP).
The role will include management and oversight of the McKesson Governance, Risk & Compliance (GRC) tool, working with supporting partners and other McKesson stakeholders to improve and maintain service offerings.
The type of activities encompassed in the role include but are not limited to:
Deployment of a harmonized cybersecurity risk framework and program; evaluation of internal and external influences and risks affecting policies and standards; support of BISOs in risk assessment and acceptance processes; reporting of risk status; management of team members; and security risk consulting.
Provide oversight of end-to-end assessment steps for regulatory entities, e.g. reviewing submitted control evidence in assessments to validate its accuracy
Integrate threat modeling, risk management, security tools, standards, and risk management processes to support ISRM teams and other McKesson stakeholders
Oversee the implementation of information security risk management processes across McKesson
Articulate risk and business impact to stakeholders
Communicate the urgency and need to remediate issues or vulnerabilities commensurate with the risk they present to McKesson
Develop and maintain security risk and response artifacts systematically to produce security risk metrics that can measure the overall program maturity and progress
Create visibility and awareness at the appropriate level, including executive leadership teams, the CISO and others, of security risks that require attention
Demonstrate ability to strike a balance between strategic and tactical activities required to run information risk response and remediation efforts
Cultivate the practice of staying abreast on latest trends and developments in information security risk response and remediation activities followed across industry
Serve as designated lead for, and support, the information security risk assessment program across McKesson
Lead coordination efforts between technology stakeholders and ensure high-quality and accurate reporting and tracking
Evolve GRC internal tools and processes that manage the information security risks in McKesson, aligning with all involved stakeholders and users of the GRC tool on their needs and input
Build relationships and become a trusted advisor with BU and technology owners to influence change and drive ownership and accountability
Minimum Requirements : 4+ years' experience in information security risk in an organization
2+ years of supervisory and/or management experience
Critical Skills :
Experience with risk management frameworks along with a solid understanding of industry best practices in information security risk management
Subject Matter Expert (SME) in healthcare privacy and security regulations and regulators such as HIPAA, EU GDPR, CCPA, PIPEDA and OCR
Thorough understanding of industry-standard and commonly adopted security standards and practices (e.g. NIST SP 800-53, 800-171 and 800-39, CIS Controls, ISO/IEC 27001/27002 and 27005, SANS, CERT), HITRUST, SOC 1/SOC 2 and PCI DSS compliance
Administration experience with BWise, RSA Archer or other GRC tool
Participate in strategic planning with regards to program development
Assist with information risk assessments and risk acceptances, ensuring actions and goals are well documented
Expert knowledge of information security and risk management principles, conducting risk impact assessments, vulnerability management, and a level of familiarity with threat modeling techniques
Knowledge of cloud-based infrastructures/software and how they affect security needs
Knowledge of implementing security practices in application development and agile environments
Additional Knowledge & Skills :
Knowledge of project and program management
Experience conducting security risk management training
Knowledge regarding healthcare IT and Risk Management Regulations
Familiarity with threat detection, threat intelligence and hacking methods
Experience in large highly segmented and regulated organizations
Experience interacting with security vendors and customers
Self-motivation and the ability to work under minimal supervision are a must
Excellent at multitasking, and open to constant learning
Energetic and positive attitude
Excellent problem solving and analytical skills; outstanding oral and written communication skills
4-year degree in computer science or related field, or equivalent experience
Certifications : Any of the following preferred but not required: CISSP, CISA, CISM
Physical Requirements : General Office Demands with occasional travel
Career Level :
Senior Analyst- P4
McKesson is an Equal Opportunity/Affirmative Action employer.
All qualified applicants will receive consideration for employment without regard to race, color, religion, creed, sex, sexual orientation, gender identity, national origin, disability, or protected Veteran status. Qualified applicants will not be disqualified from consideration for employment based upon criminal history.
McKesson is committed to being an Equal Employment Opportunity Employer and offers opportunities to all job seekers including job seekers with disabilities. If you need a reasonable accommodation to assist with your job search or application for employment, please contact us by sending an email to McKessonTalentAcquisition@mckesson.com. Resumes or CVs submitted to this email box will not be accepted.
Current employees must apply through the internal career site.
Join us at McKesson!
Internal Number: JR0050069
About McKesson Corporation
We deliver careers with purpose and potential. Our focus on better health starts with creating an inclusive environment with strong values where you can build a fulfilling career. You can count on us to provide you with resources and opportunities to grow and be your best, while contributing to our pursuit of improving lives. Every day, McKesson’s employees deliver products to healthcare providers that make a difference in the care and life of a patient. We work to distribute medical supplies, bandages, syringes, vials of flu vaccine, and pharmaceutical drugs to help real patients like Jack, an eight-year-old boy battling cancer. We take that job seriously. Together, the work we do is shaping the future of healthcare. If you are passionate about combining a meaningful career with a balanced life, join us on this journey and apply for a job with McKesson today.