- Must possess excellent (English) written and verbal communication skills and be capable of creating clear, well-written documentation, recommendations, and reports/communications.
- Has sufficient experience and knowledge to plan and execute work with limited direction and supervision.
- 3-5 years of experience managing security audits such as ISO 27001, HITRUST, and SOC 2, including preparing control owners for audits, interpreting control requirements, reviewing control evidence for appropriateness, testing control effectiveness, presenting control evidence to external auditors, and audit planning with external auditors.
- The appropriate candidate has in-depth knowledge of security controls, interpreting control requirements for SOC 2, ISO, or HITRUST audits, reviewing control evidence for completeness and accuracy, and ensuring evidence provided to auditors satisfies control requirements.
- Candidate must be capable of planning and leading meetings with control owners and external auditors, clearly defining control requirements to control owners, and explaining control evidence to external auditors.
- Extensive experience reviewing ISO, SOC 2, HITRUST, Pen Test, and other forms of security assessment reports.
- Must be capable of performing effective interviews of business owners and vendors, assessing risk, and documenting a report summarizing the vendor services provided, findings, and the risks presented by the solution.
- Manages and tracks the delivery of Security Training and Awareness campaigns.
- Assists in the development of content for Security Awareness campaigns.
- Develops an internal knowledge base of Security controls that is well written, searchable and logically organized.
- Actively contributes to the Security knowledge base to enable internal knowledge sharing and facilitate efficient audits and questionnaire responses.
- Supports the Security Audit function by reviewing evidence submissions for accuracy and completeness, following up on audit requests, and helping to establish a continuous monitoring function.
- Manages and performs quarterly access reviews ensuring completeness and accuracy of results and consistent evidence collection.
- Assist the Cotiviti vendor risk management function in the review, evaluation, and reporting related to vendors to ensure security requirements for proposed solutions, technologies, services and capabilities are properly considered.
- Supports the Risk Management function by reviewing and documenting Security exceptions and recommending appropriate actions.
- Assist in testing and verification of all offshore controls and in formulating reports documenting findings.
- Recommends and assists in the definition and implementation of security controls in accordance with enterprise policies, standards, and procedures.
- Assist in the planning, coordination, and management of client assessments at offshore locations.
- Act as interface between assigned business unit and security organization. Develop trusted adviser relationships with key stakeholders and internal groups.
- Assist assigned business units with solution development activities to ensure security requirements are appropriately identified, considered, and addressed. These services will include but will not be limited to security education, control identification and development.
- Identify exceptions to security control standards and assist in management and tracking of risk acceptance and/or remediation for identified exceptions.
Competencies
Communicates With Impact: Presents information and ideas in a thoughtful and compelling manner. Is clear and concise in verbal and written communications. Shares information freely and speaks openly and honestly. Seeks to understand the perspectives of others.
Drives and Delivers Results: Sets clear priorities, takes action, stays focused, and overcomes barriers to deliver expected results.
Solves Problems and Makes Good Decisions: Evaluates critical information needed to understand problems, determine probable causes, and develop workable solutions. Accurately assesses the costs, benefits, and risks associated with alternative courses of action and makes high quality and timely decisions.
Leads Change: Sees emerging patterns and opportunities. Adapts quickly and easily to new information, changing conditions or unexpected events. Facilitates and communicates change across the team or organization to drive adoption.
Lives Our Values: Behaves in a way that consistently demonstrates commitment to Cotiviti values (Integrity, Passionate Client Service, Teamwork, Accountability, Performance Excellence, and Continuous Improvement).
Information Security and Compliance: Demonstrates understanding of Cotiviti security policies, standards, procedures, and external regulatory and customer requirements. Maintains a strong working knowledge of risk and security related concepts, technologies, and industry leading practices. Assures confidentiality, integrity, and availability of Cotiviti business process and supporting information infrastructure and data when appropriate. Demonstrates the skills, knowledge, and ability to ensure a risk-based approach to security is being consistently applied.
Collaborates Effectively: Partners with internal customers, stakeholders, and interested parties to ensure positive outcomes and experiences. Ensures security is viewed as a valued asset by internal customers and stakeholders.