Sr. Cyber Risk Assurance Analyst

Position Summary

McKesson is hiring for a Sr. Cyber Risk Assurance Analyst who will be responsible for collaborating across legal, compliance, and technical teams to ensure alignment with regulatory frameworks such as HIPAA, NIST 800-53, FIPS-140, and CMS ARS.

This role requires a strong technical background and deep expertise in compliance, privacy, and risk management.

The ideal candidate will translate complex government regulatory guidance (e.g., NIST CVE, CMS ARS) into actionable business and technical requirements, driving toward secure and compliant designs that are compliant with relevant reference architecture frameworks.

Key Responsibilities

- Conduct cybersecurity risk assessments for internal systems and third-party applications within the regulated environment.

- Drive vulnerability management plan based on strict risk-based classifications across multiple platforms, engaging all asset owners.

- Contribute to the formulation of cybersecurity strategies by advising risk reduction priorities related to vulnerability trends.

- Ensure compliance with all applicable regulatory frameworks and requirements

- Translate technical frameworks and regulatory guidance (e.g., NIST CVE, Zero Trust, FIPS-140) into actionable requirements for technical and business teams.

- Collaborate with legal, compliance, and engineering business partners to integrate requirements into contracts and system designs.

- Support continuous audit readiness, evidence collection, and remediation planning

- Develop and maintain policies and procedures to support regulatory compliance and risk management.

- Partner with multiple business units to ensure success in third-party audits

- Provide risk insights and recommendations to leadership to improve organizational risk posture.

- Foster a culture of accountability and awareness across the business unit.

Minimum Requirements:

- Degree or equivalent and typically requires 7+ years of relevant experience

Critical Skills

- Strong technical background with the ability to interpret and apply complex regulatory frameworks.

- Knowledge of IP network infrastructure, security defense in depth architecture (e.g., firewalls, intrusion detection/prevention, end-point protection), identify and access management, data encryption

- Experience with HIPAA, NIST 800-53, FISMA, FEDRAMP, and FIPS-140

- Strong knowledge of risk frameworks, standards, and authoritative risk categorization sources (e.g., NIST, ISO, FedRAMP, KVE, CVSS, CVE)

- Proficiency with enterprise compliance platforms such as OneTrust, RSA Archer, or ServiceNow GRC.

- Excellent analytical, documentation, and communication skills

Additional Skillsand Certifications

- Certifications such as CISM, CRISC, or CISSP.

- Experience conducting vendor risk assessments and contract reviews.