Information Security Analyst, GRC

About the Role

Paytient is built on the belief that financial barriers should never stand between a person and the care they need. We partner with employers and health plans to provide a Health Payment Account (HPA), allowing members to pay for out-of-pocket healthcare costs over time, interest-free.

Because we operate at the intersection of healthcare and finance, trust is our most important asset. We are seeking an Information Security GRC Analyst - a disciplined professional who understands that rigorous compliance is the bedrock of our ability to serve our members safely.  The Information Security GRC Analyst is a pivotal member of the Information Security team, responsible for the integrity of our security frameworks and the maturity of our compliance programs. Your primary focuses will be ensuring our policies and procedures align with SOC2 and HITRUST, administering and maturing the risk management program, and serving as a key stakeholder in the Vendor Risk Management process.

This role requires a high degree of craft and diligence. We are looking for a builder who can meticulously manage multiple tasks while possessing a broad understanding of information technologies and security practices to ensure security controls are integrated seamlessly into our operational workflows.

Primary Responsibilities

• HITRUST and SOC2 Alignment: Manage the alignment of internal policies, procedures, and controls with the HITRUST CSF and SOC2. Contribute to the design and implementation of robust security controls across the organization.
• Policy Governance: Collaborate with stakeholders to draft and update information security policies and standards, ensuring they are well-designed and meet stringent requirements.
• Audit Facilitation: Act as a primary participant in SOC2 and HITRUST assessments and audits, managing evidence gathering, documentation, and technical interaction with external auditors.
• Control Validation: Work closely with IT and Security teams to verify that controls are designed correctly and operating effectively within our environment.
• Risk & Vulnerability Tracking: Assist in identifying vulnerabilities and participate in risk assessments for proposed business changes to ensure they do not compromise our compliance posture.
• Vendor Management: Facilitate the Vendor Management Program by performing third party risk reviews for a broad range of technology vendors and reporting risk findings to technology stakeholders.

What You’ll Bring

• The Core Requirement: Verifiable experience leading or playing a high-level role in a successful Information Security GRC program that encompasses vendor lifecycle management, alignment with compliance frameworks, and risk management.
• Professional Experience: 2+ years in Information Security, IT Audit, or a Security GRC role.
• Technical Acumen: A strong understanding of networking, operating systems, cloud security, and encryption. You should be able to speak the same language as our engineers.
• Framework Knowledge: An in-depth knowledge of HITRUST CSF and SOC2 and a working knowledge of NIST and ISO 27001.
• Paramount Communication: Exceptional written communication skills with the ability to create clear, accurate documentation that stands up to auditor scrutiny.
• Tool Proficiency: Experience with Jira, Google Workspace, and GRC platforms such as Vanta, Drata, or similar products. 

Our Values

• Live the Mission: We are missionaries, not mercenaries.
• Lift Others: We succeed by elevating our customers and our teammates.
• Light the Way: We stand out, bring clarity, and blaze a path for others to follow.