IT Governance Risk Compliance @ Blue Cross Blue Shield

Awarded a Healthiest Employer, Blue Cross Blue Shield of Arizona aims to fulfill its mission to inspire health and make it easy. AZ Blue offers a variety of health insurance products and services to meet the diverse needs of individuals, families, and small and large businesses as well as providing information and tools to help individuals make better health decisions.

At AZ Blue, we have a hybrid workforce strategy, called Workability, that offers flexibility with how and where employees work. Our positions are classified as hybrid, onsite or remote. While the majority of our employees are hybrid, the following classifications drive our current minimum onsite requirements:

Hybrid People Leaders: must reside in AZ, required to be onsite at least once per week
Hybrid Individual Contributors: must reside in AZ, unless otherwise cited within this posting, required to be onsite at least once per month
Onsite: daily onsite requirement based on the essential functions of the job
Remote: not held to onsite requirements, however, leadership can request presence onsite for business reasons including but not limited to staff meetings, one-on-ones, training, and team building

Please note that onsite requirements may change in the future, based on business need, and job responsibilities. Most employees should expect onsite requirements and at a minimum of once per month.

PURPOSE OF THE JOB

The GRC specialist is responsible for the administration and development of the GRC platform, associated IT processes, and risk management. Creates, edits, and publishes corporate and desktop policies, procedures, and standards. Serves as IT internal and external audit liaison interface for regulatory issues, IT compliance, and governance. The GRC Specialist will perform analytics, manage remediation items, and report on overall progress and compliance health of projects that have been assigned. This position will be responsible for maintaining a continuous process improvement work environment while leveraging industry standards and best practices.

REQUIRED QUALIFICATIONS

Required Work Experience

Level 1:

·2 years of experience in information technology or computer systems

·1 year of experience in information security and/or compliance

Level 2:

·4 years of experience in information technology or computer systems

·2 years of experience in information security and/or compliance

·1 year of experience in IT audit and/or risk management

Level 3:

·6 years of experience in information technology or computer systems

·4 years of experience in information security and/or compliance

·2 years of experience in IT audit and/or risk management

·1 year of experience in project or team leadership

Level 4:

·8 years of experience in information technology or computer systems

·6 years of experience in information security and/or compliance

·4 years of experience in IT audit and/or risk management

·2 years of experience in project or team leadership

Required Education

High-School Diploma or GED in general field of study

Required Licenses

Required Certifications

PREFERRED QUALIFICATIONS

Preferred Work Experience

Level 1

·2 years of experience in information technology or computer systems

·2 years of experience in information security and/or compliance

Level 2

·6 years of experience in information technology or computer systems

·3 years of experience in information security and/or compliance

·2 years of experience in IT audit and/or risk management

Level 3

·8 years of experience in information technology or computer systems

·6 years of experience in information security and/or compliance

·4 years of experience in IT audit and/or risk management

·2 years of experience in project or team leadership

Level 4

·10 years of experience in information technology or computer systems

·8 years of experience in information security and/or compliance

·6 years of experience in IT audit and/or risk management

·4 years of experience in project or team leadership

Preferred Education

Bachelor’s Degree or higher in computer science, information systems, business, or related field (All Levels)

Preferred Licenses

Preferred Certifications

Certified Information Systems Security Practitioner (CISSP), Certified Information Security Manager (CISM), Certified Information Security Auditor (CISA), Certified Risk and Information Systems Control (CRISC), or any security related certification

ESSENTIAL JOB FUNCTIONS AND RESPONSIBILITIES

Strategy, Policies, and Frameworks

In-depth knowledge of information security management frameworks (NIST CSF, NIST 800-53, PCI-DSS, HITRUST, ISO), healthcare industry standards and regulations (HIPAA, CMS, URAC, AHCCCS, NCQA, State Privacy Law), and other legislative documentation requirements.
Partners with leadership, management, and subject matter experts to develop appropriate internal controls in accordance with industry standards and best practices.
Works with the GRC Manager and Chief Information Security Officer (CISO) to ensure policies and content are aligned with approved strategic plan.
Develops and/or facilitates in the development of new procedures and processes that support advancing technologies or capabilities.
Develop and maintain the on-going annual reviews of information security policies, standards, procedures, and processes.
Identifies opportunities to improve procedures and processes that support a culture of information security compliance.
Provide subject matter expertise to business and project teams to define information security governance and compliance policy and technical requirements.
Evaluates high-level project information and components to forecast work effort required.
Participates in large- or complex-technical projects including disaster recovery exercises, scoping, and testing.

