Product Security Analyst

Date: Mar 6, 2023

Location: Rochester, NY, US

Company: Carestream Health

Carestream Health Inc.

Innovation that sparks imagination. Continue on to your next challenge with us.

Carestream is a worldwide provider of medical imaging systems and solutions; x-ray imaging systems for non-destructive testing; manufacturing of film and precision contract coating services for a wide range of industrial, medical, electronic and other applications—all backed by a global service and support network. Carestream’s diagnostic imaging technology systems are at work in 90 percent of hospitals worldwide.  

At Carestream, we offer a global perspective and a world of opportunities for people who have the desire to make a positive impact. Join our global team of 4,000+ professionals!

Position Summary:

The Product Security Analyst - Governance, Risk & Compliance is responsible for the following information security services:

  • Governance services
  • Risk Management services
  • Compliance services
  • Secure by Design services

The Product Security Analyst, Governance, Risk & Compliance has a global scope of responsibility covering all areas that impact Carestream, including product, customer and third-/fourth-party information security risk.

Position Responsibilities:

Governance Services

  • Create and maintain metrics in support of the product security GRC function; these metrics are reported to security governance.
  • Develop and maintain all information security policies and standards for product and vendor information security controls.
  • Develop and maintain product information security education, training and awareness materials for employees/contractors and customers.

Risk Management Services

  • Perform Carestream risk assessments (especially product-related) and oversee, prioritize and track the required risk mitigation actions.
  • Perform customer-required product security risk assessments and review, approve, prioritize and track customer contractual obligations.
  • Perform product supplier security risk assessments.
  • Maintain the product content of the information security risk register.
  • Maintain the shared product security requirements specification.
  • Manage and integrate the GRC tool.

Compliance Services

  • Maintain awareness of global cybersecurity and privacy medical device regulations.
  • Ensure compliance with all global information security laws and regulations applicable to Carestream’s products or data.
  • Prioritize, coordinate and track action plans to address compliance gaps, and incorporate them into the risk register and the corrective action plan.

Secure by Design Services

  • Support Secure by Design for Carestream products, including post-market management and patching.

Required Skills & Education:

  • Bachelor’s Degree in IT, Engineering, Computer Science, Management or commensurate experience
  • Minimum 6 months cybersecurity and/or software product development experience (Co-op/intern experience will be considered.)
  • Ability to collect and analyze facts from multiple sources and quickly develop and communicate hypotheses and recommendations to peers and senior leaders, to facilitate rapid decision making and reach consensus
  • Ability to determine and evaluate risks
  • Excellent written, oral and interpersonal skills with personnel at all levels
  • Excellent technical writing skills
  • A high degree of integrity, initiative and motivation

Preferred Additional Skills:

  • Knowledge of global cybersecurity and privacy standards, such as NIST and ISO publications
  • Knowledge of industry-specific regulations, such as those for healthcare and medical devices
  • Understanding of product and application security concerns, such as the OWASP application security risks
  • CISSP or similar certification

Knowledge of specific regulations and frameworks:

  • NIST Cybersecurity Framework, NIST SP 800-53 and NIST SP 800-171
  • ISO/IEC 27000 series
  • IEC 62443 (industrial automation and control system security) and IEC 62304 (medical device software life cycle)
  • Privacy regulations, such as GDPR and CCPA
  • U.S. Department of Defense Risk Management Framework (RMF) Authorization to Operate (ATO) process
  • FDA medical device regulations, such as the premarket and postmarket cybersecurity guidance
  • FDA submissions with cybersecurity requirements for medical device hardware and software
  • EU MDR (Medical Device Regulation)

Work Environment:

Carestream is an Equal Opportunity Employer

Carestream is an equal opportunity organization. We recruit, employ, train, compensate, and promote without regard to race, religion, creed, color, national origin, age, gender, sexual orientation, gender identity, marital status, disability, veteran status, or any other basis protected by applicable federal, state or local law.

Applying for a job with Carestream

All applicants must complete the online application process. Carestream is committed to working with and providing reasonable accommodations to individuals with disabilities. If you require assistance or an accommodation because of a disability to participate in the application process, please click accommodations.

Requisition ID: 2722 

Nearest Major Market: Rochester