
IT Compliance & Risk Lead

Job

Nuvia Dental Implant Center

Saint George, UT (In Person)

$120,000 Salary, Full-Time

Posted 2 weeks ago (Updated 2 weeks ago) • Actively hiring

Expires 6/2/2026


Job Description

Pay
  • $120,000 per year

Key Responsibilities

The following areas define day-to-day ownership and decision rights for this role.

Compliance Program Ownership
  • Own HIPAA and PCI-DSS compliance end-to-end. Run audit cycles, manage evidence collection, and maintain control narratives. Track applicable state privacy and breach notification laws (e.g., CCPA/CPRA, NY SHIELD) and manage SOC 2 obligations as the business expands.

Policy & Governance
  • Develop, maintain, and enforce IT policies, standards, and procedures aligned to NIST CSF, HIPAA Security Rule, and PCI-DSS. Translate framework requirements into practical, operational controls.

Risk Management
  • Maintain the enterprise risk register. Conduct regular risk assessments, prioritize threats, track remediation, and report risk posture to leadership on a defined cadence.

SOC Partner Oversight
  • Manage the relationship with Nuvia's managed SOC partner. Review and route alerts, validate that remediations close the loop, and ensure SOC reporting feeds the compliance program and audit evidence.

Vulnerability & Patch Oversight
  • Track vulnerabilities surfaced by the SOC and internal scans. Drive remediation to closure within regulatory SLAs (e.g., the PCI-DSS 30-day window for high-risk findings). Coordinate annual penetration testing.

Incident Response Coordination
  • Partner with the SOC on containment and investigation. Lead post-incident review, document findings, coordinate breach notification obligations under HIPAA and applicable state laws, and maintain a current IR plan.

Access & Identity Governance
  • Define IAM policy and least-privilege standards. Conduct quarterly access reviews. Ensure provisioning and deprovisioning are timely, documented, and audit-ready.

Vendor & Third-Party Risk
  • Maintain the vendor risk inventory. Run security and privacy assessments on new vendors handling sensitive data. Ensure contracts include appropriate security, privacy, and BAA terms.

Security Awareness & Training
  • Run annual security awareness training, monthly phishing simulations, and role-based training for high-risk teams. Track completion and report metrics to leadership.

First-Year Priorities

This is a foundational hire. Your first twelve months will focus on standing up the program, not optimizing one that already exists.

Expected priorities:
  • Stand up and operationalize the enterprise risk register, anchored by a baseline HIPAA Security Risk Analysis.
  • Build the vendor risk inventory, validate BAA coverage across all PHI-handling vendors, and set a refresh cadence.
  • Establish quarterly user access reviews across critical clinical, financial, and administrative systems.
  • Codify the incident response plan and run at least one tabletop exercise with the SOC partner.
  • Stand up annual security awareness training and a monthly phishing simulation program.

Performance Metrics

Success in this role is measured by Nuvia's ability to meet its regulatory obligations, manage risk, and operate a compliance program that holds up under audit.

  • Audit Outcomes: no material findings in external audits (HIPAA, PCI-DSS, SOC 2)
  • Risk Register Closure: 90%+ of risks remediated within agreed SLA
  • Vuln Remediation: 30-day SLA for high-risk findings (PCI-DSS-aligned)
  • Training Completion: 95%+ for annual security awareness

Qualitative Outcomes Expected
  • External audits (HIPAA, PCI-DSS, SOC 2) close with no material findings.
  • A current, accurate, board-readable risk register that drives prioritization across IT and the business.
  • The SOC partnership produces actionable findings, and findings consistently drive remediation to closure.
  • A complete vendor risk inventory, refreshed annually, with up-to-date BAAs and security terms.
  • Improved employee security hygiene, reflected in declining phishing simulation click rates.
  • Compliance and risk requirements considered up-front in new projects and technology decisions, not retrofitted.

Qualifications

Education & Experience
  • Bachelor's degree in Cybersecurity, Information Systems, Risk Management, IT, or equivalent experience.
  • 4-7 years of experience in IT compliance, GRC, audit, or risk management roles.
  • Hands-on experience leading or coordinating an external audit (HIPAA, PCI-DSS, SOC 2).
  • Experience managing or partnering with a managed SOC, MSSP, or MDR provider.
  • Experience working with Legal, HR, Finance, and executive stakeholders on security and risk topics.

Technical Skills

Skills are tiered. Primary skills are required; preferred skills are familiarity-level: enough to oversee the SOC partner and translate their work into compliance evidence.

Primary/Required:
  • GRC Platforms (Vanta, Drata, AuditBoard)
  • Audit Evidence Management
  • Risk Register Tools
  • Policy Authoring
  • IAM Governance & Access Reviews
  • Vendor Risk Management

Preferred/Familiarity:
  • SIEM / Log Review (for SOC oversight)
  • EDR / Endpoint Tooling Familiarity
  • Cloud Compliance (AWS / Azure)
  • Vulnerability Management Workflows
  • Penetration Testing Coordination
  • Data Privacy Tooling

Compliance Frameworks & Standards

HIPAA and PCI-DSS are load-bearing for Nuvia's clinical and payment operations. NIST CSF guides the program. Other frameworks below are nice-to-have based on candidate background or future business needs.

Primary/Required:
  • HIPAA
  • PCI-DSS
  • NIST CSF

Preferred/Familiarity:
  • SOC 2 Type II
  • State Privacy & Breach Laws
  • CIS Controls
  • ISO 27001
  • GDPR (as applicable)

Soft Skills & Behaviors

Preferred/Familiarity:
  • Risk-based thinker
  • Clear communicator
  • Translates risk to business
  • Detail-oriented
  • Calm under pressure
  • Cross-functional collaborator
  • Vendor management
  • Audit-ready mindset
  • Proactive mindset

Preferred Certifications

Primary/Required:
  • CISA (Information Systems Auditor)
  • CRISC (Risk & Information Systems)
  • CompTIA Security+

Preferred/Familiarity:
  • CHC (Certified in Healthcare Compliance)
  • CIPP / US (Privacy)
  • ISO 27001 Lead Auditor
  • CISSP (preferred for senior candidates)
  • CISM (preferred for senior candidates)
Equal Opportunity Employer

This employer is required to notify all applicants of their rights pursuant to federal employment laws. For further information, please review the Know Your Rights notice from the Department of Labor.
