Senior Cyber Security- Governance Risk, and Compliance Analyst
Collective Health
We all depend on healthcare throughout our lifetimes, for ourselves, and our families and friends, but it is notoriously difficult to navigate and understand. As an industry that comprises 20% of the US economy we think healthcare should work better for all of us. At Collective Health we believe it’s time for a new day in healthcare where as members we are informed and empowered to make the right care choices when the decisions are urgent and critical.
Driven by our mission to make it easier to understand, navigate, and pay for healthcare, Collective Health is evolving the way health benefits work. We are looking for an experienced, hands-on Cyber Security – Governance, Risk and Compliance (GRC) Analyst who is passionate about our mission and excited about developing and leading a broad range of functions at a mission-driven, highly-regulated technology company.
The GRC Analyst is charged with assisting the organization with the identification, assessment, measurement, monitoring, and management of risk. The ideal candidate will be up to the challenge of developing security policies and standards, risk frameworks, and processes in an innovative and flexible way to support fast-paced and empowered environments. This role will work closely with Engineering teams to implement the procedures and controls necessary to ensure and protect the safety and security of information systems, assets, and customer data. A well-qualified candidate will be comfortable working with executive and technical leadership to embed a risk and security focused mindset in all areas. This role covers the following activities: risk assessment and treatment, monitoring, management, and mitigation; policy, standards, and control design and implementation; risk management (including third party risk); facilitating audits; and training and awareness.
What you'll do:
- Assist in responding to security questionnaires, RFIs, and other requests from current and potential clients.
- Assist with the continuous monitoring of security GRC functions, developing executive reporting, and performing security third party risk management.
- Perform compliance readiness assessments and provide updates, recommendations and roadmap to management both within Security and our business partners.
- Coordinate with external auditors to facilitate SOC 2 and HITRUST audits.
- Develop an audit plan in partnership with internal leadership and lead external audit engagements according to plan, while monitoring the work of external auditors and working with relevant control owners to minimize disruption while successfully completing the efforts in a timely manner.
- Implement corrective action plans based on audit findings and recommendations.
- Advise, educate and train process and control owners with the preparation and ongoing maintenance of controls and control documentation (e.g., policies, procedures, narratives, and matrices) to better understand the security controls framework and their responsibilities.
- Advise, educate, and train risk owners with identification, assessment, mitigation, and monitoring of risks to better understand the risk management process and their responsibilities.
- Proactively identify gaps or conflicts in existing policies and processes and assist owners in determining a solution.
- Drive remediation and risk mitigation activities, including tracking and progress of action plans across compliance, policy, and process gap remediation activities and risk mitigation activities in partnership with internal business partners.
- Handle exception documentation for existing policies.
- Develop strong working relationships with support teams, management, and cross functional working groups.
- Assist in communicating program and project status, health and effectiveness, and risks to leadership within Security and to business partners/stakeholders.
To be successful in this role, you'll need:
- 4-6 years' experience in a cybersecurity, audit, risk, compliance, or GRC role required.
- Working knowledge of common security frameworks and regulations (e.g., NIST, CIS, SOC 2, HIPAA, HITRUST).
- Proven experience in evaluating and implementing controls, and with managing SOC 2 and/or HITRUST or equivalent audits in a cloud native organization.
- Strong understanding of policy and data management.
- Knowledge of risk management practices and risk based thinking to drive prioritization.
- Experience responding to, analyzing, and communicating security and information technology-related practices and controls.
- Understanding of audit processes.
- Ability to act as a strong liaison between internal and external stakeholders.
- Familiarity with GRC tools.
Nice to Haves:
- Big 4 accounting firm experience
- CISSP, CISA, CRISC, CISM, or other related certifications
- Bachelor’s degree in Information Technology, Computer Science, or a related field
Pay Transparency Statement
This is a hybrid position based out of our offices: San Francisco, CA, Plano, TX, or Lehi, UT, with the expectation of being in office at least two weekdays per week. #LI-hybrid
The actual pay rate offered within the range will depend on factors including geographic location, qualifications, experience, and internal equity. In addition to the salary, you will be eligible for stock options and benefits like health insurance, 401k, and paid time off. Learn more about our benefits at https://jobs.collectivehealth.com/#benefits.
About Collective Health
Collective Health is the leading health benefits platform that brings together medical, dental, vision, pharmacy, and program partners into an integrated solution that better enables employees and their families to understand, navigate, and pay for healthcare. By reducing the administrative lift of delivering health benefits, providing an intuitive member experience, and helping control costs and improve outcomes, the company guides employees toward healthier lives and companies toward healthier bottom lines.
Privacy Notice
For more information about why we need your data and how we use it, please see our privacy policy: https://collectivehealth.com/privacy-policy/.