Information Security Governance, Risk and Compliance Analyst

Menlo Park, CA | Direct Hire

Post Date: 12/15/2017 Job ID: 7000 Industry: Software/Hardware

Job Description

Under the direction of the Information Security Governance, Risk and Compliance Manager, the Information Security Governance, Risk and Compliance Analyst will support risk management, training and awareness, and governance efforts to mitigate risks to Stanford Children’s Health and the Packard Children’s Health Alliance. The analyst will be part of a small dedicated team and is expected to be a hands-on team player.
The analyst interacts with IT and business stakeholders to identify and mitigate risks to critical infrastructure by conducting compliance assessments and applying effective mitigation strategies to ensure that information security controls are in place and being complied with. The analyst will be experienced in risk identification, tracking and mitigation. They will be exceptionally imaginative, collaborative, and truly excited about managing risk and enabling Stanford Children’s Health to achieve our mission of Extraordinary Care, Continual Learning and Breakthrough Discoveries.
Essential Functions:
The Information Security Governance, Risk and Compliance Analyst will support four primary sub-programs: 1. Information Security Risk Identification, Tracking and Mitigation; 2. Management of Policies, Standards & Guidelines; 3. Security Training and Awareness; and 4. Special Projects (as directed by the Information Security leadership team).
Risk Management

  • Provide support to the governance, risk and compliance management program to achieve and maintain certifications and attestations such as ISO 27001/27002, HITRUST, NIST and others as appropriate
  • Participate in the risk assessment process, and track and report on gaps through to closure and final resolution
  • Act as the primary point of contact for internal and external audits and assessments
  • Maintain and report out on the Stanford Children’s Health Information Security Risk Register
  • Working in collaboration with the IT and business operations teams, provide oversight of risk mitigations
  • Provide recurring risk reports to the CISO, the Information Security Governance, Risk and Compliance Manager, business stakeholders and IT leadership teams as directed


  • Responsible for developing, promulgating, and maintaining department cybersecurity policies and standards. Represents policy changes at OAT and the Change Management Committee (CMC).
  • Participates in the Standards and Guidelines Infrastructure Review Committee (SGIRC)
  • Promotes training, awareness and best practices within decentralized operations teams with regard to the processes and procedures needed to maintain a secure operating model


  • Conduct recurring IT compliance audit and testing (process and technical) engagements and track activities to completion. Maintain a history of testing, audit activities and attestations for future reference
  • Conduct self-assessments and coordinate third-party risk assessments of technology infrastructure and of operational processes and controls for assigned areas
  • Keep existing policies and procedures aligned with audit and security requirements
  • Participate in planning, scheduling and preliminary analysis for all internal and external audit projects
  • Coordinate audit activities, including notifying all affected parties of audit timing, scope, objectives, approach and deliverables, and scheduling with them
  • Establish agreement on, and support documentation of, process improvements related to security and compliance management


Minimum Qualifications:
Any combination of education and experience that would likely provide the required knowledge, skills and abilities as well as possession of any required licenses or certifications is qualifying.
Education: BA or BS in Computer Science, Management Information Systems, or related field, from an accredited college or university. CISSP, GIAC, or other security certifications preferred (willingness to obtain CISSP within first year is desirable).
Knowledge, Skills, and Abilities:

  • 3+ years of IT systems/information assurance experience
  • Demonstrated experience working with regulatory requirements and standards (PCI-DSS, SOC, ISO, BSI, GDPR, etc.) and frameworks (ISO, NIST, OWASP, etc.)
  • The ability to communicate complex security risks to non-technical staff
  • Ability to work with business owners on remediation plans that address identified gaps
  • Strong verbal and written communication skills and ability to influence others
  • Demonstrated experience in identifying, assessing, and mitigating, regulatory and compliance risk
  • Strong project management skills with experience defining objectives, identifying resource needs, and ability to execute detailed plans towards goal completion.
  • Ability to use independent judgment to make sound decisions and take action to solve problems
  • Technical understanding of cloud infrastructure, networking, access controls, and change management.
  • Strong analytical and problem solving skills are required.
  • Ability to plan, organize, prioritize, work independently and meet deadlines.
  • Ability to work in a collaborative, team environment.

Preferred Qualifications:
Experience in network security and relevant systems certifications. CISSP and/or CISA certification desired.
