Job Closed

This listing is no longer active.

Accenture Federal Services

We believe in the power of change, harnessed in ways that matter for our country and communities.

SAP Application Security Analyst

Security Analyst | Full Time | Remote | Mid Level | Team 10,001+ | Since 2017 | H1B No Sponsor

Location

All locations: District Of Columbia | Washington

Posted

91 days ago

Salary

$70.5K - $136.7K / year

Seniority

Mid Level

Professional Certificate | 2 yrs exp | English

Job Description

  • Execute User Access Management (UAM): Perform the end-to-end design, build, and maintenance of S/4HANA security roles, with a specific focus on Fiori-specific authorizations, catalogs, and groups.
  • Configure GRC Security Components: Execute the technical setup and testing of SAP GRC Access Control (ARA, ARM, EAM) to facilitate automated and compliant user provisioning.
  • Perform SoD Risk Assessments: Execute protocols for identifying and remediating Segregation of Duties (SoD) and Critical Action risks across all functional workstreams (B2R, P2P, O2C, etc.).
  • Maintain User Provisioning & Role Design: Ensure all role development and testing activities adhere to established Security Management controls and federal audit requirements.
  • Support User Access Reviews (UAR): Execute the technical tasks for periodic certification processes to validate user entitlements and ensure continued business necessity.
  • Facilitate Audit & Compliance Requests: Support internal and external audit inquiries related to user access by pulling system evidence, running reports, and performing remediation of findings.
  • Monitor Security Posture: Perform regular monitoring and reporting on SoD violations and high-risk access, providing visibility into the overall health of the security environment.
  • Collaborate with Functional Squads: Work closely with Functional Analysts to ensure that security designs are integrated seamlessly without hindering business productivity or process flow.
  • Technical Documentation: Maintain rigorous documentation of security matrices, role definitions, and mitigating controls to ensure a transparent and defensible security posture.
  • Understanding of federal security standards (e.g., NIST, FISMA) and their application within an SAP landscape.

Job Requirements

  • 2+ years of experience in SAP Security Management including S/4HANA Security, SAP GRC (10.x/12.0), and Fiori catalog/group design.
  • Experience working with the SAP GRC Global Rule Set and implementing mitigating controls.
  • Foundational understanding of Fiori Front-End and Back-End authorization integration.
  • US Citizen (no dual citizenship)
  • Must be eligible to obtain a government Secret Clearance
  • Willingness to travel up to 25%.

Benefits

  • health insurance
  • retirement plans
  • paid time off
  • professional development
