Director, IT Governance, Risk and Compliance

Remote, USA Full-time
Are you passionate about making a difference in people's lives? Do you enjoy working in a service-oriented industry? If so, this opportunity may be the right fit for you!

This position is responsible for leading all aspects of the company's IT GRC program and the personnel supporting that program. This will include managing and controlling enterprise-wide IT risk; responding to and managing internal and external audits around HIPAA and Sarbanes-Oxley, including managing subsequent POAMs to conclusion; ensuring compliance with regulatory (HIPAA, SOX, & CCPA), industry (HITRUST, SOC 2, ISO, & NIST), and unique customer requirements; and developing and managing the strategic and tactical governance policies, procedures, documentation, communication, operations, training, support, reporting, and oversight needed to ensure the success of the IT GRC program. This role will work across the spectrum of the company's organization, and will collaborate daily with leadership and staff in the legal, compliance, audit, and IT organizations.

This role...

• Defines, configures, and controls all aspects of the IT GRC application.
• Responsible for all IT aspects of data collection for internal audit's PBCs, working with internal teams to produce accurate data and assuring a full and comprehensive PBC.
• Routinely tests IT controls at pre-defined intervals (including ad hoc, daily, weekly, monthly, quarterly, and yearly), ensures the health of all IT controls, and manages corrective action plans needed to address any control gaps, weaknesses, or failures.
• Ensures all customer compliance commitments are met at all times, and leads all interactions with customer audits of our Program.
• Manages all SOC 2, HITRUST, ISO 27000, etc. engagements & audits.
• Responsible for all IT aspects of HIPAA, SOX, & CCPA compliance.
• Tracks key customer compliance requirements & performs customer compliance activities, such as periodically updating specific customers on specific security and compliance program performance items per a given customer's request, to ensure always-on compliance with our customer requirements.
• Ensures all customer security & compliance questionnaires and other similar engagements are answered accurately, completely, consistently, quickly, and commensurate with the scope of provided services.
• Works with legal & non-IT compliance teams; responsible for reviewing & tracking all security & compliance aspects of all contracts to ensure the contracts are realistic, efficient, and supportable.
• Builds and maintains a Security Policy aligned with a globally accepted best-practice framework, such as NIST 800-53 or ISO 27000.
• Works with all IT teams to develop and maintain procedures that provide full support for the Security Policy.
• Ensures IT staff are adequately trained to understand the risks & controls for which they are responsible.
• Constantly tests the control environment to ensure it is operating effectively and efficiently.
• Periodically reports on IT GRC program performance.
• Develops, monitors, regularly reports on, and ensures adherence to OKRs & KPIs for IT GRC.
• With assistance from Security Engineering, owns and operates the vulnerability management system and all aspects of its scans, including tracking & communicating vulnerabilities, working with IT teams to ensure timely vulnerability mitigation, and providing high-level reports that accurately reflect vulnerability management program performance over time.
• With assistance from IT Infrastructure teams, responsible for the timely patching of all systems, tools, applications, and application components, such as APIs, etc.
• Responsible for identifying, tracking, addressing, and reporting on all risk across the enterprise related to any aspect of the business relating to information.
• Develops & manages all IT POAMs.
• Manages all external assessments, including phishing assessments, penetration tests, etc.
• Runs a comprehensive security & compliance assessment program on all 3rd parties utilized by the company to process or transit our data; this is an ongoing task that requires at least yearly reviews of all 3rd parties, and often requires reporting out to our customers.
• Operates an ongoing security awareness program that covers all employees, but that is tailored to the risk profile of a given business unit or organization.
• May lead projects and perform other duties as assigned.
• Occasional business travel may be required.
• Determines appropriate resourcing of staff in order to achieve goals and objectives.
• Builds an effective leadership team through mentoring and formal education that focuses on management and project management principles.
• Defines annual Key Performance Indicators aligned with corporate goals.
• Directs and mentors leaders on performance gaps, career development opportunities, and strategies.
• Directs and coaches leaders on all human-resource-related processes, including onboarding, performance management, succession planning, employee relations, selection, terminations, compensation and rewards.
• Accountable for collective results; recognizes others' contributions and shares credit for success.
• Owns attainment of high employee satisfaction and retention; leads development of programs and initiatives within the group to attain high employee satisfaction.
• Leads change management initiatives to drive improvements and efficiencies.
• Interacts collaboratively and communicates effectively with external and internal customers and stakeholders to address issues and ensure alignment.
• Prepares and manages budget as assigned; analyzes variances and initiates corrective actions to maximize operational performance.

