Information Security Risk Analyst

Job Description

About Us:

As the leader of rehabilitative care, Encompass Health offers both facility-based and home-based patient care through its national network of rehabilitation hospitals that spans 42 states and Puerto Rico. Setting the standard for providing excellent care, Encompass Health has earned its place among Modern Healthcare’s “Best Places to Work in Healthcare” and the Fortune “World’s Most Admired Companies” for 2021 and Becker’s “Top Places to Work in Healthcare” for 2022.
Enjoy competitive compensation and benefits that start day one of employment, including:

  • Affordable medical, dental and vision plans provided to meet the needs of full and part-time employees and their families.
  • Generous paid time off that increases with tenure.
  • Tuition reimbursement and continuing education opportunities.
  • An employee assistance program for counseling and mental health needs.
  • Company-matching 401(k) and employee stock-purchase plans.
  • Flexible spending and health savings accounts.

Position Purpose:

The Information Security (IS) Risk Analyst is responsible for reducing the company's susceptibility to cybersecurity threats and vulnerabilities and for improving enterprise information security risk management policy, processes, and tools. This position requires familiarity with computing technology, healthcare regulatory requirements, cybersecurity standards, vulnerability scanning, and cybersecurity, risk management, and awareness toolsets. The position is responsible for identifying, assessing, prioritizing, and monitoring internal and external risks to information security, including those of 3rd and 4th parties (vendors) and cloud (data, access, and asset) security. The position supports efforts to prepare evidence for audits, assessments, and investigations and coordinates sometimes highly visible cybersecurity assessments conducted by 3rd parties. The IS Risk Analyst is adept at analyzing complex issues and distilling the needed organizational responses into prioritized, easy-to-comprehend, and actionable items.

Responsibilities & Tasks:

  • Validates the security configuration and controls of data and assets, located locally or in the cloud, and prioritizes remediation activities with operational teams.
  • Conducts vulnerability scans and testing in coordination with business units and IT, including maintaining vulnerability scan schedules, ensuring timely completion of scans, performing remediation scans as needed, troubleshooting false positive and false negative findings, and working with system administrators as needed to resolve reported findings.
  • Supports and enhances processes that reduce overall information security risk, e.g., phishing campaigns, awareness, and training.
  • Researches threats and vulnerabilities and, where appropriate, takes action to mitigate threats and remediate security controls and vulnerabilities.
  • Reviews, assesses, and coordinates remediation of penetration test and vulnerability assessment findings on information systems and infrastructure.
  • Monitors security vulnerability information from vendors and third parties.
  • Performs installation and configuration management of security systems and applications, including policy assessment and compliance tools, network security appliances and host-based security systems.
  • Assists and trains others in the application of tools, reports, processes, and the timely resolution of security issues.
  • Analyzes complex issues and distills the needed response into easy-to-comprehend, actionable items.
  • Tracks metrics/key performance indicators to communicate status and progress and to build awareness of IS risk management.
  • Coordinates cybersecurity risk/compliance assessments including those conducted by 3rd parties.
  • Conducts security assessments to enable informed decisions on third party engagements/contracts.
  • Researches and develops an understanding of applicable regulatory requirements and standards.
  • Engages with stakeholders to achieve timely remediation of gaps with known standards and practices.
  • Evaluates, procures, and implements tools that assist with process flows, metrics, and reporting.
  • Documents, establishes, and communicates information security policies, procedures, and practices.
  • Gathers and prepares evidence in support of audits, assessments, and investigations.
  • Communicates effectively, both verbally and in writing, with business, technical, end-user, peer, and executive audiences.
  • Coordinates regulatory responses on information security related issues.
  • Coordinates the distribution and implementation of IT-Security policies, standards, and guidelines.
License or Certification:

  • CRISC (Certified in Risk and Information Systems Control) preferred
  • CISSP (Certified Information Systems Security Professional) preferred

Minimum Qualifications:

  • Associate’s degree or equivalent work experience required; Bachelor's degree preferred
  • Experience in risk management and vulnerability management tools (e.g., Nessus, Tenable Security Center); tracking and monitoring vulnerabilities; developing and documenting security policies and procedures; applying security controls; mapping security controls to known frameworks (MITRE, NIST); and communicating with stakeholders
  • Experience with foundational technical concepts including:
    • vulnerability scanning, penetration testing, asset management, firewalls, networks, routers and switches
    • web-based technologies and VPN technology
    • TCP/IP networking
    • user authentication (e.g. Active Directory)
    • multifactor authentication (e.g., Duo, Okta, Windows Authenticator), encryption, Windows OS
    • Linux/Unix
    • firewalls in high-availability and clustered environments
    • virtualization
    • cloud computing (O365, M365)
    • patch management
    • awareness programs
    • scripting
  • Experience with regulatory compliance, cybersecurity standards, and audits (HIPAA, HITECH, NIST, PCI, Sarbanes-Oxley, and Privacy and Security)
  • Experience in layered security models, information/data security, network/transport security, systems security, application security, email security, cloud computing security, and web security
  • Experience in project management, stakeholder engagement and coordination, and working within a technical environment and its support-organization processes

Skills and Abilities:

  • Ability to utilize Adobe Pro and Microsoft Office products including Word, PowerPoint, Excel, and Visio.
  • Oral communication, written communication, fluency in English, active listening.
  • Information ordering, deductive reasoning, social perceptiveness, time management, critical thinking.
  • Ability to coordinate, analyze, observe, make decisions, and meet deadlines in a detail-oriented manner.
  • Ability to work independently without continuous supervision.

Schedule: Full-time
Job ID: 2230259