Sr IT Bus Systems Analyst – Security

Medtronic

POSITION DESCRIPTION 
The Global Privacy and Security Office risk assessment team partners with IT, business, and project teams to perform security risk assessments for applications, infrastructure, and vendor / third parties. This position will focus on performing risk assessments for internal and external partners through reviews of security requirements, policy and technical controls, and tracking of security exceptions and remediation.
This is an individual contributor role responsible for conducting internal and external information security risk assessments, including identifying and communicating information security risk, providing recommendations for risk reduction, and tracking and resolving security issues of advanced complexity. This position requires an ability to analyze complex projects, and to identify relevant risk and security policies and gaps. This role works independently with project teams and requires advanced oral and written communication skills.
POSITION RESPONSIBILITIES
Work independently with end-users and business partners to assess the business customer requirements, match these requirements to objectives and guide them to the applicable processes and products, including developing specifications and enhancements that will achieve the customer's and business goals.
Perform hands-on IT security risk assessments of both new and existing in house and vendor based systems.
Prepare formal written reports to communicate assessment results
Document and communicate recommended security controls and deficiencies.
Contribute to company standards and policies related to IT security risks.
Monitor third party vendor deficiencies and policy exceptions and provide solutions to mitigate risk and remediate control deficiencies. 
Assess the security controls and residual risks of applications and systems, to effectively communicate those controls and risks, and to work collaboratively across the enterprise to reduce the identified risks. 
Perform interviews, analyze design documents, review output from automated scanning tools, assess threat and vulnerability information to evaluate project and process designs, applications, network infrastructure and information systems, and determine security compliance and overall security risk, based on corporate policies, security requirements documents, industry common practice, and legislative and legal requirements. 
Coordinate and perform holistic security audits and vulnerability assessments to assess internal security procedures and compliance requirements. 
Work with relevant internal IT Application, Infrastructure, Network, Project and Support teams to ensure that appropriate security controls are identified and implemented at all significant and relevant phases of all IT processes. 
Manage the expectations of the customer (i.e. balance their needs with wants and educate as appropriate).
Develop solutions to problems of unusual complexity, which require a high degree of ingenuity, creativity, and innovativeness. Challenges are frequently unique and solutions may serve as precedent for future decisions.
Analyzes complex issues and significantly improves, changes, or adapts existing methods.
Market and communicate program vision to project teams, key business stakeholders, and executive leadership.
Communication planning, information distribution, performance reporting, and administrative closure.
Oversee the translation of functional business requirements to technical solutions and articulate these solutions to high-level audiences. 
Provide detailed functional knowledge and maintain insight to current industry best practices and how they can be applied to Medtronic. 
Ensure that Medtronic’s systems and the information on them are protected in accordance with Medtronic’s Information Protection Policies and Standards, as well as best Information Protection practices.
Works with very little direction towards predetermined long-range goals and objectives.
Work checked through consultation and agreement with others rather than by formal review of superior.
Establishes streamlined processes and structures that accelerate change initiatives; plays a leadership role in change efforts 
Translate business and IT security and privacy requirements to solution designs and implementation plans.
Follow the Medtronic Global IT engagement management model as well as ensure it is aligned with corporate engagement models 
Escalate security and privacy issues as appropriate.
IN ORDER TO BE CONSIDERED FOR THIS POSITION, THE FOLLOWING BASIC QUALIFICATIONS MUST BE EVIDENT ON YOUR RESUME 
BASIC QUALIFICATIONS
EDUCATION REQUIREMENTS:
GED/High School Degree
YEARS OF EXPERIENCE:
12+ years of IT experience with a GED/High School Graduate
8+ years of IT experience with Associate Degree
4+ years of IT experience with a Bachelors Degree
2+ years of IT experience with a Masters Degree
DESIRED/PREFERRED QUALIFICATIONS: 
Bachelors Degree
Experience creating risk mitigation strategies
Strong demonstrated knowledge of IT risk management gained as a practitioner
Five years of experience with Information Security and Risk related processes, technologies and toolsets
