InfoSec Compliance Analyst

Who we are
Zus is a shared health data platform designed to accelerate healthcare data interoperability by providing easy-to-use patient data via API, embedded components, and direct EHR integrations. Founded in 2021 by Jonathan Bush, co-founder and former CEO of athenahealth, Zus partners with HIEs and other data networks to aggregate patient clinical history and then translates that history into user-friendly information at the point of care. Zus's mission is to catalyze healthcare's greatest inventors by maximizing the value of patient insights - so that they can build up, not around.
What we’re looking for
We are looking for an InfoSec Compliance Analyst to support and mature our InfoSec and Compliance programs. This role is perfect for someone who is process-driven, organized, and curious — with an eye for documentation, systems, and continuous improvement. You’ll be a critical partner in maintaining and enhancing our security practices, with opportunities to grow deeper into the Risk and InfoSec management space (e.g., AWS, DevOps, and security infrastructure) over time.
You’ll report to our Manager of InfoSec and collaborate cross-functionally with IT, Engineering, Legal, People Ops, and other teams to keep our security, privacy, and compliance programs running smoothly and effectively

As part of our team, you will be responsible for

Risk and Compliance Management

• Maintaining and monitoring SOC 2 controls, tests, and evidence. Assisting with coordination of any required remediation or documentation generation.
• Proactively identifying, raising, and documenting risks as part of our ongoing Risk Management program.
• Performing access reviews across Zus Identity-Provider (Okta), customer environments, SaaS tools, and Google Workspace.

Operational Security Stewardship

• Performing the security review aspect of new software acquisition or purchase request within Zus
• Managing Vendor Review and Third-Party Risk Management (TPRM) workflows.
• Leading the configuration, maintenance, and reporting for security awareness and anti-phishing campaigns.

InfoSec Planning and Program Coordination

• Operating the master InfoSec program schedule, ensuring all annual and quarterly security activities are completed on time, documented thoroughly, and the compliance artifacts are generated and securely stored..
• Planning, coordinating, and publishing materials for scheduled activities such as postmortems, incident debriefs, and tabletop exercises.
• Driving annual compliance activities, such as Disaster Recovery tests, Incident Response tests, Network reviews, Penetration tests, Risk Assessments, and Customer SSO credential rotations.
• Coordinating quarterly compliance reviews in partnership with Legal and other stakeholders.

Process Improvement

• Helping prioritize and track incident postmortem follow-up actions.
• Contribute to implementation work related to configuration-as-code and GitOps workflows.
• Maintain hygiene (related to sensitive customer data, PHI) in shared environments (e.g., Google Drive monitoring and cleanup).

You're a good fit because you have

• Organized, detail-oriented, and accountable — you take pride in running a tight ship.
• Strong project and documentation skills; you can wrangle chaos into a crisp Confluence page and clearly defined Jira tickets.
• Familiarity with SIEM tools.
• Fast and effective: you know how to move things forward without overcomplicating them.
• A self-starter attitude that shows that you are ready for the fast, and sometimes unstructured nature of an early startup.

It would be great if you had

• Interest in growing into AWS, DevOps, and Security infrastructure concepts — you don’t need to be a developer, but you’re curious and eager to learn.
• Previous experience supporting SOC 2 audits or other security frameworks (HIPAA, ISO 27001, HITRUST, etc.).
• Exposure to tools like GitHub, Jira, GSuite Admin, TrustCloud, or AWS IAM is a plus.
• Basic knowledge of infrastructure-as-code and configuration-as-code as well as CI/CD processes.
• CISA certification. 

This role is based in Boston with a hybrid schedule where you'll be expected to work in the office a few days per week. We're located at 1 Lincoln St.
We will offer you…
• Competitive compensation that reflects the value you bring to the team a combination of cash and equity• Robust benefits that include health insurance, wellness benefits, 401k with a match, unlimited PTO• Opportunity to work alongside a passionate team that is determined to help change the world (and have fun doing it)
Please Note: Research shows that candidates from underrepresented backgrounds often don’t apply unless they meet 100% of the job criteria. While we have worked to consolidate the minimum qualifications for each role, we aren’t looking for someone who checks each box on a page; we’re looking for active learners and people who care about disrupting the current healthcare system with their unique experiences.
We do not conduct interviews by text nor will we send you a job offer unless you've interviewed with multiple people, including the Director of People & Talent, over video interviews. Job scams do exist so please be careful with your personal information.