Posted 3d ago

IT Compliance & Risk Lead

@ Nuvia Dental Implant Center
Saint George, Utah, United States
$120k/yr · Onsite · Full Time
Responsibilities: own compliance, manage audits, oversee risk
Requirements Summary: Lead HIPAA/PCI-DSS compliance, risk management, SOC oversight; IAM and vendor risk; 4–7 years IT compliance; Bachelor’s degree.
Technical Tools Mentioned: GRC Platforms (Vanta, Drata, AuditBoard), Audit Evidence Management, Risk Register Tools, Policy Authoring, IAM Governance & Access Reviews, Vendor Risk Management, SIEM, EDR, Cloud Compliance (AWS / Azure), Vulnerability Management
Job Description

Pay- $120,000 PER YEAR

Key Responsibilities
The following areas define day-to-day ownership and decision rights for this role.

  • Compliance Program Ownership - Own HIPAA and PCI-DSS compliance end-to-end. Run audit cycles, manage evidence collection, and maintain control narratives. Track applicable state privacy and breach notification laws (e.g., CCPA/CPRA, NY SHIELD) and manage SOC 2 obligations as the business expands.
  • Policy & Governance - Develop, maintain, and enforce IT policies, standards, and procedures aligned to NIST CSF, HIPAA Security Rule, and PCI-DSS. Translate framework requirements into practical, operational controls.
  • Risk Management - Maintain the enterprise risk register. Conduct regular risk assessments, prioritize threats, track remediation, and report risk posture to leadership on a defined cadence.
  • SOC Partner Oversight - Manage the relationship with Nuvia’s managed SOC partner. Review and route alerts, validate that remediations close the loop, and ensure SOC reporting feeds the compliance program and audit evidence.
  • Vulnerability & Patch Oversight - Track vulnerabilities surfaced by the SOC and internal scans. Drive remediation to closure within regulatory SLAs (e.g., the PCI-DSS 30-day window for high-risk findings). Coordinate annual penetration testing.
  • Incident Response Coordination - Partner with the SOC on containment and investigation. Lead post-incident review, document findings, coordinate breach notification obligations under HIPAA and applicable state laws, and maintain a current IR plan.
  • Access & Identity Governance - Define IAM policy and least-privilege standards. Conduct quarterly access reviews. Ensure provisioning and deprovisioning are timely, documented, and audit-ready.
  • Vendor & Third-Party Risk - Maintain the vendor risk inventory. Run security and privacy assessments on new vendors handling sensitive data. Ensure contracts include appropriate security, privacy, and BAA terms.
  • Security Awareness & Training - Run annual security awareness training, monthly phishing simulations, and role-based training for high-risk teams. Track completion and report metrics to leadership.

First-Year Priorities
This is a foundational hire. Your first twelve months will focus on standing up the program, not optimizing one that already exists. Expected priorities:

  • Stand up and operationalize the enterprise risk register, anchored by a baseline HIPAA Security Risk Analysis.
  • Build the vendor risk inventory, validate BAA coverage across all PHI-handling vendors, and set a refresh cadence.
  • Establish quarterly user access reviews across critical clinical, financial, and administrative systems.
  • Codify the incident response plan and run at least one tabletop exercise with the SOC partner.
  • Stand up annual security awareness training and a monthly phishing simulation program.

Performance Metrics
Success in this role is measured by Nuvia’s ability to meet its regulatory obligations, manage risk, and operate a compliance program that holds up under audit.

  • Audit Outcomes - Target: no material findings - Scope: external audits (HIPAA, PCI-DSS, SOC 2)
  • Risk Register Closure - Target: 90%+ - Scope: risks remediated within agreed SLA
  • Vulnerability Remediation - Target: 30-day SLA - Scope: high-risk findings (PCI-DSS-aligned)
  • Training Completion - Target: 95%+ - Scope: annual security awareness

Qualitative Outcomes Expected

  • External audits (HIPAA, PCI-DSS, SOC 2) close with no material findings.
  • A current, accurate, board-readable risk register that drives prioritization across IT and the business.
  • The SOC partnership produces actionable findings, and findings consistently drive remediation to closure.
  • A complete vendor risk inventory, refreshed annually, with up-to-date BAAs and security terms.
  • Improved employee security hygiene, reflected in declining phishing simulation click rates.
  • Compliance and risk requirements considered up-front in new projects and technology decisions, not retrofitted.

Qualifications

  • Education & Experience
    • Bachelor's degree in Cybersecurity, Information Systems, Risk Management, IT, or equivalent experience.
    • 4–7 years of experience in IT compliance, GRC, audit, or risk management roles.
    • Hands-on experience leading or coordinating an external audit (HIPAA, PCI-DSS, SOC 2).
    • Experience managing or partnering with a managed SOC, MSSP, or MDR provider.
    • Experience working with Legal, HR, Finance, and executive stakeholders on security and risk topics.
  • Technical Skills - Skills are tiered. Primary skills are required; preferred skills are familiarity-level, enough to oversee the SOC partner and translate their work into compliance evidence.
    • Primary/Required: 
      • GRC Platforms (Vanta, Drata, AuditBoard), Audit Evidence Management, Risk Register Tools, Policy Authoring, IAM Governance & Access Reviews, Vendor Risk Management
    • Preferred/Familiarity:
      • SIEM / Log Review (for SOC oversight), EDR / Endpoint Tooling Familiarity, Cloud Compliance (AWS / Azure), Vulnerability Management Workflows, Penetration Testing Coordination, Data Privacy Tooling
  • Compliance Frameworks & Standards - HIPAA and PCI-DSS are load-bearing for Nuvia’s clinical and payment operations. NIST CSF guides the program. Other frameworks below are nice-to-have based on candidate background or future business needs.
    • Primary/Required:
      • HIPAA
      • PCI-DSS
      • NIST CSF
    • Preferred/Familiarity:
      • SOC 2 Type II
      • State Privacy & Breach Laws
      • CIS Controls
      • ISO 27001
      • GDPR (as applicable)
  • Soft Skills & Behaviors
    • Preferred/Familiarity:
      • Risk-based thinker
      • Clear communicator
      • Translates risk to business
      • Detail-oriented
      • Calm under pressure
      • Cross-functional collaborator
      • Vendor management
      • Audit-ready mindset
      • Proactive mindset
  • Preferred Certifications
    • Primary/Required:
      • CISA (Information Systems Auditor)
      • CRISC (Risk & Information Systems)
      • CompTIA Security+
    • Preferred/Familiarity:
      • CHC (Certified in Healthcare Compliance)
      • CIPP / US (Privacy)
      • ISO 27001 Lead Auditor
      • CISSP (preferred for senior candidates)
      • CISM (preferred for senior candidates)