Senior Security Engineer - Compliance and Risk

K Health, New York, NY
$150,000 - $185,000, Hybrid

About The Position

We are seeking a detail-oriented, proactive Security Compliance Engineer to join our Security team. In this role, you will not just check boxes; you will own the governance and compliance lifecycle for critical security programs and, in many cases, be actively involved in implementation and remediation. You will ensure that our vulnerability management, privacy, data retention, and business continuity efforts meet the rigorous standards of SOC 2, HIPAA, and HITRUST, protecting our sensitive healthcare data and maintaining trust with our partners.

Requirements

  • Experience: 3-5+ years of experience in Information Security, Governance, Risk, Vulnerability Management, Compliance (GRC), or IT Audit.
  • Program Management: Proven experience managing specific compliance verticals like vulnerability management or business continuity.
  • Communication: Ability to translate compliance requirements into actionable technical tasks for engineering teams.
  • Organization: Exceptional documentation skills—you understand that "if it isn't written down, it didn't happen."
  • Influence: Ability to drive consensus and compliance across teams without direct management authority.

Responsibilities

Vulnerability Management Governance

  • Oversee the compliance aspect of the vulnerability management program, ensuring scans and remediation efforts adhere to SLAs.
  • Track and report on remediation timelines to ensure evidence is audit-ready.
  • Collaborate with engineering and IT teams to validate that exceptions are documented, risk-accepted, and reviewed periodically.
  • Manage and handle "tracking technologies" to comply with partner requirements.

Privacy & Data Governance

  • Manage adherence to internal privacy policies and external regulations (HIPAA, state laws, CCPA).
  • Manage adherence to partner-specific health system requirements.
  • Monitor data retention schedules to ensure data is stored, archived, and purged in accordance with policy and legal requirements.
  • Conduct periodic privacy impact assessments (PIAs) for new products or features.

Disaster Recovery (DR) & Business Continuity (BCP)

  • Coordinate annual or bi-annual DR/BCP table-top exercises and technical tests.
  • Maintain and update DR/BCP documentation, ensuring contact lists and recovery procedures are current.
  • Review post-mortem reports from tests to ensure continuous improvement and compliance with availability trust principles.

Audit & Framework Management (SOC 2 & HITRUST)

  • Serve as a primary point of contact for external auditors during SOC 2 and HITRUST assessments.
  • Collect, organize, and review evidence on the controls for the programs above.
  • Identify compliance gaps and drive remediation projects before external audits begin.

AI/ML in Healthcare

  • Track emerging federal and state AI regulations as they apply to AI/ML in healthcare.

Benefits

  • Hybrid work schedule with weekly lunches and stocked fridges
  • Monthly social committees for company events
  • 18 vacation days, 9 company holidays, 5 sick days, and 2 personal days
  • Stock options for every full-time employee
  • Paid parental leave
  • 401k benefit
  • Commuter Benefits
  • Competitive health, dental, and vision insurance options


What This Job Offers

  • Job Type: Full-time
  • Career Level: Mid Level
  • Education Level: No Education Listed
  • Number of Employees: 101-250 employees