We are interested in speaking to individuals with the following...

• Bachelor's Degree in Computer Science, Computer Engineering, or Information Security / Cyber Security required.
• Ten (10) plus years of related experience.
• ISC(2) CISSP certificate preferred.
• ITIL & GIAC certificates a plus.
• Five (5) plus years of leadership responsibility in a full-time Information Security leadership role.
• Or equivalent combination of education and/or experience.
• Demonstrated performance leading diverse teams and mentoring & developing staff into more complex or senior roles over time.
• Deep expertise in identifying, documenting, and managing qualitative risk. Expertise in quantitative risk, particularly in the FAIR model, is a significant plus.
• Strong understanding of normalized audit processes / methods, goals, motivations, and desired outcomes.
• Expertise in regulatory requirements and industry standards such as HIPAA, HITRUST, SOX, SOC, NIST CSF, NIST 800-53, ISO 27000, & CCPA.
• Can build and maintain easy-to-understand, easy-to-follow, and easy-to-audit policies, procedures, controls, narratives, and other common components of an enterprise IT GRC program.
• Outstanding team player, sociable, and able to operate easily in cross-functional and cross-departmental roles.
• Can fully manage a project independently.
• Must be able to react to shifting priorities and multitask.
• Strong ability to use thinking and reasoning to solve a problem.
• Excellent ability to communicate effectively with others using the spoken word.
• Excellent ability to communicate in writing, clearly and concisely.
• Excellent ability to address the customers' needs while following company procedures.
• Ability to make critical decisions while following company procedures.
• Ability to get along well with a variety of personalities and individuals.
• Ability to influence others to perform their jobs effectively and to be responsible for making decisions.
• Excellent ability to organize and direct oneself and effectively supervise others.
• Excellent ability to find a solution for or to deal proactively with work-related problems.
• Ability to effectively build relationships with customers and co-workers.
• Driven ability to complete assigned tasks under stressful situations.
• Sets priorities and adapts to changes in a quick, professional manner.
• Researches, evaluates, recommends, and documents IT GRC solutions.
• Understands & embraces a balance between security risk probability and practical application of remediation, and is outcome-oriented above all else.

Salary: $168,000-231,000

This role is bonus eligible based on company and personal performance.

Modivcare's positions are posted and open for applications for a minimum of 5 days. Positions may be posted for a maximum of 45 days dependent on the type of role, the number of roles, and the number of applications received. We encourage our prospective candidates to submit their application(s) expediently so as not to miss out on our opportunities. We frequently post new opportunities and encourage prospective candidates to check back often for new postings.

We value our team members and realize the importance of benefits for you and your family. Modivcare offers a comprehensive benefits package to include the following:

• Medical, Dental, and Vision insurance
• Employer Paid Basic Life Insurance and AD&D
• Voluntary Life Insurance (Employee/Spouse/Child)
• Health Care and Dependent Care Flexible Spending Accounts
• Pre-Tax and Post-Tax Commuter and Parking Benefits
• 401(k) Retirement Savings Plan with Company Match
• Paid Time Off
• Paid Parental Leave
• Short-Term and Long-Term Disability
• Tuition Reimbursement
• Employee Discounts (retail, hotel, food, restaurants, car rental and much more!)

Modivcare is an Equal Opportunity Employer.

• EEO is The Law
• Equal Opportunity Employer Minorities/Women/Protected Veterans/Disabled
• We consider all applicants for employment without regard to race, color, religion, sex, sexual orientation, national origin, age, handicap or disability, or status as a Vietnam-era or special disabled veteran in accordance with federal law.

If you need assistance, please reach out to us at [email protected]