| Department: | CNE-IS ADMINISTRATION |
| Operating Unit: | Care New England |
| Location: | Providence, RI |
| Job ID: | 24927 |
| Job Status: | Full Time |
| Shift: | Days |
| Schedule: | Other |
Job Summary:
As a member of the Information Security team, the Senior Security Analyst (GRC) is responsible for governance oversight, enterprise risk management, and compliance activities supporting the Care New England Health System.
This role ensures security programs are aligned with regulatory requirements, industry standards, and organizational risk tolerance. Primary areas of responsibility include policy governance, enterprise risk register management, audit coordination, third-party risk oversight, security awareness program management, phishing simulation oversight, and governance-level performance monitoring of security controls and tools.
The Senior Security Analyst does not perform direct engineering functions but provides oversight, performance validation, risk analysis, and executive-level reporting to ensure effective security control implementation and regulatory readiness.
Requirements:
Bachelor’s degree in Information Technology, Cybersecurity, Information Assurance, or related field required.
Minimum of five (5) to seven (7) years of IT and/or information security experience, including governance, risk, and compliance responsibilities.
CISSP, CISM, IAM, or equivalent industry certification required.
Experience in a highly regulated environment required; healthcare experience strongly preferred.
Strong knowledge of HIPAA §§164.308, 164.310, and 164.312, HITECH, RI state data protection laws, and PCI DSS.
Demonstrated experience managing governance frameworks and regulatory compliance initiatives.
Strong analytical and problem-solving abilities.
Ability to interpret technical security findings and translate them into business risk terms.
Experience maintaining and tracking enterprise risk registers.
Strong written and verbal communication skills with the ability to present to executive leadership.
Ability to manage multiple priorities and adjust based on risk impact and regulatory deadlines.
Familiarity with EDR, SIEM, vulnerability management, email security, and related platforms from a governance perspective.
Ability to coordinate audit evidence collection and corrective action tracking.
Strong collaboration skills across technical and non-technical teams.
Duties and Responsibilities:
Develop, maintain, and manage lifecycle governance of enterprise security policies, standards, and procedures.
Ensure alignment of administrative, technical, and physical controls with HIPAA and other regulatory frameworks.
Support annual enterprise risk assessments and maintain required compliance documentation.
Maintain and track the enterprise security risk register; coordinate remediation efforts with IT and business stakeholders.
Serve as primary liaison for internal and external audits, coordinating evidence collection and corrective action plans.
Support third-party risk reviews and Business Associate Agreement (BAA) evaluations.
Oversee the security awareness and phishing simulation program; monitor user risk metrics and provide executive reporting.
Monitor governance performance of key security tools (EDR, email security, vulnerability management, SIEM); review findings and validate remediation tracking.
Support incident documentation, post-incident analysis, and governance-based corrective action tracking.
Provide security governance consultation for IT initiatives and third-party engagements.
Participate in professional development and maintain current industry knowledge.
Perform other related duties as assigned.
Additional Information:
Americans with Disabilities Act Statement: External and internal applicants, as well as position incumbents who become disabled, must be able to perform the essential job-specific functions either unaided or with the assistance of a reasonable accommodation, to be determined by the organization on a case-by-case basis.
EEOC Statement: Care New England is an equal opportunity employer. All applicants will be considered for employment without attention to race, color, religion, sex, sexual orientation, gender identity, national origin, veteran or disability status.
Ethics Statement: Employee conducts himself/herself consistent with the ethical standards of the organization including, but not limited to, hospital policy, mission, vision, and values.