Staff InfoSec Analyst, GRC - San Francisco, CA, United States - Two Chairs

    Description

    Two Chairs

    At Two Chairs, we make it easy to find the right therapist and get the care you need.


    We've brought together an exceptional team at the intersection of clinical care, technology, and design to revolutionize how people connect with and receive care. We're united by our collective personal experiences with the mental health care system and a desire to build a better one for everyone. With that, we're excited and honored to have been recognized as one of the 2023 Bay Area Best Places to Work.

    About the role

    The Staff InfoSec Analyst, GRC is critical to Two Chairs' goals of protecting our clients' data and securing our clinicians' workflows. In this position, you will work closely with compliance, IT, Product Development and other teams to promote industry security best practices, and to ensure that Two Chairs' security policies and procedures are maintained and comply with all internal and external regulations and requirements. Your clear communication will be crucial as you explain security trade-offs and create practical solutions to manage risks effectively for our clients, our clinicians and our organization overall.

    You bring a proactive, self-motivated attitude, combined with the curiosity and practicality needed to identify and minimize application and infrastructure security risks. Our team appreciates diverse work styles, recognizing both the impact of taking initiative and the insight of deliberate decision-making.

    You'll be responsible for driving risk assessment and mitigation efforts across Two Chairs, partnering with clinical leadership, compliance, and IT teams on policy creation, review, and updates, and developing procedures to ensure compliance with relevant regulations and industry standards. In addition, this role will be responsible for helping Two Chairs obtain and maintain compliance certifications and attestations such as SOC 2 Type II, ISO 27001, HIPAA, etc.

    Core Areas of Responsibility

    Governance, Risk and Compliance 70%

    • Analyze and develop information security governance, including organizational policies, procedures, standards, baselines and guidelines with respect to information security and use and operation of information systems.
    • Develop and implement security controls and a risk assessment framework that align with HIPAA
    • Evaluate risks and develop security standards, procedures, and controls to manage risks.
    • Drive internal audits to assess compliance and partner with key stakeholders such as security, legal and HR to identify areas for improvement.
    • Work cross-functionally to help Two Chairs obtain SOC 2 Type II, ISO 27001, HIPAA and other certifications and attestations that inspire confidence in our clients and clinicians.

    IT Security 10%

    • Perform email security and phishing audits
    • Perform IT risk assessments, identify vulnerabilities, and work closely with technical teams to ensure that risks are mitigated appropriately.

    Vendor Security Review 10%

    • Perform security assessments on third-party vendors and integrations.
    • Respond to security assessments, questionnaires and audits from payers/health plans

    Training/Education 10%

    • Develop and administer, or provide advice, evaluation, and oversight for, information security training and awareness programs.

    Impact and Success Indicators

    Where you'll make an impact in the first 90 days:

    • SOC 2 Type II assessment and readiness

    Where you'll make an impact in the first year:

    • First Penetration Test is successfully completed
    • Develop Two Chairs' security policies.

    You'll be successful if you have:

    • Proven experience working in a GRC role, preferably in the healthcare industry
    • Strong understanding of risk management methodologies and best practices.
    • Professional experience conducting security assessments.
    • Familiarity with privacy regulations such as CCPA and LGPD
    • Solid understanding of IAM principles and practices
    • In-depth knowledge of Google Workspace
    • In-depth knowledge of SSO, SAML, OAuth, and OpenID Connect
    • Knowledge of Spam filtering and phishing protection
    • Knowledge and understanding of email authentication protocols: DMARC, DKIM, and SPF
    • Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), or other relevant training and certifications are preferred.
    • Knowledge of security information and event management (SIEM), event correlation and analysis technologies.
    • Experience with GRC Platform tools like Vanta or Drata
    • Strong leadership abilities with the capacity to influence and drive change within the organization.
    • Experience with HIPAA

    We offer perks and benefits that support the health and well-being of our teams, including:

    • Equity in a high-growth start-up
    • PTO program, including a Winter Office Closing: Christmas Day (Observed) through New Year's Day
    • Comprehensive medical, dental, and vision coverage
    • One-time $200 Work from Home reimbursement
    • Annual $500 professional development stipend to support your professional development
    • Annual $500 subsidized company contribution to your healthcare FSA
    • Annual $500 wellness stipend to encourage and support a well-rounded and healthy lifestyle
    • Paid parental leave

    About Two Chairs

    At Two Chairs, we are building a world where everyone has access to exceptional mental health care. We do this by bringing people together at the intersection of clinical care, technology, and design. We are passionate about mental health and excited to be a part of a team that is bringing personalized, data-driven therapy to California, Washington, and eventually nationwide.

    Diversity, equity, and inclusion are the principles guiding how we build our business and teams. We encourage interested candidates from diverse backgrounds to apply even if they don't think they meet every expectation of the role.

    Please stay alert to protect yourself from sophisticated job scams during the recruiting process.
    Only emails that come from are legitimate recruiting messages. We conduct all interviews by phone or Google Video, and we will never ask you for money or to download software.


    All applicants must be authorized to work for ANY employer in the U.S. We are unable to sponsor or take over sponsorship of an employment Visa at this time.
