Houston Methodist

Information Security GRC Analyst

Facility
Telecommute
Job Locations
US-TX-Houston
Category
Information Technology
Position Type
Full-Time
Department
IT - Information Security
Shift
1st - Day

Overview

At Houston Methodist, the Information Security Governance, Risk, and Compliance (GRC) Analyst is responsible for managing risks related to information security, privacy, and regulatory compliance within an organization. This role involves developing and implementing policies, assessing risks, ensuring compliance with industry standards and regulations, and implementing control measures to mitigate risks. Key responsibilities include conducting risk assessments, developing risk mitigation strategies, monitoring compliance with frameworks such as ISO 27001, GDPR, NIST, and SOX, conducting vendor risk assessments, and collaborating with different departments to manage risks and ensure compliance. The GRC Analyst also creates and maintains information security standards, conducts gap analyses, and prepares for regulatory examinations.

Houston Methodist Standard

PATIENT AGE GROUP(S) AND POPULATION(S) SERVED
Refer to departmental "Scope of Service" and "Provision of Care" plans, as applicable, for description of primary age groups and populations served by this job for the respective HM entity.

HOUSTON METHODIST EXPERIENCE EXPECTATIONS

  • Provide personalized care and service by consistently demonstrating our I CARE values:
    • INTEGRITY: We are honest and ethical in all we say and do.
    • COMPASSION: We embrace the whole person including emotional, ethical, physical, and spiritual needs.
    • ACCOUNTABILITY: We hold ourselves accountable for all our actions.
    • RESPECT: We treat every individual as a person of worth, dignity, and value.
    • EXCELLENCE: We strive to be the best at what we do and a model for others to emulate.
  • Practices the Caring and Serving Model
  • Delivers personalized service using HM Service Standards
  • Provides for exceptional patient/customer experiences by following our Standards of Practice of always using Positive Language (AIDET, Managing Up, Key Words)
  • Intentionally collaborates with other healthcare professionals involved in patients/customers or employees' experiential journeys to ensure strong communication, ease of access to information, and a seamless experience.
  • Involves patients (customers) in shift/handoff reports by enabling their participation in their plan of care as applicable to the given job
  • Displays cultural humility, diversity, equity and inclusion principles
  • Actively supports the organization's vision, fulfills the mission and abides by the I CARE values

Responsibilities

PEOPLE ESSENTIAL FUNCTIONS
  • Gathers feedback for continuous improvements on established employee and technology policies from IT and business partners.
  • Communicates risk findings and recommendations that are clear and actionable to all stakeholders.

SERVICE ESSENTIAL FUNCTIONS
  • Creates, maintains, and communicates information security standards.
  • Facilitates the remediation of control gaps and escalates critical issues to leadership.
  • Prepares for and facilitates examinations by security assessors for regulations.

QUALITY/SAFETY ESSENTIAL FUNCTIONS
  • Assesses and reports on the risks and benefits for the business, as well as the mandates for the supplier compliance.
  • Evaluates the effectiveness of the information security program by developing and analyzing compliance metrics.

FINANCE ESSENTIAL FUNCTIONS
  • Advises leadership on risk management strategies, including risk mitigation and risk transfer.
  • Maintains and registers relevant suppliers/vendors, controls, and risks for ongoing vendor risk management activities.

GROWTH/INNOVATION ESSENTIAL FUNCTIONS
  • Identifies, analyzes, evaluates, and documents information security risks and controls based on established risk criteria.
  • Conducts third-party risk assessments and recommends controls to mitigate identified risks.
  • Coordinates architecture reviews as part of third-party risk assessments.
  • Designs and documents technical, administrative, and physical controls to ensure compliance.
  • Assists with the review of information security sections within supplier contracts and recommends necessary changes.
  • Takes a best practice approach to information security to balance secure operations with innovation.

This job description is not intended to be all-inclusive; the employee will also perform other reasonably related business/job duties as assigned. Houston Methodist reserves the right to revise job duties and responsibilities as the need arises.

Qualifications

EDUCATION
  • Bachelor's degree in information security, information technology, computer science or other related technology degree

WORK EXPERIENCE
  • Five years of Risk and/or Governance, Risk & Compliance experience. An additional three years of experience is required in lieu of a level 2 certification in the assigned area of concentration.

License/Certification

LICENSES AND CERTIFICATIONS - REQUIRED
  • CISSP - Certified Information Systems Security Professional (IISSCC) OR
  • CRISC - Certified Risk and Information Systems Control (ISACA)

KSA/ Supplemental Data

KNOWLEDGE, SKILLS, AND ABILITIES
  • Demonstrates the skills and competencies necessary to safely perform the assigned job, determined through on-going skills, competency assessments, and performance evaluations
  • Sufficient proficiency in speaking, reading, and writing the English language necessary to perform the essential functions of this job, especially with regard to activities impacting patient or employee safety or security
  • Ability to effectively communicate with patients, physicians, family members and co-workers in a manner consistent with a customer service focus and application of positive language principles
  • Understanding of relevant laws, regulations, and standards
  • Knowledge of best practices for developing and implementing compliance programs
  • Ability to analyze complex data and identify trends or discrepancies related to compliance and risk
  • Proficient in both written and verbal communication to convey compliance issues and policies clearly

SUPPLEMENTAL REQUIREMENTS

WORK ATTIRE

  • Uniform No
  • Scrubs No
  • Business professional Yes
  • Other (department approved) No

ON-CALL*
*Note that employees may be required to be on-call during emergencies (i.e., disaster, severe weather events, etc.) regardless of the selection below.

  • On Call* No

TRAVEL**
**Travel specifications may vary by department**

  • May require travel within the Houston Metropolitan area Yes
  • May require travel outside Houston Metropolitan area Yes

Company Profile

Houston Methodist (HM) is one of the nation's leading health systems and academic medical centers. HM consists of eight hospitals: Houston Methodist Hospital, its flagship academic hospital in the heart of the Texas Medical Center, and seven community hospitals throughout the greater Houston metropolitan area. HM also includes an academic institute, a comprehensive residency program, a global business division, numerous physician practices and several free-standing emergency rooms and outpatient facilities. Overall, HM employs over 25,000 employees. Houston Methodist is supported by a wide variety of business functions that operate at the system level to help enable clinical departments to provide the best patient care and service in a spiritual environment.

In 2019 Houston Methodist and its physicians treated more than 6,333 international patients from more than 76 countries. Houston Methodist Global Health Care Services' consulting and education divisions also provide advisory services and training and development to health care organizations around the world.