GRC Tools Support

Administer GRC tools including uploading, updating, and managing content, and overall system management.
Conduct GRC tool user training sessions, develop training materials, and provide ongoing support to end users to ensure efficient tool use.
Assist with tools configuration and updates to align with organizational needs, participating in testing before production deployment

Risk Management

Performs risk and control effectiveness tests, risk analyses, and assessments.
Collaborate with internal stakeholders to drive implantation of effective risk treatment plans of identified risks from external assessments, internal scans, and third parties.
Analyze and prepare routine GRC metrics and effectiveness testing relating to ongoing measurement.
Works the GRC Manager and CISO to prepare executive- and board-level metrics and reporting.

Third-Party Cyber Risk Management

Assist in enhancing third-party risk management activities through refined assessment methodologies, process innovation, and comprehensive vendor risk analysis.
Perform vendor security and privacy risk assessments for third-party suppliers
Review and analyze content of the security and privacy risk questionnaire of third-party suppliers
Monitor the ongoing security and privacy risk of third-party suppliers and prepare reports for management

Training and Awareness

Develop and maintain security awareness training for new hires and annual refreshers.
Educate workforce on compliance and governance practices through individual training, Intranet articles, etc.
Consults with workforce members on information security governance and compliance issues, documentation standardization, and other related concerns or questions.

Audit and Compliance Support

Collaborate with internal and external auditors to facilitate security audits and assessments and control testing for in-scope applications.
Support audit readiness by organizing and maintain accurate and current data in GRC tools.
Partner with legal and compliance teams to analyze new and upcoming industry regulations related to cybersecurity controls, risk management and reporting, and external reporting requirements for compliance.

ALL LEVELS

Each progressive level includes the ability to perform the essential functions of any lower levels and mentor employees in those levels.
The position requires a full-time work schedule. Full-time is defined as working at least 40 hours per week, plus any additional hours as requested or as needed to meet business requirements.
Perform all other duties as assigned.

COMPETENCIES

REQUIRED COMPETENCIES

Required Job Skills (Applies to All Levels)

Proficient in spreadsheet, database and word processing software
Strong knowledge of information security frameworks and standards, including NIST, HITRUST, ISO, PCI-DSS
Extensive knowledge of data security and privacy laws and regulations, including HIPAA and other regulations related to data security and privacy.
Experience with server and endpoint hardware components
Experience with current cloud technologies
Strong knowledge of Microsoft Visio, PowerPoint, Excel, and SharePoint

Required Professional Competencies (Applies to All Levels)

Strong analytical skills and attention to detail
Intermediate knowledge or power user of Microsoft Visio, PowerPoint, Excel, and SharePoint
Effective interpersonal skills and ability to maintain positive working relationship with others
Verbal and written communication skills and the ability to interact professionally with diverse groups, including executives, managers, and subject matter experts
Ability to write and present business intelligence documentation
Analytical knowledge necessary to generate reports and make decisions based on available data
Ability to maintain confidentiality and privacy

Required Leadership Experience and Competencies

Work experience with 3rd party consulting firms, and/or Big 4 firms
Facilitate and resolve customer requests and inquiries for all levels of management. (Applies to Levels 2 - 4)
Build synergy with a diverse team in an ever changing environment. (Applies to Levels 3 - 4)

PREFERRED COMPETENCIES

Preferred Job Skills (Applies to All Levels)

Knowledge of current and upcoming governance, risk, and compliance technologies, platforms, and best practices
Ability to use critical judgment to make decisions and solve problems involving various levels of complexity, ambiguity, and risk.
- Ability to prioritize tasks and work with multiple priorities, sometimes under limited time constraints.

Preferred Professional Competencies (Applies to All Levels)

Minimum 6 years’ experience within a GRC role working with information security frameworks and standards including NIST, PCI-DSS, HITRUST, ISO 27001.
Minimum 6 years’ experience working with all phases of audit life cycle in IT Auditor Role or GRC Audit Liaison role

Preferred Leadership Experience and Competencies (Applies to All Levels)

Extensive experience and progressive responsibilities at 3rd party consulting firms, and/or Big 4 advisory firms
Ability to develop key working relationships to support the strategic direction, both internally and external to the department and company.
Provide leadership, promote teamwork, meet objectives and exercise independent judgement.
Ability to prioritize tasks and work with multiple priorities, sometimes under limited time constraints.

Our Commitment

AZ Blue does not discriminate in hiring or employment on the basis of race, ethnicity, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, protected veteran status or any other protected group.

Thank you for your interest in Blue Cross Blue Shield of Arizona. For more information on our company, see azblue.com. If interested in this position, please apply.

IT Governance Risk Compliance

GRC, Specialist

Blue Cross Blue Shield

PURPOSE OF THE JOB

ESSENTIAL JOB FUNCTIONS AND RESPONSIBILITIES

COMPETENCIES

Keyword Match

Simplify's Take

What believers are saying

What critics are saying

What makes Blue Cross Blue Shield unique

Benefits