FUJIFILM Holdings America Corporation

Cybersecurity Risk Analyst

No longer accepting applications

The Privacy & Cyber Risk Analyst will report to the Manager of Corporate Data Governance. This position will assist in reviewing Fujifilm companies' data privacy and governance toolsets to provide recommendations for enhancement to those tools and supporting processes. The incumbent will focus on how to better enable data privacy protection, applicable regulations (e.g., HIPAA (Health Insurance Portability & Accountability Act), GDPR (General Data Protection Regulation), etc.) and cybersecurity capabilities.

The incumbent will review results from security assessments and identify ways of addressing gaps through the deployment or enhancement of additional Fujifilm data governance/privacy policies, procedures, processes, and tools where applicable.

FUJIFILM Holdings America Corporation is the holding company for North America-based FUJIFILM companies operating in many states across the US, as well as in Canada, Brazil and Colombia, and engaged in the research, development, manufacture, sales and service of FUJIFILM products. The company serves a broad spectrum of industries in the U.S. including medical and life sciences, electronic, chemical, graphic arts, information systems, broadcast, and photography.

Responsibilities

System and Organization Controls 2 (SOC2)

  • Lead and manage support for all PCI, SOC 2 and other associated annual attestation programs.
  • Conduct process audits and evidence reviews monthly to ensure compliance by Information Technology.
  • Conduct procedural audits, checking for effectiveness and compliance with regulations and company policies.

Risk Assessments

  • Conduct and/or coordinate Information Technology security risk assessments for technology and security frameworks implemented by HLUS.
  • Organize and maintain the cyber security risk portfolio within Fujifilm’s Risk Register System.
  • The analyst will research leading practices which will support recommendations on how to appropriately integrate or align Fujifilm’s Data Governance, Data Management, Information Security, Organization and Risk Management policies and procedures as needed.
  • The analyst will work directly with application and data owners to drive the risk mitigation process.
  • Define and implement risk ratings, models, and hierarchies to identify the impact, severity, and overall risk of identified vulnerabilities.
  • Assign a preliminary risk profile by identifying the information security risk factors based on data classification, design, and functional purpose and use.
  • Complete a risk assessment evaluation which will articulate risk and impact analysis when security controls cannot be met by an initiative to ensure transparency and appropriate level of acceptance. Prepare and present findings to Information Security management and business sponsors.
  • Participate in the strategy and day-to-day operations of the Data Protection team, ensuring risk management process and procedures are aligned.
  • Evaluate third-party risks resulting from the requirements of business, customers, partners, vendors, suppliers, and technology or data related products. Prepare and present findings to Information Security management and business sponsors.
  • Regularly contribute to executive management reports covering Information Security risk treatment, risk mitigation and risk metrics.

Track

  • Review penetration and vulnerability testing results with key stakeholders. Provide scoring to prioritize remediation efforts.
  • Track, measure, validate, and report on risk identification, stakeholder notification, and remediation efforts for penetration and vulnerability testing.

Analysis

  • Assist the Legal Department with litigation matters. Perform eDiscovery searches to extract emails from O365 mailboxes. Assist the IT Infrastructure Helpdesk team with identifying individuals that may need their IT equipment retained for legal matters.
  • Determine if compensating controls are necessary due to inability to comply with the primary control requirements. Facilitate and help determine compensating controls when required.
  • Maintain Information Security policies, standards, procedures, and technical security baselines as required.
  • Collaborate and build relationships with IT colleagues’ core business partners for continued security education and awareness.
  • Advise and consult with the InfoSec team and stakeholders in the following control areas: authentication, authorization, access controls (network and user), secure transmission and storage, encryption/key management, segmentation and network zoning, data flows, third-party access and connectivity, and functional purpose.

Required Skills/Education

  • 2 - 4 years of risk analysis, audit, compliance, or other experience in a similar field of work.
  • A degree in Computer Science, IT, systems engineering, or related qualifications is preferred.
  • CISM, PCIP, ISA, or equivalent certifications preferred.
  • Experience working in a Shared Service Organization structure, supporting multiple industries/companies.
  • Experience working in the healthcare industry, with strong knowledge of regulatory requirements (e.g., HIPAA, FDA, HITRUST, etc.).

Desired Skills

  • Must possess strong analytical, troubleshooting and organization skills.
  • Must be team-oriented with proven skills in influencing people without having direct management authority and motivating them to successfully mitigate risk within required timelines.
  • Consistently demonstrates quality and effectiveness in work documentation and organization skills.
  • Proven experience or knowledge of data governance and privacy tools such as OneTrust, DLP solutions, and/or others is beneficial to this role.
  • Strong understanding of industry frameworks and best practices (e.g., NIST, ISO, OWASP, CIS, etc.).
  • Detailed understanding of network design, security protocols and cloud integration security.
  • Understanding of project management skills including design review, threat modeling and risk profiling while working across a large, distributed organization. Must apply understanding to a diverse IT community to include policy, regulations, and compliance requirements.
  • The ideal candidate must be able to convey complex security issues and risks while maintaining a positive relationship with key stakeholders.
  • Must have strong written and verbal communication skills and be able to summarize highly technical security findings for non-technical audiences.

Expectations

Within 6-9 Months:

  • Learn IT systems and operations of the Fujifilm HLUS Shared Service supported operations.
  • Demonstrate skills applicable to the responsibilities listed in this job description.

Within 9-18 Months:

  • Learn IT systems and operations of the Fujifilm HLUS Shared Service supported operations.
  • Have a firm understanding and working knowledge of all supported Fujifilm group IT operations within the Americas region to make improvement recommendations and ensure that the organization's data and infrastructure are protected by enabling the appropriate security controls.

Salary and Benefits:

  • $75,000 – $80,000 depending on experience.
  • Medical, Dental, Vision
  • Life Insurance
  • 401k
  • Paid Time Off

EEO/AGENCY NOTES

Fujifilm is an equal opportunity employer to all, regardless of age, ancestry, color, disability (mental and physical), exercising the right to family care and medical leave, gender, gender expression, gender identity, genetic information, marital status, medical condition, military or veteran status, national origin, political affiliation, race, religious creed, sex (includes pregnancy, childbirth, breastfeeding and related medical conditions), and sexual orientation, and any other status protected by federal, state, or local law.

To all agencies: Please, no phone calls or emails to any employee of Fujifilm about this requisition. All resumes submitted by search firms/employment agencies to any employee at Fujifilm via email, the internet or in any form and/or method will be deemed the sole property of Fujifilm, unless such search firms/employment agencies were engaged by Fujifilm for this requisition and a valid agreement with Fujifilm is in place. In the event a candidate who was submitted outside of the Fujifilm agency engagement process is hired, no fee or payment of any kind will be paid.

  • Seniority level: Mid-Senior level
  • Employment type: Full-time
  • Job function: Information Technology
  • Industries: Executive Offices
