IS Security Analyst II

Position Description:

We're looking for those individuals-the creative thinkers and innovation seekers-who are content with nothing short of changing the world. Discover the endless opportunities within the Medical College of Wisconsin (MCW) and be inspired by the work we can do together to improve health, and make a positive, daily impact in our communities. In the role of an IS Security Analyst II you will be working in our Finance and Administration Department.

Position Summary

The Cybersecurity Analyst II is a mid-level practitioner who safeguards MCW systems and data while enabling research. The role specializes in compliance, risk management, incident response, and program coordination. It translates complex requirements (HIPAA Security Rule, CMMC, NIST SP 800-171, NIST SP 800-53, and NIH/dbGaP controlled-access genomic data expectations) into practical, auditable controls across enterprise and research environments. In partnership with the Office of Compliance and Risk and the Office of Research, the analyst co-designs pre-award guidance and post-award monitoring to ensure investigators understand and meet obligations related to ePHI, CUI, and controlled-access data throughout the award's life. This role does not own engineering, code development, or system/tool administration; it coordinates with those teams to drive outcomes.

Primary Responsibilities

A. Research Compliance & Governance (35%)

• Serve as security liaison to the Office of Research, Sponsored Programs, and IRB on security language for grant submissions (e.g., DMS Plans), DUAs/DTAs, and award terms.
• Operationalize NIH/dbGaP (GDS) and, when applicable, NIST SP 800-171 expectations for research environments handling controlled-access data and/or CUI.
• Maintain award-level compliance registers (including control requirements, owners, due dates, and POA&Ms) and define monitoring cadences through award close-out.
• Draft and maintain SOPs, control narratives, and evidence-collection playbooks to support audits and attestations (HIPAA, 800-171/CMMC).

B. Security Operations & Incident Response Participation (25%)

• Participate in the Incident Response process for notable events (e.g., suspected/confirmed breaches, lost or stolen devices): coordinate evidence capture, document actions, support privacy/compliance notifications, and contribute to lessons learned.
• Coordinate vulnerability management activities with engineering/platform teams (risk-based prioritization, exception tracking, remediation SLAs, and reporting).
• Coordinate with platform teams to ensure cloud guardrails (e.g., Azure Policy, AWS SCPs) are enforced; review CSPM reports (e.g., Defender for Cloud, AWS Security Hub, Prisma, Wiz) and track high-risk findings to closure.
• For cloud-related incidents, ensure forensic readiness (retention of logs, access records, snapshots) and contribute to post-incident lessons learned.

C. Risk Management & Assessments (20%)

• Conduct system and vendor risk assessments mapped to HIPAA safeguards and NIST SP 800-53; document risks, compensating controls, and residual risk.
• Support CMMC readiness (where applicable to DoD-funded work) by aligning processes and artifacts to NIST SP 800-171 requirements.
• Lead recurring reviews of cloud security policies and control configurations (IAM, key management, encryption, logging/monitoring, network segmentation, backup/DR, workload isolation) mapped to HIPAA, NIST 800-53/171, CIS Benchmarks, and CSA CCM; produce written findings and remediation plans with accountable owners.
• Validate shared-responsibility alignment in third-party/SaaS platforms (BAA/DPA terms, data residency/retention, access controls) and complete vendor risk assessments with evidence collection.

D. Security Awareness & Phishing Program (10%)

• Co-deliver the annual cybersecurity training; tailor micro-trainings for research audiences handling ePHI/CUI/controlled-access data.
• Plan and execute periodic internal phishing campaigns, tracking metrics (reporting rate, click rate, credential submissions), driving targeted follow-ups, and publishing summary results.

E. Penetration Testing Support (10%)

• Coordinate the annual penetration test by defining the scope with stakeholders, managing vendor logistics and access approvals, tracking findings to remediation/retest, and curating evidence for audit readiness.
• Provide clear readouts to leadership and technology owners; ensure that findings are fed into risk registers and POA&Ms.
• Include cloud attack paths and misconfiguration scenarios in the annual penetration test scope; confirm that findings are mapped to controls and retested after remediation.

