Staff InfoSec Analyst, GRC

Remote, United States


Two Chairs

At Two Chairs, we make it easy to find the right therapist and get the care you need.


We’ve brought together an exceptional team at the intersection of clinical care, technology, and design to revolutionize how people connect with and receive care. We’re united by our collective personal experiences with the mental health care system and a desire to build a better one for everyone. With that, we're excited and honored to have been recognized as one of the 2023 Bay Area Best Places to Work.

About the role

The Staff InfoSec Analyst, GRC is critical to the success of Two Chairs’ goals to protect our clients’ data and secure our clinicians’ workflows. In this position, you will work closely with compliance, IT, Product Development, and other teams to promote industry security best practices, and to ensure that Two Chairs' security policies and procedures are maintained and comply with all internal and external regulations and requirements. Your clear communication will be crucial as you explain security trade-offs and create practical solutions to manage risks effectively for our clients, clinicians, and our organization overall.

You bring a proactive, self-motivated attitude, combined with the curiosity and practicality needed to handle and minimize application and infrastructure security risks. Our team appreciates diverse work styles, recognizing both the impact of taking initiative and the insight of deliberate decision-making.

You'll be responsible for driving risk assessment and mitigation efforts across Two Chairs, partnering with clinical leadership, compliance, and IT teams on policy creation, review, and updates, and developing procedures to ensure compliance with relevant regulations and industry standards. In addition, this role will be responsible for helping Two Chairs obtain and maintain compliance certifications such as SOC 2 Type II, ISO, HIPAA, etc.


Core Areas of Responsibility

Governance, Risk and Compliance: 70%

    • Analyze and develop information security governance, including organizational policies, procedures, standards, baselines, and guidelines with respect to information security and the use and operation of information systems.
    • Develop and implement security controls and a risk assessment framework that align with HIPAA.
    • Evaluate risks and develop security standards, procedures, and controls to manage them.
    • Drive internal audits to assess compliance and partner with key stakeholders such as security, legal, and HR to identify areas for improvement.
    • Work cross-functionally to help Two Chairs obtain SOC 2 Type II, ISO 27001, HIPAA, and other certifications that inspire confidence in our clients and clinicians.

IT Security: 10%

    • Perform email security and phishing audits.
    • Perform IT risk assessments, identify vulnerabilities, and work closely with technical teams to ensure that risks are mitigated appropriately.

Vendor Security Review: 10%

    • Perform security assessments on third-party vendors and integrations.
    • Respond to security assessments, questionnaires, and audits from payers/health plans.

Training/Education: 10%

    • Develop and administer, or provide advice, evaluation, and oversight for, information security training and awareness programs.

Impact and Success Indicators 

Where you’ll make an impact in the first 90 days:

  • SOC 2 Type II assessment and readiness

 Where you’ll make an impact in the first year:

  • Two Chairs SOC 2 certification
  • First penetration test successfully completed
  • Two Chairs security policies developed

 You’ll be successful if you have:

  • Proven experience working in a GRC role, preferably in the healthcare industry
  • Strong understanding of risk management methodologies and best practices
  • Professional experience conducting security assessments
  • Familiarity with privacy regulations such as CCPA and LGPD
  • Solid understanding of IAM principles and practices
  • In-depth knowledge of Google Workspace
  • In-depth knowledge of SSO, SAML, OAuth, and OpenID Connect
  • Knowledge of spam filtering and phishing protection
  • Knowledge and understanding of email authentication protocols: DMARC, DKIM, and SPF
  • Certified Information Systems Security Professional (CISSP), Certified Information Security Auditor (CISA), Certified Information Security Manager (CISM), or other relevant training and certifications are preferred
  • Knowledge of security information and event management (SIEM), event correlation, and analysis technologies
  • Experience with GRC platform tools such as Vanta or Drata
  • Strong leadership abilities with the capacity to influence and drive change within the organization
  • Experience with HIPAA

Compensation & Benefits

We offer perks and benefits that support the health and well-being of our teams, including:

  • Equity in a high-growth start-up
  • PTO program, including a Winter Office Closing from Christmas Day (Observed) through New Year's Day
  • Comprehensive medical, dental, and vision coverage
  • One-time $200 Work from Home reimbursement
  • Annual $500 stipend to support your professional development
  • Annual $500 subsidized company contribution to your healthcare FSA
  • Annual $500 wellness stipend to encourage and support a well-rounded and healthy lifestyle
  • Paid parental leave

About Two Chairs

At Two Chairs, we are building a world where everyone has access to exceptional mental health care. We do this by bringing people together at the intersection of clinical care, technology, and design. We are passionate about mental health and excited to be a part of a team that is bringing personalized, data-driven therapy to California, Washington, and eventually nationwide.

Diversity, equity, and inclusion are the principles guiding how we build our business and teams. We encourage interested candidates from diverse backgrounds to apply even if they don't think they meet every expectation of the role.

Please stay alert to protect yourself from sophisticated job scams during the recruiting process.
Only emails that come from twochairs.com are legitimate recruiting messages. We conduct all interviews by phone or Google Video, and we will never ask you for money or to download software.

More tips from the FTC on avoiding job scams: https://www.consumeraffairs.com/news/ftc-offers-tips-on-avoiding-job-scams-041321.html


All applicants must be authorized to work for ANY employer in the U.S. We are unable to sponsor or take over sponsorship of an employment Visa at this time.