Proven experience performing controls testing in compliance and vendor related audits or assessments for a large organization 
Knowledge of security and privacy law/regulations, especially SOX, PCI, GLBA, HIPAA
Knowledge of Industry Information Technology Standards and Control Frameworks (NIST, ISO 27000 series, COBIT, COSO, etc) 
Broad knowledge of many aspects of information security with in-depth understanding and hands on experience of many of the following areas: Firewalls, IDS/IPS, VPN, Authentication technologies, Web Filtering, Proxy Firewalls, network taps and tap aggregators 
Information Security, Privacy and Governance, Risk & Compliance (GRC) certifications a plus (SSCP, CIA, CISA, CISSP, CRISC, CISM, CIPP, GIAC etc.) 
Extensive background in all aspects of information security, technology governance and compliance processes.
Expert knowledge in risk assessment methodologies, security frameworks and relevant global regulations.
Possess highly developed skills in information security risk management in a complex, networked environment.
Expert knowledge of security techniques and technologies.
Strong capability to research and evaluate emerging technologies.
Strong understanding of the software/hardware/tools to support and manage the IT Security environment
Strong written and oral communication skills, including facilitation and an ability to explain complex concepts to technical and non-technical areas in the organization 
Ability to work independently with minimal supervision.
Creative problem solving skills and capability to understand complex technical issues and new technologies in a fast paced work environment. 
Knowledge of a broad range of technologies including, but not limited to:
Endpoints – Desktop, Laptop, Servers, and Mobile – Hardware and OS
Networking – Voice and Data
Storage and Databases
Virtualization
Middleware and Web
Cloud – Internal and External/Public – Infrastructure and Software
Identity and Access Management – Active Directory & LDAP – Federation & SSO
Vulnerability Scanning and Penetration Testing
Knowledge and understanding of different security products (web/email filtering, disk encryption, IDS/IPS, antivirus, vulnerability scanning, DLP, firewall, SIEM etc.) 
In-depth knowledge of networks and systems with ability to understand security requirements documents for such assets as routers, switches, firewalls, Windows and UNIX systems, database systems, applications, and security architectures 
Understanding of IT Health regulatory environment including HIPAA, PHI and PCI-DSS
Demonstrated knowledge of information security and privacy concepts, best practices, and strategies
Excellent judgment and decision making skills when under pressure
Sound business and technical acumen
Experience with Lockpath Keylight or other GRC tools (e.g. Archer, Agiliance, BWise, BPS, Chase Cooper, Paisley, etc.) to understand, evaluate and quantify risk.
Familiarity with Risk Assessment methodologies
Knowledge of software development methodologies, application security, and OWASP guidelines
Experience with incident response and forensics
An understanding of ITIL concepts (foundation knowledge or above) and procedures.
PHYSICAL JOB REQUIREMENTS:
The physical demands described within the Responsibilities section of this job description are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
While performing the duties of this job, the employee is regularly required to be independently mobile.
The employee is also required to interact with a computer, and communicate with peers and co-workers.
ABOUT MEDTRONIC:
Together, we can change healthcare worldwide. At Medtronic, we push the limits of what technology can do to help alleviate pain, restore health and extend life. We challenge ourselves and each other to make tomorrow better than yesterday. It is what makes this an exciting and rewarding place to be.
We can accelerate and advance our ability to create meaningful innovations – but we will only succeed with the right people on our team.  Let’s work together to address universal healthcare needs and improve patients’ lives.  Help us shape the future.
EEO STATEMENT: 
It is the policy of Medtronic to provide equal employment opportunity (EEO) to all persons regardless of age, color, national origin, citizenship status, physical or mental disability, race, religion, creed, gender, sex, sexual orientation, gender identity and/or expression, genetic information, marital status, status with regard to public assistance, veteran status or any other characteristic protected by federal, state or local law.  In addition, Medtronic will provide reasonable accommodations for qualified individuals with disabilities.
This employer participates in the federal E-Verify program to confirm the identity and employment authorization of all newly hired employees. For further information about the E-Verify program, please click here:  
http://www.uscis.gov/e-verify/employees
 
DISCLAIMER:
The above statements are intended to describe the general nature and level of work being performed by employees assigned to this classification. They are not intended to be construed as an exhaustive list of all responsibilities, duties and skills required of employees assigned to this position.