InfoSec Analyst 2 (Contract Support Analyst)


The InfoSec Contract Analyst ensures that Change Healthcare's customer and vendor agreements protect its employees, customers, etc.

The Information Security Contract Analyst ensures that Change Healthcare’s customer and vendor agreements protect Change Healthcare, employees, customers, and the security of sensitive data under our care. This person interacts primarily with internal team members (e.g., attorneys, legal specialists, procurement staff, information security staff, information technology (IT) staff, account management, sales staff, product subject matter experts, senior management) and with external parties (e.g., customers and vendors).
Principal Responsibilities
  • Reviewing the security requirements within customer and vendor contracts, and negotiating terms within approved limits.
  • Maintaining playbooks to be utilized by all internal parties (e.g., legal, procurement) involved with the security requirements of customer and vendor contracts
  • Project managing and driving the resolution of unresolved terms
  • Assessing and presenting risks associated with contract terms to the appropriate stakeholders.
  • Collaborating and providing guidance on how risks should be addressed.
  • Facilitating and executing, as needed, the development and maintenance of policies, standards, procedures, and security-related templates based upon changing business, regulatory, and customer requirements and technologies
  • Maintaining and presenting appropriate metrics that would support decisions around resources, roadmaps, finance, and strategy
  • Maintaining, supporting, and escalating, as needed, the tracking data of one-off or unique customer/vendor commitments
  • Driving and supporting the continuous maturity of our policies, standards, procedures, and tools for relevant areas of the company
Primary Duties/Responsibility 1:  Reviewing and Negotiating Contract Terms
Primary Duties/Responsibility 2:  Maintaining Policies, Procedures and Tools
Primary Duties/Responsibility 3:  Administration
Assessing and editing InfoSec-related contracts to ensure they align with our standard policies and procedures is a critical component of this role, reducing the risk of breach of contract and ensuring CHC is not overcommitting to customers or taking on too much risk with vendors. There is more art than science in executing this, even though we do have some high-level guidelines in a documented run book for the role to follow.
Identifying ways to empower our Legal team to edit InfoSec agreements without InfoSec SME consultation is an ongoing priority for this role. In addition, finding a win-win during editing/negotiations with customers or vendors drives a constant need to be innovative.
Identifying, escalating and articulating risks and how they should be mitigated or remediated to senior leadership is a critical component of this role. It requires good judgment and sound decision making to properly manage risk for our company.
  • Customer mindset: Proven ability to engender client trust and build relationships through partnering with clients for innovation and providing high quality products and services.
  • Strategic thinking: capable of providing clear, balanced advice/counsel on a broad range of strategic and complex management, product and go-to-market issues.
  • Driving results: results-oriented style with a high degree of analytical ability and proven problem-solving skills.
  • Collaborating and influencing: effectively builds strong relationships and partnerships within and outside of the company. Able to effectively navigate within a matrixed corporate structure.
  • Ability to communicate effectively at all levels of the organization with an open, honest and direct communication style that establishes an empathetic and effective relationship.
  • Strong track record of leading, managing and improving people and processes
  • Detail-oriented work habits and strong typing and computer skills, including fluency with word processing, spreadsheet, database, SharePoint and PowerPoint programs
  • Knowledge of and/or experience with United States healthcare security laws and regulations, especially the Health Information Portability and Accountability Act of 1996 (HIPAA) or with well-known security control frameworks, e.g. the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF), the Payment Card Industry (PCI) Data Security Standard (DSS), National Institute of Standards and Technology (NIST) Cybersecurity-related publications and frameworks, International Standards Organization (ISO) 27001/27002.

Bachelor's degree, Paralegal or Juris Doctor (JD) a plus
  • 2-5 years corporate legal experience in a law firm or in-house legal department (IT Services, Application, Hosting, or healthcare company preferred)
  • 2-5 years experience in IT Risk Management, e.g. IT Auditor or Assessor.
  • Experience reviewing and negotiating contracts
  • Technology-related degree or certifications, or at least five years technology experience preferred
  • Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), or Certified Information Security Manager (CISM) Certification preferred