At Duke Health, we're driven by a commitment to compassionate care that changes the lives of patients, their loved ones, and the greater community. No matter where your talents lie, join us and discover how we can advance health together.

Occupational Summary

The Information Security Analyst provides support for a variety of operational and consultative functions as part of a Duke Information Security Office (ISO). The Information Security Analyst helps design, implement, manage, and monitor technical, administrative, and physical controls to protect the confidentiality, integrity, and availability of the organization's information assets. The Information Security Analyst will carry out these responsibilities in collaboration with IT, clinical, research, and management staff from across Duke. Duke Health Information Security Office analysts will perform work across multiple domains of information security but will have primary duties assigned specifically from analyst Working Titles.

Work Performed

This position has the Working Title of Governance and Risk Security Analyst. Duties specific to this position will primarily reside in the Governance and Risk/Vendor Risk Assessment area, with the primary objective of reviewing vendor security posture using standardized measures to ensure that the vendor meets Duke minimum security requirements.

Governance and Risk Security Analyst:
- Vendor risk assessment;
- Exception management;
- Security Policy management;
- Regulatory Compliance aligned with HIPAA, NIST CSF, CIS, and other security frameworks.

IAM Security Analyst:
- Assists in providing access support for the implementation and administration of IAM supported platforms to include Epic Maestro Care, Active Directory and disconnected applications;
- Ensures IAM solutions adhere to regulatory, compliance and internal requirements;
- Provides Break/Fix and enhancement support following existing change management
- Provides guidance on the implementation and usage of IAM capabilities in enterprise systems

Penetration Test Security Analyst:
- Conduct comprehensive penetration tests and security assessments of web applications, networks, systems, and infrastructure to identify security vulnerabilities, weaknesses, and exposures;
- Perform manual and automated penetration testing techniques, including but not limited to network penetration testing, static and dynamic application security testing, and device security testing;
- Analyze and interpret penetration test results, prioritize identified vulnerabilities based on risk severity, and provide actionable recommendations for remediation;
- Collaborate with cross-functional teams, including developers, system administrators, and security engineers, to address identified security issues and implement effective security controls and measures;
- Document and report findings, recommendations, and remediation steps in clear and concise reports tailored to technical and non-technical audiences.

Vulnerability Security Analyst:
- Identify and prioritize security vulnerabilities, weaknesses, and exposures based on risk severity, impact, and exploitability;
- Analyze and interpret vulnerability scan results, including vulnerability assessment reports, scan findings, and threat intelligence feeds, to identify emerging threats and potential security issues;
- Collaborate with cross-functional teams, including system administrators, network engineers, and software developers, to address identified vulnerabilities and implement appropriate remediation measures and security controls;
- Monitor and track the progress of vulnerability remediation efforts, escalate critical issues as needed, and ensure timely resolution of identified security risks;
- Develop and maintain comprehensive documentation, including vulnerability assessment reports and standards, security policies and procedures.

Tools, Architecture and Engineering Security Analyst:
- Deploy, configure and maintain security solutions and tools such as Endpoint Detection & Response, Web Gateway, Vulnerability Management, Data Loss Prevention, etc.;
- Act as an escalation point for issues, incidents and questions related to the security tool portfolio;
- Ensure that security tools are providing expected outcomes and that operational process and procedure are in place to utilize tools;
- Consult with partner IT teams to assist application owners in deploying solutions securely, choosing appropriate security measures and documentation of system security plans;
- Work with other IT architects and technical leads as the primary security liaison on large IT infrastructure and application projects.

Incident Response Security Analyst:
- Analyze findings from security monitoring systems to identify and respond to potential security incidents and data breaches;
- Participate in incident response activities. Conduct forensic investigations, isolate malware, perform threat modelling, and identify attack vectors;
- 24x7 on-call support rotation may be required.

Awareness and Training Security Analyst:
- Design and deliver awareness training for the organization's staff. Promote Security Culture activities;
- Design and deliver simulated phishing.

