Information Security Governance, Risk, Compliance (GRC) Supervisor

ARUP Laboratories, Salt Lake City, UT
Onsite

About The Position

The Information Security Governance, Risk, and Compliance (GRC) Supervisor at ARUP provides leadership and direction for the Information Security GRC program, ensuring alignment with ARUP security policies, healthcare regulatory requirements, and the NIST Risk Management Framework. This role serves as a critical bridge between information security, technology teams, and business owners—translating regulatory and technical security requirements into practical, actionable guidance. The Information Security GRC Supervisor is responsible for educating, training, and transitioning ARUP Business Owners and System Owners to operate in compliance with NIST security standards and ARUP security policies. This role leads risk assessments, compliance activities, audits, and governance processes while delivering clear visibility into ARUP’s information security risk posture through metrics and executive reporting.

In addition to technical and regulatory oversight, the Information Security GRC Supervisor leads and mentors a team of compliance professionals, drives continuous improvement of governance processes, and partners across the organization to embed risk management and security accountability into daily operations—supporting ARUP’s mission to protect clinical, laboratory, and enterprise systems.

About ARUP

ARUP Laboratories is a national clinical and anatomic pathology reference laboratory and an enterprise of the University of Utah and its Department of Pathology. Based in Salt Lake City, Utah, ARUP proudly hires top talent to create a work environment of diversity, professional growth, and continuous development. Our workforce is committed to the important service we provide to over one million patients each month. We always strive for excellence and have a strong desire to be involved with advances in medicine and the role laboratory services play in each patient’s life. We never forget that there is a patient behind every specimen we receive.

We are looking for individuals who want to contribute to ARUP's culture of accountability, integrity, service, and excellence. Consider joining our dynamic team.

Requirements

  • Information Security Governance, Risk, and Compliance (GRC) program leadership
  • Alignment with ARUP security policies, healthcare regulatory requirements, and the NIST Risk Management Framework
  • Educating, training, and transitioning ARUP Business Owners and System Owners to operate in compliance with NIST security standards and ARUP security policies
  • Leading risk assessments, compliance activities, audits, and governance processes
  • Delivering clear visibility into ARUP’s risk posture through metrics and executive reporting
  • Leading and mentoring a team of compliance professionals
  • Driving continuous improvement of governance processes
  • Partnering across the organization to embed risk management and security accountability
  • Protecting clinical, laboratory, and enterprise systems
  • NIST SP 800-53 control alignment
  • Enterprise risk governance frameworks
  • HIPAA, CAP, SOC 2, GDPR, ISO standards compliance
  • Collaboration with IT, Infrastructure, Applications, and Operations teams
  • Integration of risk management and compliance into Configuration Management, Change Management, and CAB processes
  • Maintenance of System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), Security Assessment Reports (SARs), Risk Assessment Reports (RARs)
  • Identification of security control gaps and recommendation of risk-based improvements
  • Oversight of corrective action implementation and tracking
  • Support for system authorization and accreditation activities
  • Development and maintenance of compliance dashboards, risk metrics, and executive-level reporting
  • Building and sustaining strong working relationships with System Owners, Authorizing Officials, System Administrators, and business leaders
  • Leading a Vulnerability Management Team
  • Working under moderate supervision
  • Exercising independent judgment in governance, risk, and compliance decision-making
  • Mentoring junior team members
  • Supporting 24-hour operational requirements as needed

Nice To Haves

  • Experience in a national clinical and anatomic pathology reference laboratory setting
  • Experience within the University of Utah and its Department of Pathology

Responsibilities

  • Leads the development, implementation, and continual improvement of ARUP’s Information Security Governance, Risk Management, and Compliance (GRC) program, ensuring alignment with ARUP security policies, institutional objectives, and the NIST Risk Management Framework (RMF).
  • Serves as a primary educator and change agent for the organization, responsible for teaching, training, and transitioning ARUP Business Owners, System Owners, and technical teams to operate in compliance with NIST security frameworks and ARUP security policies.
  • Designs and delivers structured training, workshops, and guidance to help business and system owners understand their security responsibilities, risk ownership, control implementation requirements, and ongoing compliance obligations under NIST SP 800-53.
  • Conducts and oversees system-level risk assessments, translating technical and regulatory requirements into clear, actionable guidance for business stakeholders.
  • Leads the development, review, and maintenance of security policies, standards, and procedures, ensuring alignment with ARUP policy, HIPAA, CAP, SOC 2, GDPR, ISO standards, and NIST RMF requirements.
  • Leads internal audits, compliance reviews, and external audit preparation, including coordination with auditors and facilitation of evidence collection, remediation planning, and executive reporting.
  • Delivers compliance and governance services to business and system owners, supporting full lifecycle alignment with NIST SP 800-53 controls, enterprise risk governance frameworks, and ARUP security policy requirements.
  • Collaborates with cross-functional teams (IT, Infrastructure, Applications, and Operations) to integrate risk management and compliance practices into organizational processes, including Configuration Management, Change Management, and Change Approval Board (CAB).
  • Maintains System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), Security Assessment Reports (SARs), Risk Assessment Reports (RARs), and other required cybersecurity documentation.
  • Identifies gaps in security controls, recommends risk-based improvements, and oversees the implementation and tracking of corrective actions to closure.
  • Supports system authorization and accreditation activities, ensuring operational environments meet defined security requirements and governance expectations.
  • Develops and maintains compliance dashboards, risk metrics, and executive-level reporting to communicate risk posture, compliance status, and trends to leadership concerning information security.
  • Builds and sustains strong working relationships with System Owners, Authorizing Officials, System Administrators, and business leaders to promote shared accountability for information security risk management.
  • Leads and mentors a team of information security GRC analysts and cybersecurity professionals, providing clear direction, coaching, and performance oversight.
  • Leads a Vulnerability Management Team responsible for ARUP’s Vulnerability Management Program.
  • Works under moderate supervision, exercising independent judgment in governance, risk, and compliance decision-making, and may mentor junior team members.
  • Supports 24-hour operational requirements as needed, including time-sensitive risk assessments, audits, or incident-related governance activities.

Benefits

  • Diversity
  • Professional growth
  • Continuous development
© 2026 Teal Labs, Inc