
Milliman

Sr. Information Security Analyst Internal Review

Posted a month ago

Job Description

Job Summary

The primary responsibility is to review the security controls in place at Milliman's global office locations (known as Practices) to ensure the controls are implemented and that security threats are identified and remediated within established timeframes. Reviews are conducted either remotely through video calls or through in-person visits to the office being assessed. This entails assessment preparation work, fieldwork (i.e., conducting meetings with Practice leadership and IT resources), requesting and reviewing supporting evidence of compliance, and preparing reports and recommendations. This position is part of a team of collaborative reviewers located in the US and India. It functions as a member of the Information Security team and reports to the Information Security Manager in India.

In addition to the Information Security Review Program, this role has adjunct responsibilities to assist the US Governance, Risk, and Compliance (GRC) team with reviewing contract terms (and other legal agreements), responding to client information security questionnaires, and supporting various ad-hoc GRC projects.

Job Requirements

1. (70%) Internal Security Reviews (ISR)

  • Utilize industry knowledge and technical expertise to help management effectively address the risks associated with their business.
  • Identify key risks, controls, and opportunities for control optimization, including security configuration controls and business processes, across diverse environments.
  • Apply understanding of the Milliman Information Security Policy and applicable security standards within the context of local business operations.
  • Ability to review and understand client contracts and incorporate client requirements into assessment reviews.
  • Prepare comprehensive assessment reports detailing findings and actionable recommendations for IT support and senior management.
  • Ensure timely completion of tasks per project phase.
  • Proactively identify and escalate project risks and/or delays to management.
  • Oversee remediation efforts, track progress, and follow up with practice offices where ISRs have been conducted.
  • Support and maintain aggregate risk reporting to be delivered to the CISO, CIO and Audit Committee (bi-weekly, quarterly, annually).
  • Provide input and assistance in maintaining ISR templates, checklists, and reports, particularly when updates to policies and standards impact the team's documentation.

2. (20%) Support Review of Information Security Terms (Contract Review) & Response to Clients' Information Security Questionnaires

  • Complete review of and response to legal agreements, RFP requests, and IS questionnaires within the GRC Team's SLAs to ensure consistency with the Milliman Information Security Policy and established guidelines.
  • Task includes regular collaboration with internal Legal and GRC Teams.

3. (10%) Ad-hoc GRC Projects

  • Examples include annual projects such as reviewing and recommending control updates for the Milliman Information Security Policy and security standards, updating supporting documents when policies and/or standards change, and assisting with training related to compliance activities such as BCDR documentation or testing.
  • Improving processes or implementing automation to manage routine tasks.
  • Obtain and provide artifacts for external auditors as requested by internal stakeholders, to support Milliman's HITRUST certification and SOC 2/SOC 1 Practice audits.

Skills & Qualifications Required

  • 7+ years of experience in a range of roles including information technology, information security, and/or information technology/security audit roles.
  • Appropriate education such as a Bachelor's degree in Computer Science or Cyber Security (or equivalent years of relevant professional hands-on work experience).
  • Excellent English verbal and written communication skills.
  • Experience with information security frameworks and standards, including ISO 27001/2 and NIST SP 800-53; compliance requirements such as HIPAA, HITRUST, and GDPR; and industry frameworks like SOC 2 and COBIT.
  • Ability to interpret information security data and processes to identify potential compliance issues.
  • Ability to integrate AI tools into the primary workflow to reduce time spent on routine tasks such as data analysis, report generation, or ISR report writing.
  • Strong technical knowledge of information systems and their security areas, such as networking, operating systems, and identity and access management.
  • Ability to clearly and effectively communicate Information Security matters to executives, IT administrators, and end users.
  • Advanced skills in Microsoft Office applications (e.g., O365, Word, Excel, PowerPoint).
  • Excellent project management skills, including the ability to prepare, prioritize, and complete work plans independently.
  • Decision-making and problem-solving skills, including the ability to clearly define and resolve issues.
  • Engage other team members and managers when there is capacity to take on more assignments.
  • Ability to work within a globally distributed organization.
  • Willingness to travel (generally in the Asia region, up to 20-25% annually) may be required to support the Information Security Review program.

Skills & Qualifications Preferred

  • CISSP, CISA, CRISC, CISM, or equivalent certification.
  • Willingness to pursue professional growth, such as attending seminars or conferences or obtaining additional certifications.
  • Experience with the secure software development lifecycle (SDLC).
  • Understanding of cloud security controls; hands-on security configuration experience is a plus.
  • Familiarity with reviewing legal agreements and related security terms.
  • Experience with the insurance, finance, or professional services industries.
  • Microsoft SharePoint administration experience.
  • Experience with reporting and automation tools such as Power BI, Fabric, and Power Automate.


About Company

Milliman, formerly Milliman & Robertson, is an international actuarial and consulting firm based in Seattle, Washington. The company was founded in 1947 by Wendell Milliman and Stuart A. Robertson and operates 59 offices internationally, with over 3,000 employees.

Job ID: 143765781