Information Security & Compliance Manager
About Carrot:
Carrot Fertility is the leading global fertility benefits provider for employers built to make fertility care and family-forming affordable and accessible for everyone who wants or needs it. Companies use Carrot to customize a fertility benefit that provides employees financial, medical, and emotional support as they pursue parenthood, reducing healthcare costs and resulting in better clinical outcomes.
The Role:
The Information Security & Compliance Manager will play a key role in assessing and enhancing the organization's regulatory compliance and cyber security posture. You will be responsible for assisting with coordinating and managing compliance assessments and their activities, developing remediation strategies, and assessing mitigating controls. You will also assist with responding to cyber security questionnaires and customer requests regarding pen testing and related topics. You will also be instrumental in helping select and implement technology to uplift and support the organization from a security perspective.
- Support annual certification/audit objectives for areas such as SOC2, HIPAA, HITRUST, PCI, ISO27001 or other standards. Work with external auditors to support these efforts.
- Perform multi-platform (cloud, application, database, and business processes) level audits based on predefined test objectives. Perform retest of controls that have been remediated or updated as a result of previously identified deficiencies. Obtain, review, and interpret evidence provided to validate controls are performed effectively.
- Obtain, review, and interpret organizational IT policies, standards, and procedures to identify control points that would assist in mitigating risk to the business.
- Conduct audits with internal and external auditors and make recommendations as needed to improve compliance and the security culture.
- Review test results or interpret evidence to address vulnerabilities, gaps, or control deficiencies; work with stakeholders to establish plans for sustainable resolution.
- Identify risks associated with control failures and support the identification of mitigating controls.
- Be fully accountable for the management, maintenance and configuration of endpoint security protection, intrusion prevention/detection systems, vulnerability management systems, data loss prevention, and others.
- Perform other tasks as necessary to ensure that the compliance function meets its commitments to stakeholders.
- Support the Director of Information Security & Privacy.
Preferred Qualifications:
- Advanced knowledge of cyber/information security management policies and procedures, HIPAA/HITECH, PCI regulations and governance processes, information systems and network security
- Advanced knowledge of risk management techniques, technological trends and developments in cyber/information security, systems/software development, engineering, integration, testing and evaluation and operating systems.
- Knowledge of and experience with obtaining and maintaining PCI DSS, SOC2, HIPAA, and HITRUST certifications.
- Advanced working knowledge of applicable and accepted security standards and framework (ISO, NIST, CSF, etc.).
- Advanced knowledge and understanding of healthcare regulatory and compliance requirements such as HIPAA, HITECH, PCI, ISO, GDPR, CCPA, etc.
- Advanced knowledge and skills to develop and implement sustainable cybersecurity solutions (tools, processes, controls, etc.) that reduce risk across the company's entire landscape, including GRC tools such as OneTrust and vulnerability testing tools such as Tinfoil.
- Experience implementing and managing Identity and Access Management systems (IAM)
- Working knowledge of Office 365, Slack, and G Suite.
Education:
Bachelor's Degree in Computer Science, Healthcare Information Technology, or relevant field or equivalent knowledge and skills obtained through a combination of education, training and experience required.
Experience / Training:
- Minimum of five (5) years of experience in IT, information security, cyber risk management, compliance or a related field required; of which at least 3 years' experience in information security is required.
- Healthcare experience preferred.
Certification:
One or more relevant information security-related certifications preferred. Examples include: CISSP, CISA, HCISPP, CCSP, CRISC, CISM, GCIH, GCFA, GNFA, GPEN, GSEC, QSA and CEH.
Why Carrot?
Carrot was founded in 2016, and CB Insights recognized it as one of the world's most promising private digital health companies. In 2020, Carrot was named to Fast Company's World Changing Ideas awards program, which recognizes companies that are tackling society's biggest problems, and Carrot was named to Fierce Healthcare's Fierce 15 List of 2021, which recognizes the most promising healthcare companies in the industry. Carrot supports 250 companies in more than 60 countries across North America, Asia, Europe, South America, and the Middle East.