University of Massachusetts Medical School

Information Security and Compliance Analyst

2 weeks ago (12/4/2017 9:03 AM)

Under the general direction of the Information Security Officer (ISO), the Information Security and Compliance Analyst's primary role is to design, implement, and support information security programs that further the strategic goals of the University. This position is responsible for the development of, and adherence to, information security risk management objectives and solutions that protect the University's information and resources while offering tangible "business" value.


This is a critical role in UMASS Medical School's efforts to build a world-class Information Security organization. This position is an outstanding opportunity and will play an integral role in revitalizing the way that UMASS Medical School ensures that our information is protected against threats. We are seeking an innovative and critical thinker who thrives in an environment where their ideas and actions have an immediate and positive impact. You will be joining our Information Security Team, helping to align efficient and customer-focused solutions with cutting-edge security tools. You will work closely with key stakeholders within business, research and academic areas, leading the effort to ensure data security governance in ways that provide best-in-class security protection while enabling our employees and students to excel. This individual should be comfortable leading efforts that address existing information security challenges. You will play a critical role in revamping how we provide security services, with a focus on enabling our Academic, Research and Business Stakeholders.



  • Develop, communicate, and implement information security programs that address people, process and technology risks
  • Develop and manage University-wide risk management, assessment, and remediation programs that meet University requirements and federal and state regulations
  • Coordinate the University’s security compliance management and response initiatives
  • Develop and manage information security policies and standards based on industry best practices and compliance requirements
  • Develop and enhance risk management processes and play a lead role in publishing and communicating policies that provide clear direction and guidance
  • Develop and manage a security information response process that standardizes and streamlines how requests for University information security control information are captured and disseminated
  • Inform and educate University students and employees of their responsibility for protecting sensitive assets and resources
  • Develop, implement, and maintain a University-wide information security awareness and education program that defines enterprise-wide risk assessment, classification and remediation requirements and processes while focusing on continuous improvement
  • Facilitate internal and third-party information security risk assessments and work closely with functional groups or departments to prioritize and remediate findings
  • Drive the implementation of a framework to support Governance, Risk and Compliance (“GRC”) objectives. Realize significant, measurable gains in GRC practice maturity
  • Act as a risk and compliance thought leader within the University, provide end-to-end expert guidance on how to manage relevant security risks, influence priorities and decisions across the organization
  • Communicate strategic vision and agenda to key stakeholders to ensure proper alignment and support, provide insightful advice and skillful execution
  • Provide end-to-end expert leadership on how to effectively achieve and sustain compliance with regulatory, industry and contractual obligations, as well as information security policies and practices
  • Ensure that contracts provide adequate protection in the areas of legal/regulatory compliance and information security
  • Direct security risk assessments and manage testing of information security controls
  • Participate in internal and external audits involving information security controls; assist stakeholders in providing audit responses and remediating security control findings
  • Work closely with attorneys, regulators and third parties while representing the University's security position
  • Drive continuous improvement in information security risk and compliance based on expert knowledge in domain areas, industry best practices, business objectives and risk tolerances
  • Lead initiatives to regularly assess the adequacy and effectiveness of information security controls, security policies, remediation activities, and compliance as related to processes and workflows, and initiate actions to ensure that compliance and security gaps are successfully addressed
  • Represent the IT organization in interactions with internal and external auditors, attorneys, regulators and other third parties within the scope of their domain expertise
  • Partner with IT and program management teams to define and implement a secure SDLC framework
  • Perform other duties as required.



  • Bachelor's degree in an Information Technology, Information Security, or Compliance discipline, or equivalent experience
  • 7 years of experience in an information security, privacy, or compliance thought-leadership role
  • Experience in the successful development and implementation of enterprise-wide information security programs which reduce risk
  • Experience in implementing a risk management program which defines risk assessment and remediation requirements, in conducting information security risk assessments which map to ISO/IEC 27000, NIST, BITs, etc., and in defining and implementing SDLC security requirements
  • Experience in developing an information security policy, writing effective information security policies and standards, and in protecting PHI in compliance with HIPAA, HITECH, FISMA, etc.
  • Ability to collaborate with IT, executive management, and business stakeholders towards achieving business and security objectives
  • Excellent oral and written communication skills
  • Ability to travel to off-site locations


  • Additional information security management qualifications such as GSEC, CISM or CISA
  • Experience in a higher education environment
  • Demonstrated knowledge of information security standards such as ISO/IEC 27000, NIST, FISMA, PCI, etc.

Additional Information