Working as part of the Information Security team at NeueHealth, the GRC (Governance, Risk and Compliance) Security Analyst will report directly to the AVP, Technology Infrastructure and Security and will be responsible for leading day to day IT compliance, data governance, and assisting with audit activities (internal and external). The role will include primary responsibility for defining, creating, and managing IT and organizational policies and standards in support of legal and regulatory compliance needs as well as general IT and organizational information security practices.

Preferred locations - MN, TX, FL, AZ
YOUR RESPONSIBILITIES

• Collaborate to define and support IT security standards and develop supporting organizational policies
• Perform security and compliance assessments on new and existing systems, processes, and technology
• Support vendor due-diligence process and help to lead and define overall third-party risk management efforts
• Work with various business units to ensure controls are adequate, appropriate, and effective
• Support internal and external audit process for relevant compliance concerns including SOC2, HITRUST, and HIPAA Security Rule requirements
• Assist with maintenance and management of the GRC Risk Register
• Perform periodic gap assessments to validate compliance on an ongoing basis with all areas of IT
• Stay up to date and informed on developing regulatory concerns and changing IT and information security trends
• Manage and lead efforts for the organizations SOC2 report and HITRUST certification

EDUCATION, TRAINING, AND PROFESSIONAL EXPERIENCE

• Bachelor's degree in Information Security or a related field or equivalent work experience is required
• At least 1 or 2 years in a GRC Security Analyst role is required
• Experience with third-party security and compliance reviews is highly preferred
• Experience in SOC2 and HITRUST preferred

LICENSURES AND CERTIFICATIONS

• ISACA, GIAC, OCEG, or (ISC)2 Certification preferred.

PROFESSIONAL COMPETENCIES

• Knowledge and experience in information security and privacy laws, access, release of information, and release control technologies
• Knowledge and experience in general electronic health information access, release of information, and release control technologies
• Ability to analyze the nature and classification of health data and the status of the person or entity requesting the electronic health data; determine which provisions in HIPAA or security policy apply to the data, determine if other state or federal laws, rules, or regulations are in conflict with the applicable provision of HIPAA or policy; determine if there are court decisions that address the issue; and recommend procedures or processes that reduce or eliminate the conflicts in law and assure compliance with applicable statutes and/or regulations
• Demonstrated organizational, facilitation, presentation, and project management skills with excellent written and verbal communication skills
• Ability to develop and/or modify policies and procedures within the confines of current law and management objectives

A reasonable estimate of the range is $61,000.00 - $91,000.00 annually. Actual compensation will vary based on the applicant’s education, experience, skills, and abilities, as well as internal equity. Additionally, employees are eligible for health benefits; life and disability benefits, a 401(k) savings plan with match; Paid Time Off, and paid holidays.