Information Security Risk Management Assessment
About the Position
Information security risk management is an integral component of Lilly’s information security strategy, program and operations. One critical aspect of risk management is information security risk and compliance assessments across business processes, 3rd parties, and IT systems enterprise-wide. The Assessor is responsible for driving information security’s efforts to proactively identify, assess, and communicate information security risks by critically analyzing the probable frequency and probable magnitude of future loss. The Assessor will work in close partnership with business representatives to scope assessments, gather documentation, interview clients, identify risks, document findings, and ensure transparent management of risks by following a structured risk assessment methodology. This position will be expected to complete high-quality assessments across a diverse set of technologies, business functions, and complexity. As a member of the team, this position will also be expected to support proactive process improvements, overcome barriers to success, and build professional relationships across the company.
- Identify and recommend appropriate measures to treat risks that reduce potential impacts on information resources to a level acceptable to the senior management of the company.
- Identify and report on new and emerging security risks and risk trends, including participating in risk remediation solution discussions and updates to compliance policy and standards.
- Fully understand business requirements and work with business areas to define appropriate solutions that satisfy security objectives while meeting business needs.
- Manage the review of changes in processes, standards and technology to ensure the effectiveness of security controls to meet compliance requirements.
- Integrate security risk reporting and management activities into day-to-day processes.
- Partner with all areas of the business, including internal auditors, legal, IT and business partners.
- Respond to and assist with audits, assessments and compliance requests.
- Serve as liaison as needed on matters pertaining to Risk Management.
- Other duties as assigned.
Support Management & Decision Making:
- Works closely with and influences decision makers in other departments to identify, recommend, develop, implement, and support a risk-informed decision and action framework.
- Initiates and implements continuous improvements in all areas of responsibility.
Business Partner Management
- Acts as a Change Catalyst for a risk-based approach to delivery of services and systems.
- Partners with others in their organization to set and manage expectations; continually seeks opportunities to be a thought partner and increase internal business partner satisfaction and deepen relationships.
- Adapts communication approach for audiences at multiple internal and external levels.
- Conduct assessments for various IT systems, 3rd parties, and business processes across Lilly which handle Red CI as well as other risks including data integrity and availability risks (e.g. risks that could enable unauthorized modification of critical clinical data or cyber-attacks on systems enabling connected care devices such as diabetes pumps).
- Contribute knowledge and learnings for the team on best practices for security controls, facilitation, partnering, and engagement to provide quality service. The focus and tone of the assessments will serve as an enabling partner to help make it easy to have the right security controls (whether automated or manual).
- Successfully establish and maintain relationships with key stakeholders across Lilly to help facilitate assessments across IT systems, process owners, and 3rd parties.
Cyber Security Hygiene
- Partner with Information Security service owners to understand security services and how they may help to reduce risks associated with business processes, underlying systems and/or 3rd parties that are being assessed.
- Promote services and guidance with business and application owners to help them understand the Security service value proposition for consumption in their area(s).
- Continuously provide service and process improvement feedback from assessments through service delivery to increase efficiency and value to Lilly business stakeholders.
General Project Management
- Continuously improve processes used for assessment, findings management, risk communication, and remediation.
- Work with other IS teams as an Assessment SME for various projects related to improvements with controls, tools, or risk services.
- Bachelor’s Degree
- 5+ years of IT experience, ideally at least 3 of which are in a security domain
- Qualified candidates must be legally authorized to be employed in the United States. Lilly does not anticipate providing sponsorship for employment visa status (e.g., H-1B or TN status) for this employment position.
Interested in applying to this career opportunity?
Please email Taylor Frank, [email protected], and include Information Security Risk Management Assessment in the subject line.
About Eli Lilly and Company
At Lilly, we unite caring with discovery to make life better for people around the world. We are a global healthcare leader headquartered in Indianapolis, Indiana. Our 39,000 employees around the world work to discover and bring life-changing medicines to those who need them, improve the understanding and management of disease, and give back to our communities through philanthropy and volunteerism. We give our best effort to our work, and we put people first. We’re looking for people who are determined to make life better for people around the world.
Lilly is an EEO/Affirmative Action Employer and does not discriminate on the basis of age, race, color, religion, gender, sexual orientation, gender identity, gender expression, national origin, protected veteran status, disability or any other legally protected status.