IT Compliance & Risk Lead
Job in Saint George, Washington County, Utah, 84790, USA
Listed on 2026-06-02
Listing for: Nuvia Dental Implant Center
Full Time position
Job specializations:
- IT/Tech: Cybersecurity, Information Security, Data Security, IT Support
Job Description
Key Responsibilities
The following areas define day-to-day ownership and decision rights for this role.
- Compliance Program Ownership - Own HIPAA and PCI-DSS compliance end-to-end. Run audit cycles, manage evidence collection, and maintain control narratives. Track applicable state privacy and breach notification laws (e.g., CCPA/CPRA, NY SHIELD) and manage SOC 2 obligations as the business expands.
- Policy & Governance - Develop, maintain, and enforce IT policies, standards, and procedures aligned to NIST CSF, HIPAA Security Rule, and PCI-DSS. Translate framework requirements into practical, operational controls.
- Risk Management - Maintain the enterprise risk register. Conduct regular risk assessments, prioritize threats, track remediation, and report risk posture to leadership on a defined cadence.
- SOC Partner Oversight - Manage the relationship with Nuvia's managed SOC partner. Review and route alerts, validate that remediations close the loop, and ensure SOC reporting feeds the compliance program and audit evidence.
- Vulnerability & Patch Oversight - Track vulnerabilities surfaced by the SOC and internal scans. Drive remediation to closure within regulatory SLAs (e.g., the PCI-DSS 30-day window for high-risk findings). Coordinate annual penetration testing.
- Incident Response Coordination - Partner with the SOC on containment and investigation. Lead post-incident review, document findings, coordinate breach notification obligations under HIPAA and applicable state laws, and maintain a current IR plan.
- Access & Identity Governance - Define IAM policy and least-privilege standards. Conduct quarterly access reviews. Ensure provisioning and deprovisioning are timely, documented, and audit-ready.
- Vendor & Third-Party Risk - Maintain the vendor risk inventory. Run security and privacy assessments on new vendors handling sensitive data. Ensure contracts include appropriate security, privacy, and BAA terms.
- Security Awareness & Training - Run annual security awareness training, monthly phishing simulations, and role-based training for high-risk teams. Track completion and report metrics to leadership.
This is a foundational hire. Your first twelve months will focus on standing up the program, not optimizing one that already exists. Expected priorities:
- Stand up and operationalize the enterprise risk register, anchored by a baseline HIPAA Security Risk Analysis.
- Build the vendor risk inventory, validate BAA coverage across all PHI-handling vendors, and set a refresh cadence.
- Establish quarterly user access reviews across critical clinical, financial, and administrative systems.
- Codify the incident response plan and run at least one tabletop exercise with the SOC partner.
- Stand up annual security awareness training and a monthly phishing simulation program.
Success in this role is measured by Nuvia's ability to meet its regulatory obligations, manage risk, and operate a compliance program that holds up under audit.
Key metrics:
- Audit Outcomes: No Material Findings (external audits: HIPAA, PCI-DSS, SOC 2)
- Risk Register Closure: 90%+ (risks remediated within agreed SLA)
- Vuln Remediation: 30-Day SLA (high-risk findings, PCI-DSS-aligned)
- Training Completion: 95%+ (annual security awareness)
What success looks like:
- External audits (HIPAA, PCI-DSS, SOC 2) close with no material findings.
- A current, accurate, board-readable risk register that drives prioritization across IT and the business.
- The SOC partnership produces actionable findings, and findings consistently drive remediation to closure.
- A complete vendor risk inventory, refreshed annually, with up-to-date BAAs and security terms.
- Improved employee security hygiene, reflected in declining phishing simulation click rates.
- Compliance and risk requirements considered up-front in new projects and technology decisions, not retrofitted.
Education & Experience
- Bachelor's degree in Cybersecurity, Information Systems, Risk Management, IT, or equivalent experience.
- 4-7 years of experience in IT compliance, GRC, audit, or risk management roles.
- Hands-on experience leading or coordinating an external audit (HIPAA, PCI-DSS, SOC 2).
- Experience managing or partnering with a managed SOC, MSSP, or MDR provider.
- Experience working with Legal, HR, Finance, and executive stakeholders on security and risk topics.
Technical Skills
Skills are tiered. Primary skills are required; preferred skills are familiarity-level, enough to oversee the SOC partner and translate their work into compliance evidence.
- Primary/Required: GRC Platforms (Vanta, Drata, AuditBoard), Audit Evidence Management, Risk Register Tools, Policy Authoring, IAM Governance & Access Reviews, Vendor Risk Management
- Preferred/Familiarity: SIEM / Log Review (for SOC oversight), EDR / Endpoint Tooling Familiarity, Cloud Compliance (AWS / Azure), Vulnerability Management Workflows, Penetration Testing Coordination, Data Privacy Tooling
Compliance Frameworks & Standards - HIPAA and PCI-DSS…