Knowledge - Skills - Abilities

• Alert triage
• Incident documentation
• Risk Assessment
• Strong collaboration with Information Technology Services colleagues
• Effective partnership with colleagues from Compliance and Risk Management, the Office of Research, the Office of General Counsel, and other applicable departments.
• Is respectful, honest, and demonstrates integrity and ethics.
• Listens effectively, shares ideas and information openly, and facilitates relationship building by establishing trust.
• Strong analytical thinker.
• Possesses initiative, good judgment, and the ability to problem solve.
• Possesses strong business acumen with proven experience in thinking strategically and implementing tactically.
• Handles demanding workloads to meet objectives.
• Is customer-focused, service-oriented, and has effectively affected change.
• Makes tough decisions when needed.
• Can make decisions under conditions of high uncertainty/ambiguity.
• Stays current with cutting-edge developments in technology and the industry.
• Ability to maintain confidences.
• Ability to perform effectively in a stressful environment.
• Demonstrated leadership ability.
• Ability to work and communicate successfully with all levels of internal and external contacts.
• Ability to communicate orally and in writing clearly and logically.
• Ability to foster and maintain solid working relationships.
• Ability to effectively plan and organize projects impacting the work of others.

Preferred Schedule:



Monday - Friday 8:00-5:00

Position Requirements:

Qualifications

Minimum Required Education: Bachelor's in Information Security, IT, or related field-or equivalent experience.
Minimum Required Experience: 5 years in security operations, risk/compliance, or assessment roles within healthcare, higher ed, or research-intensive settings. Experience reviewing (not engineering) cloud environments against frameworks (HIPAA, NIST 800-53/171) and control catalogs (CIS Benchmarks, CSA CCM).
Framework Fluency: HIPAA Security Rule; NIST SP 800-53 r5; NIST SP 800-171; awareness of CMMC v2; familiarity with NIH/dbGaP controlled-access requirements for genomic data.
Certifications (preferred; or in progress): HIPAA Security Rule; NIST SP 800-53 r5; NIST SP 800-171; awareness of CMMC v2; familiarity with NIH/dbGaP controlled-access requirements for genomic data.
Preferred Qualifications: Experience supporting ePHI and/or CUI in academic medicine or research computing; exposure to research enclaves or secured workspaces. Working knowledge of NIST CSF 2.0 mappings to HIPAA/800-53 and experience contributing to DMS Plans or security appendices for grants.

Why MCW?

• Outstanding Healthcare Coverage, including but not limited to Health, Vision, and Dental. Along with Flexible Spending options
• 403B Retirement Package
• Competitive Vacation and Paid Holidays offered
• Tuition Reimbursement
• Paid Parental Leave
• Pet Insurance
• On campus Fitness Facility, offering onsite classes.
• Additional discounted rates on items such as: Select cell phone plans, local fitness facilities, Milwaukee recreation and entertainment etc.

For a full list of positions see: www.mcw.edu/careers

For a brief overview of our benefits see: https://www.mcw.edu/departments/human-resources/benefits

At MCW all of our endeavors, from our internal operations to our interactions with our partners, are driven by our shared organizational values: Caring - Collaborative - Curiosity - Inclusive - Integrity - Respect. We are committed to fostering an inclusive environment that values diversity in backgrounds, experiences, and perspectives through merit-based processes and in alignment with all applicable laws. We believe that embracing human differences is critical to realize our vision of a healthier world, and we recognize that a healthy and thriving community starts from within. Our values define who we are, what we stand for and how we conduct ourselves at MCW. If you believe in embracing individuality and working together according to these principles to improve health for all, then MCW is the place for you.

MCW as an Equal Opportunity Employer and Commitment to Non-Discrimination


The Medical College of Wisconsin (MCW) is an Equal Opportunity Employer. We are committed to fostering an inclusive community of outstanding faculty, staff, and students, as well as ensuring equal educational opportunity, employment, and access to services, programs, and activities, without regard to an individual's race, color, national origin, religion, age, disability, sex, gender identity/expression, sexual orientation, marital status, pregnancy, predisposing genetic characteristic, or military status. Employees, students, applicants, or other members of the MCW community (including but not limited to vendors, visitors, and guests) may not be subjected to harassment that is prohibited by law or treated adversely or retaliated against based upon a protected characteristic.

.