Vendor Security Controls Engineer II

  • HCA
  • Nashville, TN, USA
  • Sep 19, 2018
Security | Security Analyst

Job Description

Job Code: 10207-24404


No Weekends


At its founding in 1968, Nashville-based HCA was one of the nation's first hospital companies. Today, one of the nation's leading providers of healthcare services, HCA is comprised of locally-managed facilities that include more than 250 hospitals and freestanding surgery centers in 20 states and the United Kingdom, employing approximately 230,000 people. Approximately four to five percent of all inpatient care delivered in the country today is provided by HCA facilities resulting in more than 26M patient encounters each year. HCA is committed to the care and improvement of human life and strives to deliver high quality, cost effective healthcare in the communities we serve. Building on the foundation provided by our Mission & Values, HCA puts patients first and works to constantly improve the care we provide by implementing measures that support our caregivers, help ensure patient safety and provide the highest possible quality.

Additional Facts:

• Ranked 63 in Fortune 500
• Competitive Fortune 100, industry matched salaries and yearly merit increase
• Computerworld Top 50 Best Places to Work in IT since 2009
• Named one of the "World's Most Ethical Companies" since 2010
• 106 HCA hospitals are on The Joint Commission's list of top performers on key quality measures.


The Security Controls Engineer is a technology and process focused security professional with an emphasis in information security controls, risk assessment, regulatory compliance, and security consultation. Applies information security concepts, knowledge, and skills to support a comprehensive information protection program. The Security Controls Engineer evaluates and monitors the current state of security controls across the organization related to people, process, and technology as well as with 3rd party vendors external to the organization.


• Performs the collection of the top and most pressing IT security risks (regulatory, security of critical enterprise applications and infrastructure, vendors, etc.); analyzes and monitors them, and derives strategic decisions that balance risk with the operational and economic costs of protective measures.
• Performs interviews with company senior management and business owners to confirm anticipated business effects resulting from the actual occurrence of any of the identified enterprise security risks.
• Leverages inventory of key vendors, applications, processes, and infrastructure items and their impact to the top and most pressing IT security risks. Additionally, maps applications, processes, and infrastructure items to appropriate security risks.
• Performs activities to identify key controls (policy, procedure, practice, or organizational structure) that, if implemented, would provide reasonable assurance that security objectives will be achieved and undesired events will be prevented, or detected and corrected.
• Performs activities to review, develop, and implement security controls plans, vendor security agreements, and security exceptions to control standards.
• Performs activities to conduct technical security reviews and assessments of vendors, applications, processes, and IT infrastructure.
• Performs activities related to the analysis of data collected during security reviews and assessment of vendors, applications, processes, and IT infrastructure in order to determine current state of security risk across the company.
• Performs activities to develop remediation plans to address issues discovered as result of security reviews and/or assessments of vendors, applications, processes, and IT infrastructure. Works with management to assign remediation responsibilities, actions, and priorities.
• Performs activities to monitor and track remediation activities that address weaknesses and issues discovered through security reviews or audits of vendors, applications, processes, and IT infrastructure.
• Performs activities to develop strategies to ensure compliance with security standards as well as regulatory and audit issues.
• Performs activities to provide periodic reporting including assessment findings and recommendations for improvement to applicable constituencies (e.g., executive management, facility leadership, and governance committee).
• Identifies security-related regulatory requirements (i.e., PCI-DSS, SOX, HIPAA), and interacts with internal and external assessors and auditors to ensure ongoing compliance.


3-5 years of experience is needed for a successful candidate.

A college degree is needed; however, in lieu of a degree, experience may be substituted.


Certifications (preferred, not required):
• CISSP Certified Information Systems Security Professional
• GSEC GIAC Security Essentials Certified
• CISA Certified Information Systems Auditor
• PCIP PCI Professional Training
• HCISPP Healthcare Information Security and Privacy Practitioner

Preferred areas of experience:
• Security Technologies / Methodologies
• IT Audit/Risk Management
• Information Security Metrics and Reporting
• Systems Control Review Process
• Application/Infrastructure Control Review Process

Working knowledge of the COSO and COBIT methodologies
Experience with ISO17799, HIPAA, Sarbanes-Oxley, PCI-DSS
Experience with IT risk, regulatory, or compliance responsibilities
Possession of excellent analytical and interpersonal skills
Possession of excellent oral and written communication skills

Last Edited: 09/18/2018