Advertised Summary Job Description: The Information Security Risk Auditor will report to the Information Security Risk Manager within the Information Security Office (ISO). The auditor will conduct reviews of Certified IT Group information systems, platforms, and processes in accordance with established regulations and organizational standards. They will ensure compliance with these standards by examining records, reports, operating practices, and documentation, and will complete audit work papers by documenting audit tests and findings.
They will evaluate risk to the organization and establish controls to mitigate loss of data confidentiality, integrity and availability, while aligning those initiatives to the core organizational mission of Research, Care and Education. They will determine and recommend improvements to the current risk management framework and controls.
Responsibilities include: conducting IT audits on the Certified IT Group Program, IT assets and processes as they pertain to the CUIMC's Risk Analysis Program; evaluating and proposing solutions to mitigate risks under the established risk management strategies; assisting IT Groups with remediation planning and ensuring identified gaps have been appropriately managed in order to achieve certification; performing testing of controls for assurance and validation of IT asset compliance; reviewing compliance regulations and assisting with updating organizational compliance initiatives; assisting in the development of internal processes for streamlining risk analysis techniques; IT Groups' training content and initiatives; tracking information metrics as they pertain to the audit program, including dashboards, reports, and executive "roll-ups", including the Risk Assessment Program's Key Performance Indicators (KPI) and Key Risk Indicators (KRI); maintaining ongoing awareness of shifts in CUMC's compliance and threat landscape and recommending appropriate changes to the risk management program to identify and assess new risks; being an active member of the broader information security risk management community; maintaining understanding of current best practices by participating in peer groups, attending or presenting at appropriate industry conferences, and researching literature and security news sources; other duties as required.
General Minimum Qualifications: Requires a bachelor's degree or equivalent in education and experience, plus four years of related experience.
Additional Specific Minimum Qualifications: Candidate should have: strong background in IT risk analysis, auditing and/or information security practices with significant experience in a complex, multiplatform, higher education or healthcare IT environment; understanding of regulatory compliance and industry best practices towards maintaining compliance with HIPAA/HITECH, 21 CFR Part 11, PCI, FERPA and GLBA; familiarity with IT frameworks such as ISO, HITRUST, ITIL or COBIT; ability to prepare both executive and detailed reports on risk findings and status; ability to develop remediation plans and guide departments with remediation strategy; strong service commitment, and verbal, writing, and reporting skills; high level of integrity, and sound judgment concerning security and privacy; ability to plan and execute project plans; ability to understand and work with healthcare professionals, educators and researchers; ability to work independently with minimal supervision as well as be creative and innovative at conducting a high volume of risk analyses while reporting accurate and relevant risks to the appropriate constituents; CISA/CISM, or GIAC certified penetration tester (GPEN), or Certified Ethical Hacker (CEH), or any relevant GIAC certifications, CISSP, or CISA.
Preferred Qualifications: Experience working in a HIPAA/HITECH/OMNIBUS-regulated environment; functional knowledge of other relevant compliance regulations (PCI, FERPA, Data Breach Acts, FISMA) and security standards (HITRUST, PCI-DSS, ISO 27001/2, NIST); and experience working in an academic medical center or hospital environment is a plus.
As a member of the National Collegiate Athletic Association (NCAA) and the Council of Ivy Group Presidents (Ivy League), it is imperative that members of the Columbia University community, in all matters related to the intercollegiate athletics program, exhibit the highest professional standards and ethical behavior with regard to adherence to NCAA, Conference, University, and Department of Intercollegiate Athletics and Physical Education rules and regulations.
Columbia University is an Equal Opportunity/Affirmative Action employer.
Internal Number: 126_173650
About Columbia University
Columbia University is one of the world's most important centers of research and at the same time a distinctive and distinguished learning environment for undergraduates and graduate students in many scholarly and professional fields. The University recognizes the importance of its location in New York City and seeks to link its research and teaching to the vast resources of a great metropolis. It seeks to attract a diverse and international faculty and student body, to support research and teaching on global issues, and to create academic relationships with many countries and regions. It expects all areas of the university to advance knowledge and learning at the highest level and to convey the products of its efforts to the world.