Director, Governance, Risk & Compliance

Job Description:

• Establish IT audit procedures relevant to HITRUST/HIPAA, ISO 27001, SOC 2, and other data protection or privacy-related regulations
• Provide governance and security oversight around the company's adoption and use of AI, LLMs, and other generative-AI capabilities
• Evaluate and test the design and operating effectiveness of technical and administrative security controls
• Maintain and manage the Third-Party Risk Management program and integration with Vendor and Customer related Security obligations, requirements, and contractual agreements
• Work closely with the CISO to develop and implement strategies for governance and compliance related to corporate-wide security initiatives
• Design and implement data protection policies, process and procedures to align with HIPAA and Information Security policies, especially for cloud-hosted data environments and customer data handling throughout the development lifecycle
• Implement and manage an Identity Governance Program to ensure appropriate authorization to key resources, including the development of a Role Based Access Control and Role Review process.
• Develop training programs and FAQs related to data protection, privacy and secure data handling procedures
• Provide oversight and guidance for periodic security assessments to ensure compliance with information security policies and established security controls
• Develop metrics and compliance dashboards to measure progress for security initiatives and communicate team accomplishments and the effectiveness of audited security controls and processes
• Maintain and mature the Risk Register, Policy Exception Tracking, and Security Dashboard processes, standards, and components
• Ensure applications, networks, systems, cloud services, people, and process are assessed, monitored and audited in accordance with security controls related to SOC 2, ISO 27001, HITRUST/HIPAA and the corporate Information Security Policy
• Work closely with cross-functional teams to ensure security controls have been designed effectively and are working as intended
• Identify control deficiencies and weaknesses and recommending remediation plans for improvements
• Create, manage and hold staff accountable for corrective action plans (CAPs)
• Implement a process for continuous improvement of IT controls
• Work with internal and external resources to conduct and manage an assessment program for compliance requirements, including auditing and monitor privileged access to critical information systems; authentication and authorization processes; change control processes and IT operations processes
• Work closely with the Engineering teams to automate monitoring and auditing to reduce manual effort required for compliance activities
• Develop communication plans for executive-level reporting
• Lead the team in the development and evolution of security roadmaps, embodiment of strategic plans, understanding controls and process gaps, providing architectural vision, and enabling the larger information security team.
• Hire, grow and retain team members to expand the team and its capabilities within the organization.
• Perform assessments of security tools, vendors, and solutions to support information security roadmap initiatives
• Act as an advocate for mentoring and technical career growth in the information security organization
• Act as a liaison with other internal NextGen teams or driving new capabilities, product investments, and research to fill coverage gaps.
• Provide assistance and guidance to Sales and Support teams across various customer engagements.
• Regularly provide key performance and risk indicator metrics for management visibility into the status, health, and maturity of the Information Security Program at NextGen.

Education Required:

• Bachelor's degree in Computer Science, Programming, Engineering, or similar field.
• Or, any combination of education and experience which would provide the required qualifications for the position.

• 4+ years of experience in Information Security with an emphasis on IT audit, IT risk management and/or IT compliance.
• Prior experience with managing a GRC team.
• Extensive background in information security services and operations and the people, process, and technology components.
• Significant experience in fulfilling business needs through the development of solutions through well-organized processes.
• Experience in client-facing discussions with new and existing customers to discuss security controls and implementations.
• Significant Service Management and or vendor management experience.

• Appropriate certifications a plus.

• Knowledge of:Knowledge of technical security control environments and compliance frameworks including CSA CCM, ISO 270001 and SOC 2, HITRUST/HIPAA and GDPR.
• Skill in: Excellent analytical, technical and internal audit skills. Excellent organizational and documentation skills. Strong project management skills highly desired.
• Ability to: Proven ability to manage priorities & deadlines and to work independently in a highly dynamic and diverse environment with multiple concurrent projects happening simultaneously.

NextGen Healthcare is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees.