
















Description
McKesson is in the business of better health and we touch the lives of patients in virtually every aspect of healthcare. We partner with payors, hospitals, physician offices, pharmacies, pharmaceutical companies and others across the spectrum of care to build healthier organizations that deliver better care to patients in every setting. We believe in the importance of strong, vital organizations because we know that patients can only be healthy when our system is healthy.
Every single McKesson employee contributes to our mission—by joining McKesson you act as a catalyst in a chain of events that helps millions of people all over the globe. Talented, compassionate people are the future of our company—and of healthcare. At McKesson, you’ll collaborate on the products and solutions that help us carry out our mission to improve lives and advance healthcare. Working here is your opportunity to shape an industry that’s vital to us all.
We understand the importance of a system that works together. Your expertise, drive and passion can help us improve everything we touch, from providers to payors to pharmacies. Join our team of leaders to begin a rewarding career. Wherever you contribute here at McKesson, you will have the ability to make a real impact in the lives of others.
Current Need:
McKesson is looking for a Third-Party Risk Management (TPRM) analyst to join our growing team within our Information Security and Risk Management (ISRM) organization. The TPRM analyst will support and execute IT assurance activities to mitigate risk related to third parties supporting McKesson’s business operations. In addition, the analyst will support other department program activities including but not limited to SOC 1 / 2 attestations, audit activities and application prioritization. This individual contributor is expected to possess strong analytical, process management, and communication skills.
Position Description:
McKesson is enhancing its TPRM program in the Information Security & Risk Management organization. The goal of the program is to regularly assess, monitor, and manage the risk associated with third parties who possess or access McKesson’s information systems and data. The TPRM Analyst will work under the direction of the TPRM Product Owner to execute the operational processes and tasks within McKesson’s TPRM program. Day-to-day activities include managing security risk assessments and obtaining necessary data from third parties to assess their security posture.
Due Diligence and Ongoing Monitoring:
- Perform new and recurring third party security risk assessments, develop mitigation plans, and work with internal stakeholders to assign remediation tracking responsibility
- Maintain and enhance the administration of issue monitoring and exception tracking and, where necessary, facilitate remediation actions to improve overall third-party performance to meet business needs.
- Implement processes to monitor the third-party portfolio using a risk based approach. Monitoring may take many forms, including but not limited to:
  - Review of third party provided audit reports and supporting collateral e.g. SOC 1/2 reports and other certifications, or review of third-party security whitepapers
  - Request and review of questionnaires completed by the third party describing their environment and controls
  - Periodic onsite risk assessments / audits
Stakeholder Collaboration:
- Collaborate with the McKesson Sourcing organizations and the other Risk Organizations such as Compliance and Privacy in the process of supporting the program
- Work in a self-directed, collaborative, and constructive manner with the business units and our internal stakeholders to enhance the effectiveness of TPRM processes and controls.
- Build effective relationships with stakeholders who own and support key third party relationships. Gain commitment from stakeholders to help manage and improve the risk posture of these third parties.
- Maintain and enhance the administration of issue monitoring and exception tracking and, where necessary, facilitate remediation actions to improve overall 3rd party performance to meet business needs.
- Manage the analysis of critical information security process, documentation and service delivery models; facilitate remediation of known issues resulting from gap analysis
- Monitor and maintain Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for appropriate escalation to stakeholders
Requirements
Minimum Requirements:
Typically has 7+ years of professional experience in IT Security and/or Governance, Risk, and Compliance administering and/or assessing security controls in an organization.
Critical Skills:
- Experience in risk assessment, audit, and/or IT security assessments
- Familiar with compliance regulations, IT, security frameworks and standards (e.g. NIST 800, ISO/IEC 27002, HIPAA, PCI, SOX, HITRUST)
- Strong analytical, interpersonal, written and oral communication skills
- Ability to communicate technical security risks to non-technical business stakeholders
- Proven ability to effectively prioritize and execute tasks with competing priorities
- Self-starter with a drive to continuously improve processes and remove inefficiencies
- Strong project and time management skills
- Process Improvement / Six Sigma experience
- Proficiency with Microsoft Office
Additional Skills:
- CISA, CRISC, CISM, CISP, or CTPRP certifications
- ISO 9000:2015 Quality Management Systems (QMS) experience preferred
- Understanding of IT General Controls (ITGC) and Good Documentation Practices (GDP)
- Strong ability to influence or negotiate with stakeholders dealing with competing priorities
Education:
- 4-year degree in computer science, information systems, or related field or equivalent experience
Job Information
- Job ID: 63482867
- Location:
  - Irving, Texas, United States
  - Alpharetta, Georgia, United States
  - Scottsdale, Arizona, United States
- Position Title: Senior InfoSec Analyst - Third Party Risk Management
- Company Name For Job: McKesson
- Job Function: Security Analyst
- Job Type: Full-Time
Please refer to the company's website or job descriptions to learn more about them.

