This job listing has expired and the position may no longer be open for hire.

Director IT Security Governance, Risk and Compliance at LogistiCare

Posted in Other 30+ days ago.

Type: Full Time
Location: Denver, Colorado
Job Description:

The Director, IT Governance, Risk, & Compliance will lead all aspects of the company's IT GRC program and the personnel supporting that program. This will include managing and controlling enterprise-wide IT risk, responding to and managing internal and external audits around HIPAA and Sarbanes-Oxley, including managing subsequent POAMs to conclusion, ensuring compliance with regulatory (HIPAA, SOX, & CCPA), industry (HITRUST, SOC 2, ISO, & NIST), and unique customer requirements, and developing and managing the strategic and tactical governance policies, procedures, documentation, communication, operations, training, support, reporting, and oversight needed to ensure the success of the IT GRC program. This role will work across the spectrum of the company's organization, and will collaborate daily with leadership and staff in the legal, compliance, audit, and IT organizations.

ESSENTIAL FUNCTIONS

* Audit
  * IT GRC System - Defines, configures, and controls all aspects of the IT GRC application
  * Internal Audit PBC - Responsible for all IT aspects of data collection for internal audit's PBCs, working with internal teams to produce accurate data, and assuring a full and comprehensive PBC
  * IT Control Testing & Control Health - Routinely tests IT controls on pre-defined intervals (including ad hoc, daily, weekly, monthly, quarterly, and yearly), ensures the health of all IT controls, and manages corrective action plans needed to address any control gaps, weaknesses, or failures
  * Customer Audits - Ensures all customer compliance commitments are met at all times, and leads all interactions with customer audits of our Program
  * Industry Audits - Manages all SOC 2, HITRUST, ISO 27000, etc. engagements & audits
* Compliance
  * Regulatory Compliance - Responsible for all IT aspects of HIPAA, SOX, & CCPA compliance
  * Customer Compliance - Tracks key customer compliance requirements & performs customer compliance activities, such as periodically updating specific customers on specific security and compliance program performance items per a given customer's request, to ensure always-on compliance with our customer requirements
  * Customer Engagements - Ensures all customer security & compliance questionnaires and other similar engagements are answered accurately, completely, consistently, quickly, and commensurate with the scope of provided services
  * Contracts - Working with legal & non-IT compliance teams, responsible for reviewing & tracking all security & compliance aspects of all contracts to ensure the contracts are realistic, efficient, and supportable
* Governance
  * Policy Development - Builds and maintains a Security Policy aligned with a globally-accepted best practice framework, such as NIST 800-53 or ISO 27000
  * Procedure Development - Working with all IT teams, develops and maintains procedures to provide full support for the Security Policy
  * Training - Ensures IT staff are adequately trained to understand the risks & controls for which they are responsible
  * Effectiveness Testing - Constantly tests the control environment to ensure it is operating effectively and efficiently
  * Reporting - Periodically reports on IT GRC program performance
  * OKRs & KPIs - Develops, monitors, regularly reports, and ensures adherence to OKRs & KPIs for IT GRC
* Risk Management
  * Vulnerability Management - With assistance from Security Engineering, owns and operates the vuln management system and all aspects of its scans, including tracking & communicating vulns, working with IT teams to ensure timely vuln mitigation, and providing high-level reports that accurately reflect vuln management program performance over time
  * Patching - With assistance from IT Infrastructure teams, responsible for the timely patching of all systems, tools, applications, and application components, such as APIs, etc.
  * Risk Management - Responsible for identifying, tracking, addressing, and reporting on all risk across the enterprise related to any aspect of the business relating to information; develops & manages all IT POAMs
  * External Assessments - Manages all external assessments, including phishing assessments, penetration tests, etc.
  * 3rd Party Assessment Program - Runs a comprehensive security & compliance assessment program on all 3rd parties utilized by the company to process or transit our data; this is an ongoing task that requires at least yearly reviews of all 3rd parties, and often requires reporting out to our customers
  * Security Awareness - Operates an ongoing security awareness program that covers all employees, but that is tailored to the risk profile of a given business unit or organization

POSITION QUALIFICATIONS

Competency Statement(s)

* Collaboration - Outstanding team player, sociable, and able to operate easily in cross-functional and cross-departmental roles
* Project Management Independence - Can fully manage a project independently
* Adaptability - Must be able to react to shifting priorities and multitask
* Analytical Skills - Strong ability to use thinking and reasoning to solve a problem
* Communication, Oral - Excellent ability to communicate effectively with others using the spoken word
* Communication, Written - Excellent ability to communicate in writing, clearly and concisely
* Customer Oriented - Excellent ability to address the customers' needs while following company procedures
* Decision Making - Ability to make critical decisions while following company procedures
* Interpersonal - Ability to get along well with a variety of personalities and individuals
* Leadership - Ability to influence others to perform their jobs effectively and to be responsible for making decisions
* Management Skills - Excellent ability to organize and direct oneself and effectively supervise others
* Problem Solving - Excellent ability to find a solution for or to deal proactively with work-related problems
* Relationship Building - Ability to effectively build relationships with customers and co-workers
* Working Under Pressure - Driven ability to complete assigned tasks under stressful situations
* Flexibility - Sets priorities and adapts to changes in a quick, professional manner
* Thoroughness - Research, evaluate, recommend, and document IT GRC solutions
* Pragmatic Strategy - Understands & embraces a balance between security risk probability and practical application of remediation, and is outcome-oriented above all else

Education / Experience

* Bachelor's Degree in Computer Science, Computer Engineering, or Information Security / Cyber Security, or equivalent combination of education, training, and experience
* ISC(2) CISSP certificate preferred
* ITIL & GIAC certificates a plus
* Minimum 5 years of experience in a full-time Information Security leadership role

Skills

* Team Leadership & Staff Development - Demonstrated performance leading diverse teams and mentoring & developing staff into more complex or senior roles over time
* Risk Management - Deep expertise in identifying, documenting, and managing qualitative risk. Expertise in quantitative risk, particularly in the FAIR model, is a significant plus.
* Audit Management - Strong understanding of normalized audit processes / methods, goals, motivations, and desired outcomes
* Compliance - Expertise in regulatory requirements and industry standards such as HIPAA, HITRUST, SOX, SOC, NIST CSF, NIST 800-53, ISO 27000, & CCPA.
* Governance - Can build and maintain easy to understand, easy to follow, and easy to audit policies, procedures, controls, narratives, and other common components of an enterprise IT GRC program.

WORK ENVIRONMENT

* The work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job.

Equal Opportunity Employer Minorities/Women/Protected Veterans/Disabled