Apply Now Clicking "Apply Now" opens the link in a new window.

How to Apply

A cover letter is required for consideration for this position and should be attached as the first page of your resume. The cover letter should address your specific interest in the position and outline skills and experience that directly relate to this position.

Job Summary

The University of Michigan's Information Assurance team at Michigan Medicine (IA:MM) is seeking a candidate to fulfill the role of Vulnerability Analyst. This role will support in developing and enhancing our organization’s information security risk management, planning, and developing strategies. This role will also help with the logistics for information security risk remediation throughout the Academic Medical Center and across the three missions of research, education and patient care. The Vulnerability Analyst will need to be adaptable to help drive strategic and operational direction by ensuring the development and support of complex assessment systems, reporting and processes.

 The Vulnerability Analyst must be adaptable, highly motivated, results-oriented, creative, and data driven professional.


  • Prepare security assessments for new and existing information systems, applications, and information technology services of Michigan Medicine Service Providers for compliance with U-M and Michigan Medicine policy and procedure, as well as relevant legal and regulatory requirements.
  • Use tools and methodology to assess the information security risks associated with sensitive and mission critical systems based on the NIST 800-53 security control framework.
  • Assist with developing mitigation strategies to bring risk levels into an acceptable range and assist and support the Michigan Medicine Service Providers with those remediation activities.
  • Identify information security risk areas where further awareness and training is needed.
  • Compare, evaluate, and recommend improvements in policies, procedures, and technical safeguards to address significant risks to the security of Michigan Medicine information systems and data.
  • Assess the impact of reported vulnerabilities and assist with the implementation of mitigation strategies based on severity.
  • Identify sensitive data and provide input for proper storage and protection.
  • Make recommendations and participate in the development of information assurance policies and procedures.
  • Participate in the development of education and awareness efforts and the timely dissemination of security information to staff and end users.
  • Assist with the process improvements, problem management, and risk management functions within the Michigan Medicine information assurance team.
  • Build good relationships with teams, and stakeholders at all levels (e.g. management, colleagues, and employees) using strong competencies to build trust, change perceptions, effectively communicate, influence, and adapt
  • Collaborate with teams, stakeholders and business partners to understand and implement improvement opportunities.
  • Inspire and influence teams including staff and Health Information Technology & Services business partners to deliver risk management solutions and offerings effectively to the Academic Medical Center’s community.
  • Continually improve security service solutions and offerings by keeping up-to-date on security conferences, seminars, reading, research, and testing.
  • Guiding the development of information security standards, guidelines, and policy.
  • Develop sound relationship with internal and external customers by providing accurate and effective support.

Required Qualifications*

Intermediate Requirements:

  • Bachelor degree in computer science or a related field and/or equivalent combination of education, certification and experience.
  • Minimum of 4 years demonstrated experience in information systems security.
  • Demonstrated experience in conducting audits or risk assessments, or using audit/assessment tools and methodologies.
  • Demonstrated knowledge of National Institute of Standards and Technology (NIST) with specific emphasis on the NIST Special Publications (SP) 800 and 1800 series.
  • Experience in IT auditing and/or information security consulting.
  • Exposure to, experience with, responsibility for, and deep understanding of at least two of these security related technologies or practices.
  • Demonstrated understanding of/and exposure to, experience with, responsibility for, and deep understanding of at least two of these security related technologies and practices including but not limited to; authentication and authorization systems, digital forensics, encryption, endpoint protection, education and awareness, firewalls, IDS/IPS, incident response, malware disassembly, mobile device security, NAC, secure code review, secure remote access, secure wireless networking, penetration testing, PKI, policy development, risk management, SIEM, threat modeling, two-factor authentication, vulnerability management, web application security, web application firewalls.
  • Demonstrated knowledge of TCP/IP stack.
  • Demonstrated understanding of attack methodologies and vectors.
  • Ability to work independently and proactively.
  • Excellent organizational, analytical, and independent problem solving skills.
  • Ability to communicate effectively, both verbally and in writing. Demonstrated success giving presentations.
  • Demonstrated success coordinating and completing multiple tasks within established and changing deadlines.

Associate Requirements: 

  • Associate degree in Computer Science, Computer Engineering, or Information Assurance or an equivalent combination of education and experience.
  • 2 years information technology experience.
  • Understanding of fundamental Operating System and TCP/IP Networking concepts.
  • Understanding of fundamental information security concepts including: Authentication, Authorization, Audit, Encryption, Firewalls.
  • Demonstrated understanding of/and exposure of fundamental security related practices such as: Risk Management, Incident Response, Vulnerability Management, Penetration Testing, IDS/IPS, System and Application Hardening, Identity and Access Management, Security Information and Event Management (SIEM), Firewall management, IDS/IPS
  • Outstanding verbal and written communication skills
  • Demonstrated success completing tasks within established deadlines

Desired Qualifications*

  • Minimum of 5 years experience in information systems security.
  • Experience in a healthcare environment.
  • Experience with vulnerability scanning and penetration testing tools and technology
  • Hold security certification such as CISSP, CISA, GIAC-GSEC.

Underfill Statement

This position may be underfilled at a lower classification depending on the qualifications of the selected candidate.

Background Screening

Michigan Medicine conducts background screening and pre-employment drug testing on job candidates upon acceptance of a contingent job offer and may use a third party administrator to conduct background screenings.  Background screenings are performed in compliance with the Fair Credit Report Act.

Mission Statement

The mission of UM Information Assurance is to direct university-wide IT security, IT policy, compliance, privacy, and enterprise continuity efforts and provide operation security services that enable the university to excel in its research, teaching, and patient care mission.

This role, as part of the academic medical center’s assurance program, is both part of UM Information Assurance and the Michigan Medicine Chief Information Officer’s program. The goal is to represent and balance the needs of the health system and medical school in the framework and processes of the greater UM Information Assurance effort.

Essential to the success of this position will be the ability to successfully navigate and work collaboratively with the IT organizations, assurance partners, technical security staff, and Michigan Medicine management and external organizations’ roles and priorities. We work in a highly collaborative environment with an extraordinary scope of responsibilities and priorities. A successful candidate will be required to operate with minimal supervision, deliver effective and predictable results, and solve problems creatively, yet practically. A candidate should be comfortable and confident in meeting deadlines and executing timely performance of operations and project work within shared systems of work. This organization changes to suit the needs of the institution. Candidates should understand the dynamic nature of information services within an academic health center, information technology operations, and medical education.

Application Deadline

Job openings are posted for a minimum of seven calendar days.  This job may be removed from posting boards and filled anytime after the minimum posting period has ended.

U-M EEO/AA Statement

The University of Michigan is an equal opportunity/affirmative action employer.