
Senior Specialist - Information Security Risk Management

Cencora

What you will be doing

The charter of the Information Security Office (ISO) is to partner with AmerisourceBergen’s business units, other corporate support functions, and user community to protect the corporate brand, data and assets.

The ISO is responsible for the design, implementation, operation and maintenance of an information security framework, processes and systems, that protect AmerisourceBergen’s business, services, information and systems against unauthorized use, disclosure, modification, damage and loss.

Under general direction of the ISO, this position is responsible for implementation and management of multiple services, capabilities, controls and relevant components of the Information Security management framework at the enterprise level supporting one or more assigned AmerisourceBergen business units and affiliates.

Specific areas of responsibility include but are not limited to:

Driving implementation and management of appropriate processes and controls which help to assure that information, created, acquired or maintained by authorized users, is used in accordance with its intended purpose.

Proactive identification of information security risks and protecting information and infrastructure from external / internal threats by implementing processes which help to manage and reduce the overall risk impact.

Contributing to initiatives which help to ensure compliance with contractual, statutory and regulatory requirements, regarding information availability, integrity and confidentiality.

Operational responsibility for the development, implementation and delivery of appropriate security services and solutions to IT and directly to the business units and affiliates.

Executing actions to enforce policies, guidelines, standards, processes, procedures, best practices and services in the areas of application, infrastructure, systems and services security.

PRIMARY DUTIES AND RESPONSIBILITIES:

Leads and reviews application security risk assessments for new or updated internal or third-party applications.

Works directly with the customers, third parties and other internal departments and organizations to facilitate information security risk analysis and risk management processes and to identify acceptable levels of residual risk.

Monitors compliance with security policies, standards, guidelines and procedures.

Defines, recommends and manages security controls for information systems.

Monitors risk mitigation and coordinates policy and controls to ensure that other managers are taking effective remediation steps.

Manages the oversight of technical risk assessments, such as vulnerability scanning and penetration testing.

Reviews risk assessments, analyzes the effectiveness of information security control activities, and reports on them with actionable recommendations.

Develops processes and procedures for the information security governance program, including control document reviews, participant assessment preparation, meeting coordination, assessment finding mediation, assisting control owner with remediation plan development, tracking findings through remediation, progress monitoring, reporting and escalation.

Works with customers to identify security requirements using methods that may include risk and business impact assessments.

Consults with other business and technical staff on potential business impacts of proposed changes to the security environment.

Participates in the development of a Global Risk Framework.

Assesses threats and vulnerabilities regarding information assets and recommends the appropriate information security controls and measures.

Assists/performs or leads the security assessments and performs security attestations.

Participates in or leads the security investigations and compliance reviews as requested.

Conducts and reports on internal investigations of possible security violations.

Monitors and analyzes information security performance reports and escalates issues as needed.

Maintains contact with vendors regarding security system updates and technical support of security products.

Serves in an advisory role in application development and infrastructure projects to assess security requirements and controls and ensures that security controls are implemented as planned.

Collaborates with project managers to ensure that security risks are addressed throughout the project life cycle.

Informs stakeholders about compliance and security risks and activities affecting the assigned area or project.

Interfaces with business and IT leaders communicating security issues and responding to requests for assistance and information.

ADDITIONAL DUTIES AND RESPONSIBILITIES:

Assists in managing the budgets, controls and measurements to monitor progress

What your background should look like

EXPERIENCE AND EDUCATIONAL REQUIREMENTS:

In one of the following areas: Information Security, Cyber Security, Security Governance and Solutions or Identity and Access Management

3-5 years progressively responsible experience in the implementation and management of Information Security Shared services for a global corporation (Fortune 500)

Experience working in functional business and technical teams in a large and complex environment to deliver related capabilities and services.

Demonstrated success in professional contribution to an Information Security Framework, solution and service for a cross functional corporation.

Extensive experience with Healthcare regulatory and information security guidelines, audits as well as external audit processes and requirements

Demonstrated successful implementation of security control frameworks and standards such as ISO 27001, ISO 17799, COBIT, ITIL, NIST and PCI.

Certification in Information Security relevant areas such as Audit (CISA), Security Management (CISM), Security Professional (CISSP) and/or equivalent business experience in a matrix Organization desired.

Directly applicable International / Global Experience desired.

Good understanding of IT Security & Risk Management, strategic planning and the related tactical initiatives needed to achieve the plan.

MINIMUM SKILLS, KNOWLEDGE AND ABILITY REQUIREMENTS:

Demonstrated ability to meet objectives, deliver quality results in a high performance environment

Good skills interacting and mediating sensitive situations at all levels of the organization and with external customers and auditors.

Ability to easily defuse critical situations and manage actions appropriately.

Ability to communicate effectively both orally and in writing; ability to communicate with customers, associates and management in a cross functional matrix organization; solid teamwork and interpersonal skills

Strong presentation skills, ability to present and discuss business issues as well as technical information in a manner that establishes rapport, persuades others, and gains understanding at all levels of the organization

Ability to establish solid relationships with vendors in support of initiatives; ability to negotiate and manage outside vendors against deliverables.

Good business and financial planning, analytical, and conceptual skills to evaluate business risks and apply knowledge to identify appropriate solutions

Solid knowledge of information security principles and practices

Excellent interpersonal, communication and collaboration skills to successfully interact and influence employees and key business partners and providers at all levels

Good track record communicating and influencing others, in a diversified and international matrix organization. Adept at proposing, implementing and managing change while prepared to question the Status Quo

High level of personal integrity with the ability to professionally handle highly sensitive and confidential situations with Executives, Customers and 3rd parties

Ability to deal with ambiguity in dynamic and high speed and complex business environment

Demonstrated ability to serve as a respected member of a team of professionals and effectively communicate security-related concepts to a broad range of technical and non-technical management and staff.

What AmerisourceBergen offers

We offer a competitive annual bonus, life insurance from day 1 and a best-in-class health insurance package. As our employee you have the benefit of our referral bonus scheme, our boundless learning opportunities including language training and our global employee assistance program. We provide up to 6 fully paid benefit days a year and a wonderful office in Quadrum, equipped with everything you need for a small break at work and fresh snacks at all times.

Become part of our purpose-driven, multicultural team now and help us create healthier futures.

Monthly gross salary (gross/month): € 4931 - 7045

Location

    Vilnius, Vilnius County, Lithuania
    Konstitucijos Ave. 21B

Working hours

  • Full-time

Languages

  •  English
Contact person
Agnė Narkutė
+370 614 93835

AmerisourceBergen fosters a positive impact on the health of people and communities around the world by advancing the development and delivery of pharmaceuticals and healthcare products. As a leading global healthcare company, with a foundation in pharmaceutical distribution and solutions for manufacturers, pharmacies and providers, we create unparalleled access, efficiency and reliability for human and animal health. Our 41,000 global team members power our purpose: We are united in our responsibility to create healthier futures.



Company website: https://amerisourcebergen.com/