Roche Information Solutions (RIS) is responsible for the development and provision of the NAVIFY Decision Support portfolio - a suite of cloud-based workflow tools and applications that empower personalised healthcare. NAVIFY solutions facilitate the aggregation of patient-specific detail with relevant, curated scientific and medical data from an ever-expanding knowledge base, allowing clinicians to make better decisions across the care continuum.
The Position:
The Privacy and Compliance Manager works out of Basel or Rotkreuz and supports customer enablement in the EMEA and APAC regions. Supports risk management, privacy and security activities in the European time zone: GDPR, customer data risk management, research and strategic initiatives, risk reporting, and tracking risk items to remediation.
Tasked with building meaningful reporting and KPIs around customer enablement, security and compliance support, and a service and self-service interface for customer support, with automation for tender fulfillment, security whitepapers, compliance attestations, etc. Responsibilities can include overseeing security compliance with local or country-specific regulations on data privacy and personal employee data. May conduct training.
Your Responsibilities
Risk Management Responsibilities
Develop and maintain an information risk assessment schedule for all information assets in the Roche Information Solutions organization.
Work with groups within and outside RIS to identify and categorize areas of information risk involving customer/confidential data, systems, and processes.
Assist in gathering risk-related data from internal and external resources.
Prepare information risk assessments based on the Information Risk Management Program guidelines.
Direct and coordinate efforts to formulate risk mitigation plans based on the findings in the assessments.
Track, measure, and report on the status of risk mitigation efforts based on the mitigation plans.
Produce and provide reports and presentations that outline findings, explain risk positions, and recommend changes.
Assist in the development of policies and procedures to integrate risk management practices into daily operations.
Recommend ways to effectively manage or reduce information risk.
Security Risk and Compliance Responsibilities
Perform general and application control reviews for RIS products and environments.
Knowledge of information security and data privacy best practices, and familiarity with security policies as applicable to cloud environments.
Experience with cloud security and compliance tools.
Perform information control reviews to include system development standards, operating procedures, system security, programming controls, communication controls, backup and disaster recovery, and system maintenance.
Perform internal control procedures and security reviews for systems under development and/or enhancements to current systems.
Draft and present audit finding memoranda with working papers, concise controls assessments, and systems testing reports (both narrative and table based).
Validate proper documentation for completed audit and assessment results.
Assess and revise client-documented information security and technology policies, procedures, and practices.
Maintain and modify assessment methodology in accordance with applicable standards.
Manage the vendor assessment response process, facilitate compliance, and acquire/maintain related certifications as dictated by business needs.
Maintain a current understanding of relevant technology, equipment, systems, and the cybersecurity threat landscape.
Develop and manage internal policies, procedures, and processes to ensure compliance.
Interact with customers/customer support teams in response to inquiries, concerns, and service requests.
Build positive working relationships with customers.
Serve as a liaison with vendors and other 3rd party providers.
Your Skills & Qualifications:
Bachelor’s degree in Information Systems, Computer Science, or a related field, or equivalent experience.
Certified Information Systems Auditor (CISA) and/or Certified in Risk and Information Systems Control (CRISC) strongly preferred. Other certifications add value, such as Certified in the Governance of Enterprise IT (CGEIT), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), CPA, and/or CIA.
Minimum 3 years of internal or external audit experience with Big 4 audit firms, with exposure to some of the following security compliance frameworks: HITRUST, AT 101 Type 2, SOC 1 and SOC 2 (SSAE 16), ISO 2700x, FedRAMP, ITIL, NIST, and regulations such as HIPAA, GDPR, and CCPA.
Technical skills related to controlling and securing system platforms (including Unix and Windows), database platforms, endpoint platforms, and network infrastructures are preferred.
Understanding of Cloud industry technologies and IaaS, PaaS, SaaS platforms preferred. The ability to quickly acquire and apply knowledge of changing technologies implemented is essential.
Good understanding of audit process/methodology and risk management/advisory ability.
Ability to adapt to a changing environment, meet deadlines and handle multiple projects.
Experience in using a risk-based audit approach in evaluations of and recommendations for management processes.
Ability to present audit findings and recommendations in a manner that will be understood and accepted by all responsible parties.
Possess the tenacity to pursue complex and sensitive issues to an acceptable conclusion.
Excellent communication, interpersonal, time management, and issue resolution skills.
Excellent analytical skills, organizational skills, ingenuity, and the ability to work as part of a team.
Healthcare experience preferred.
Nice to Have:
Ability to effectively promote ideas and collaboration at the various levels of the organization.
Demonstrated ability to learn quickly and take on new challenges.
Motivated, self-driven, and passionate about your work.
Innovative thinker.
Ability to solve complex problems.