The Information Technology Risk Analyst supports the IT Risk Management Program within UPMC Enterprises (UPMCE). The candidate will identify, monitor and perform quantitative analysis against current and potential risks that may negatively affect all or a subset of Stage 2+ opportunities in the UPMC Enterprises opportunity pipeline. Support UPMC with strategic assessments and provide tactical analysis and advice for Business Units and Executive Management through the use of automated tools, execution of IT risk management processes and reporting.
Responsibilities:
•Maintain current knowledge of security techniques and technologies.
•Provide timely updates to the UPMC IT Risk Management Team on process improvements, changes in technologies and other significant changes at UPMC Enterprises.
•Support the processes and strategies of the UPMC enterprise IT Risk Management Program.
•Be a liaison between UPMC Enterprises and the UPMC enterprise IT Risk Management Team.
•Ensure that all applicable UPMC Policies and Standards are strictly adhered to in the execution of their duties.
•Ensure controls and recommendations align with regulatory and UPMC organization frameworks (i.e. FAIR, HITRUST, and SOC2).
•Help facilitate root cause analysis, gap analysis and other process improvement approaches.
•Conduct Cybersecurity policy and compliance audits, which may include liaising with UPMC internal audit and external auditors.
•Collaborate with IT and business owners to mitigate risk and drive recommendations that are achievable and cost effective.
•Risk reporting to EMG. (Educating EMG about the most significant risks to the business; ensuring business heads understand the risks that might affect their departments; ensuring individuals understand their own accountability for individual risks).
•Establish and maintain excellent relationships with business owners and IT contacts to elicit their input and feedback on risk initiatives.
•Obtain thorough understanding of the FAIR methodology for Quantifying Information Risk.
•Perform quantitative IT risk assessments by analyzing current risks and identifying potential risks that are affecting all or a subset of Stage 2+ opportunities in the UPMC Enterprises opportunity pipeline from planning through fieldwork and reporting.
•Build risk awareness amongst staff by providing support and training within UPMC Enterprises.
•Manage the UPMC Enterprises Vulnerability Management exceptions process, which includes communication of existing threats to EMG.
•Design, develop, implement and maintain a risk management program for UPMC Enterprises.
- 4-year academic degree includes courses in computer science, management information systems, cyber security, data analysis, statistics OR has acquired Core IT skills and knowledge via practical experience.
- Requires knowledge of security issues, techniques and implications across all existing computer platforms.
- Understand key technology concepts such as access control, asset lifecycle management, encryption, business continuity, vulnerability management, and third-party vendor risk.
- Strong oral and written communication skills to work effectively with employees at all levels of the organization.
- Ability to drive conversations with teams with varied backgrounds and purpose, as well as effectively communicate to management.
- Ability to multi-task, strong attention to detail, self-motivated willingness to take initiative and ownership.
- Excellent problem-solving skills and the ability to be highly productive, both working alone and as part of a team.
- Working knowledge of a cyber risk management software platform is a plus.
Licensure, Certifications, and Clearances:
Analysts will be required to become or maintain one or more certifications, including but not limited to:
- Open FAIR Certification
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
UPMC is an Equal Opportunity Employer/Disability/Veteran