Business Continuity/Disaster Recovery Security Analyst:
- Coordinate completion of Business Impact Assessments (BIA), identify Recovery Time Objective (RTO) and Recovery Point Objective (RPO), and assign Criticality based on organizational priorities;
- Conduct continuity focused risk assessments with stakeholders, provide Criticality-appropriate recommendations focused on reduction of identified risks;
- Facilitate development and exercise of continuity, recovery, and restoration plans and track completion of any corrective actions identified throughout the process.

Core Competencies:

Across all analysts in the Duke Information Security Office, the following Core Competencies are established.
In addition, all analysts are expected to perform other related duties incidental to the work described herein.

LEVEL 1:
- Directed work on individual tasks as assigned by manager with direct supervision, oversight and guidance by manager;
- Assess risk and provide guidance on remediation planning using pre-established operating procedures and decision trees;
- Commitment to customer satisfaction;
- Strong written and oral communication skills;
- Attention to detail and organization.

LEVEL 2: In addition to the duties described for the Level 1, the Level 2 will:
- Independent work on individual tasks and projects as assigned by manager with limited supervision, oversight and guidance by manager;
- Assess risk and provide guidance on remediation planning using additional professional judgment and institutional knowledge. As requested by management, provide input for reports and analysis;
- Participate in activities that could have significant impact for operational, financial and/or risk improvement as directed by management;
- Lead and influence initiatives within the Duke Health ISO;
- Strong critical thinking, analytical, and problem solving skills;
- Ongoing knowledge of latest security trends, emerging threats and industry best practices;
- Strong interpersonal skills and the ability to build relationships with colleagues, customers, vendors, and other third parties.

Qualifications:

Education/Training: Level 1, 2 and 3 - Bachelor's degree in a related clinical or technical field, or four years of equivalent technical experience required.

LICENSURE/CERTIFICATION:
LEVEL 1: Security+ or equivalent is preferred.
LEVEL 2: In addition to the requirements described for the Level 1: One or more information security industry certifications (e.g. CISSP, CISM, CISA, CEH, or equivalent) are preferred.

________________________________________

Experience:
Level 1 - No experience required beyond the minimum education (or equivalency) requirement.
Level 2 - Two years of related experience is required.

________________________________________

Skills:

All Levels: Must have conceptual familiarity with the majority of the following information security practices, standards, and systems:
- Data Loss Prevention (DLP)
- Intrusion Detection and Prevention Systems (IDS/IPS)
- Security Information Event Management (SIEM) systems
- Virtual Private Network (VPN) systems
- Encryption technologies and standards
- Endpoint security
- Firewalls
- Cloud security platforms and tools
- Incident response
- Forensic investigation
- Network and/or application penetration testing
- Vulnerability management
- Vulnerability scanning tools
- Governance, Risk, Policy and Exception Management
- Business Continuity and Disaster Recovery (BCDR)
- Identity and Access Management (IAM)
- Risk assessment practices
- Security Awareness and Training

Must have a working knowledge of at least one of the following regulatory compliance requirements and IT management frameworks:
- FISMA
- NIST information security standards
- HIPAA Security and/or Privacy Rules
- HITECH and Meaningful Use
- HITRUST Common Security Framework (CSF)
- ISO 27000-series standards
- PCI DSS

________________________________________

The intent of this job description is to provide a representative and level of the types of duties and responsibilities that will be required of positions given this title and shall not be construed as a declaration of the total of the specific duties and responsibilities of any particular position. Employees may be directed to perform job-related tasks other than those specifically presented in this description.
________________________________________

Duke University is an Affirmative Action/Equal Opportunity Employer committed to providing employment opportunity without regard to an individual's age, color, disability, gender, gender expression, gender identity, genetic information, national origin, race, religion, sex, sexual orientation, or veteran status.

Duke aspires to create a community built on collaboration, innovation, creativity, and belonging. Our collective success depends on the robust exchange of ideas - an exchange that is best when the rich diversity of our perspectives, backgrounds, and experiences flourishes. To achieve this exchange, it is essential that all members of the community feel secure and welcome, that the contributions of all individuals are respected, and that all voices are heard. All members of our community have a responsibility to uphold these values.

________________________________________

Essential Physical Job Functions

Certain jobs at Duke University and Duke University Health System may include essential job functions that require specific physical and/or mental abilities. Additional information and provision for requests for reasonable accommodation will be provided by each hiring department.