Product Security Analyst

Position Summary:

The Product Security Analyst - Governance, Risk & Compliance is responsible for the following information security services:

• Governance services
• Risk Management services
• Compliance services
• Secure by Design services

The Product Security Analyst, Governance Risk & Compliance scope of responsibility is global and covers all areas impacting Carestream including product, customer and third/fourth party information security risk.

Position Responsibilities:

Governance Services

• Create and maintain metrics in support of the product security GRC function. These metrics will be provided in support of the security governance.
• Develop and maintain all information security policies and standards for product and vendor information security controls.
• Develop and maintain product information security education, training and awareness materials for employees/contractors and customers.

Risk Management Services

• Perform Carestream risk assessments (especially product related) and the oversight, prioritization and tracking of required risk mitigation actions.
• Perform Customer required product security risk assessments and the review, approval, prioritization and tracking of customer contractual obligations.
• Perform product supplier security risk assessments.
• Maintain the product content of the information security risk register.
• Maintain the shared product security requirements specification.
• GRC tool management and integration.

Compliance Services

• Maintain awareness of global cybersecurity and privacy medical device regulations.
• Ensure compliance with all global information security laws and regulations applicable to Carestream’s products or data.
• Prioritize and coordinate and track action plans to address compliance gaps and incorporate them into the risk register and the corrective action plan.

Secure by Design Services

• Duties in support of Secure by Design for Carestream products, including post-market management / patching.

Required Skills & Education:

• Bachelor’s Degree in IT, Engineering, Computer Science, Management or commensurate experience
• Minimum 6 months cybersecurity and/or software product development experience (Co-op/intern experience will be considered.)
• Ability to collect and analyze facts from multiple sources and quickly develop and communicate hypotheses and recommendations to peers and senior leaders in an effort to facilitate rapid decision making and reach consensus
• Ability to determine and evaluate risks
• Demonstrate excellent written, oral and interpersonal skills with personnel at all levels.
• Excellent technical writing skills
• Exhibits a high degree of integrity, initiative and motivation

Preferred Additional Skills:

• Knowledge of global standards related to cyber security and privacy, such as NIST or ISO
• Knowledge of industry specific regulations, such as healthcare and medical devices
• Understanding of product and application security concerns, such as OWASP application security risks
• CISSP or Similar Certification 

Knowledge of specific regulations and frameworks:

• NIST Cybersecurity Framework 800-53 & 800-171
•  ISO 27000 Series
•  ISO 62443 & 62304
•  HIPAA / HITRUST
•  Privacy regulations, such as GDPR & CCPA
•  U.S. Department of Defense Risk Management Framework (RMF) ATO process
•  FDA Medical Device Regulations, such as their Pre and Post Market Guidance of Cybersecurity
•  FDA submissions with cybersecurity requirements for medical device hardware and software.
•  EU MDR (Medical Device Regulations)

Work Environment:

Office/hybrid