Senior Vendor Security Controls Engineer

  • HCA
  • Nashville, TN, USA
  • Jun 29, 2019
Security | Security Analyst

Job Description

SHIFT: No Weekends

SCHEDULE: Full-time

HCA Healthcare ITG


We are IT professionals and are certainly proud of our technical expertise. But what makes us unique as a technology company is that our solutions ultimately impact the care of patients. Although our skills are needed in a number of industries, we in ITG apply them specifically to the noble cause of healthcare.

That's why we say we are "Healthcare Inspired."

It's this guiding vision that pervades and positively influences every level of our organization. It shapes our culture, defines our strategy, and brings our leaders and employees together in a shared enthusiasm for their work, setting ITG apart as a uniquely purpose-driven company in the IT industry.

At HCA Healthcare, we are driven by a single goal: the care and improvement of human life.

We offer you an excellent total compensation package, including competitive salary, excellent benefit package and growth opportunities. We believe deeply in our team and your ability to do excellent work with us. Your benefits package allows you to select the options that best meet the needs of you and your family. Benefits include 401k, paid time off, medical, dental, flex spending, life, disability, tuition reimbursement, employee discount program, and employee stock purchase program.

We would love to talk to you about this fantastic opportunity!

We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.


The Security Controls Engineer is a technology and process focused security professional with an emphasis in information security controls, risk assessment, regulatory compliance, and security consultation. Applies information security concepts, knowledge, and skills to support a comprehensive information protection program. The Security Controls Engineer evaluates and monitors the current state of security controls across the organization related to people, process, and technology as well as with 3rd party vendors external to the organization.


• Collects the top and most pressing IT security risks (regulatory, security of critical enterprise applications and infrastructure, vendors, etc.), analyzes and monitors them, and derives strategic decisions that balance risk against the operational and economic costs of protective measures.
• Performs interviews with company senior management and business owners to confirm the anticipated business effects resulting from the actual occurrence of any of the identified enterprise security risks.
• Leverages the inventory of key vendors, applications, processes, and infrastructure items and their impact on the top and most pressing IT security risks. Additionally, maps applications, processes, and infrastructure items to the appropriate security risks.
• Performs activities to identify key controls (policy, procedure, practice, or organizational structure) that, if implemented, would provide reasonable assurance that security objectives will be achieved and that undesired events will be prevented, or detected and corrected.
• Performs activities to review, develop, and implement security controls plans, vendor security agreements, and security exceptions to control standards.
• Performs activities to conduct technical security reviews and assessments of vendors, applications, processes, and IT infrastructure.
• Performs activities related to the analysis of data collected during security reviews and assessments of vendors, applications, processes, and IT infrastructure in order to determine the current state of security risk across the company.
• Performs activities to develop remediation plans to address issues discovered as result of security reviews and/or assessments of vendors, applications, processes, and IT infrastructure. Works with management to assign remediation responsibilities, actions, and priorities.
• Performs activities to monitor and track remediation activities to address weaknesses and issues discovered through security reviews or audits of vendors, applications, processes, and IT infrastructure.
• Performs activities to develop strategies that ensure compliance with security standards and that address regulatory and audit findings.
• Performs activities to provide periodic reporting including assessment findings and recommendations for improvement to applicable constituencies (e.g., executive management, facility leadership, and governance committee).
• Identifies security-related regulatory requirements (e.g., PCI-DSS, SOX, HIPAA), and interacts with internal and external assessors and auditors to ensure ongoing compliance.


5+ years of relevant experience are required for a successful candidate.


College graduate preferred.


Certifications (preferred, not required):
• CISSP Certified Information Systems Security Professional
• GSEC GIAC Security Essentials Certified
• CISA Certified Information Systems Auditor
• PCIP Payment Card Industry Professional
• HCISPP Healthcare Information Security and Privacy Practitioner

Preferred areas of experience:
• Security Technologies / Methodologies
• IT Audit/Risk Management
• Information Security Metrics and Reporting
• Systems Control Review Process
• Application/Infrastructure Control Review Process

• Working knowledge of the COSO and COBIT frameworks
• Experience with ISO 17799 (now ISO/IEC 27002), HIPAA, Sarbanes-Oxley, and PCI-DSS
• Experience with IT risk, regulatory, or compliance responsibilities
• Excellent analytical and interpersonal skills
• Excellent oral and written communication skills