Sign upLog in

IT Compliance & Risk Lead

Nuvia MSO LLC

Saint George, UT

Apply
JOB DETAILS
SALARY
JOB TYPE
Part-time
SKILLS
Alliance/Partner Management, Amazon Web Services (AWS), Auditing, Backend as a Service (BaaS), CISA - Certified Information Systems Auditor, CISM - Certified Information Security Manager, CISSP - Certified Information Systems Security Professional, Cadence, Clinical Validation, Cloud Computing, Communication Skills, CompTIA Security+, Computer Security, Cross-Functional, Detail Oriented, Establish Priorities, External Audit, Finance, Financial Administration, Financial Systems, HIPAA (Health Insurance Portability and Accountability Act), Healthcare, IR (Infrared), ISO (International Organization for Standardization), Incident Management, Incident Response, Information Technology & Information Systems, Information Technology/Systems Audit, Internet Security, Leadership, Legal, Machine Tool, Metrics, Microsoft Windows Azure, PCI-DSS, Penetration Testing, Performance Metrics, Phishing, Policy Development, Privacy Controls, Regulations, Regulatory Compliance, Relationship Management, Retrofit, Risk, Risk Analysis, Risk Management, Security Analysis, Security Information and Event Management (SIEM), Service Level Agreement (SLA), Simulation, Software Patches, State Laws and Regulations, Threat and risk analysis (TRA), Time Management, U.S. National Institute of Standards and Technology (NIST), Vendor/Supplier Evaluation, Vendor/Supplier Management, Vendor/Supplier Selection
LOCATION
Saint George, UT
POSTED
30+ days ago

Pay- $120,000 PER YEAR

Key Responsibilities
The following areas define day-to-day ownership and decision rights for this role.

  • Compliance Program Ownership - Own HIPAA and PCI-DSS compliance end-to-end. Run audit cycles, manage evidence collection, and maintain control narratives. Track applicable state privacy and breach notification laws (e.g., CCPA/CPRA, NY SHIELD) and manage SOC 2 obligations as the business expands.
  • Policy & Governance - Develop, maintain, and enforce IT policies, standards, and procedures aligned to NIST CSF, HIPAA Security Rule, and PCI-DSS. Translate framework requirements into practical, operational controls.
  • Risk Management - Maintain the enterprise risk register. Conduct regular risk assessments, prioritize threats, track remediation, and report risk posture to leadership on a defined cadence.
  • SOC Partner Oversight - Manage the relationship with Nuvia’s managed SOC partner. Review and route alerts, validate that remediations close the loop, and ensure SOC reporting feeds the compliance program and audit evidence.
  • Vulnerability & Patch Oversight - Track vulnerabilities surfaced by the SOC and internal scans. Drive remediation to closure within regulatory SLAs (e.g., the PCI-DSS 30-day window for high-risk findings). Coordinate annual penetration testing.
  • Incident Response Coordination - Partner with the SOC on containment and investigation. Lead post-incident review, document findings, coordinate breach notification obligations under HIPAA and applicable state laws, and maintain a current IR plan.
  • Access & Identity Governance - Define IAM policy and least-privilege standards. Conduct quarterly access reviews. Ensure provisioning and deprovisioning are timely, documented, and audit-ready.
  • Vendor & Third-Party Risk - Maintain the vendor risk inventory. Run security and privacy assessments on new vendors handling sensitive data. Ensure contracts include appropriate security, privacy, and BAA terms.
  • Security Awareness & Training - Run annual security awareness training, monthly phishing simulations, and role-based training for high-risk teams. Track completion and report metrics to leadership.

First-Year Priorities
This is a foundational hire. Your first twelve months will focus on standing up the program, not optimizing one that already exists. Expected priorities:

  • Stand up and operationalize the enterprise risk register, anchored by a baseline HIPAA Security Risk Analysis.
  • Build the vendor risk inventory, validate BAA coverage across all PHI-handling vendors, and set a refresh cadence.
  • Establish quarterly user access reviews across critical clinical, financial, and administrative systems.
  • Codify the incident response plan and run at least one tabletop exercise with the SOC partner.
  • Stand up annual security awareness training and a monthly phishing simulation program.

Performance Metrics
Success in this role is measured by Nuvia’s ability to meet its regulatory obligations, manage risk, and operate a compliance program that holds up under audit.

  • Audit Outcomes - No Material Findings - External audits (HIPAA, PCI-DSS, SOC 2) 
  • Risk Register Closure 90%+ - Risks remediated within agreed SLA
  • Vuln Remediation - 30-Day SLA - High-risk findings (PCI-DSS-aligned)
  • Training Completion - 95%+ - Annual security awareness

Qualitative Outcomes Expected

  • External audits (HIPAA, PCI-DSS, SOC 2) close with no material findings.
  • A current, accurate, board-readable risk register that drives prioritization across IT and the business.
  • The SOC partnership produces actionable findings, and findings consistently drive remediation to closure.
  • A complete vendor risk inventory, refreshed annually, with up-to-date BAAs and security terms.
  • Improved employee security hygiene, reflected in declining phishing simulation click rates.
  • Compliance and risk requirements considered up-front in new projects and technology decisions, not retrofitted.

Qualifications

  • Education & Experience
    • Bachelor's degree in Cybersecurity, Information Systems, Risk Management, IT, or equivalent experience.
    • 4–7 years of experience in IT compliance, GRC, audit, or risk management roles.
    • Hands-on experience leading or coordinating an external audit (HIPAA, PCI-DSS, SOC 2).
    • Experience managing or partnering with a managed SOC, MSSP, or MDR provider.
    • Experience working with Legal, HR, Finance, and executive stakeholders on security and risk topics.
  • Technical Skills - Skills are tiered. Primary skills are required; preferred skills are familiarity-level — enough to oversee the SOC partner and translate their work into compliance evidence. 
    • Primary/Required: 
      • GRC Platforms (Vanta, Drata, AuditBoard), Audit Evidence Management, Risk Register Tools, Policy Authoring, IAM Governance & Access Reviews, Vendor Risk Management
    • Preferred/Familiarity:
      • SIEM / Log Review (for SOC oversight), EDR / Endpoint Tooling Familiarity, Cloud Compliance (AWS / Azure), Vulnerability Management Workflows, Penetration Testing Coordination, Data Privacy Tooling
  • Compliance Frameworks & Standards - HIPAA and PCI-DSS are load-bearing for Nuvia’s clinical and payment operations. NIST CSF guides the program. Other frameworks below are nice-to-have based on candidate background or future business needs.
    • Primary/Required:
      •  HIPAA
      • PCI-DSS
      • NIST CSF
    • Preferred/Familiarity:
      • SOC 2 Type II
      • State Privacy & Breach Laws
      • CIS Controls 
      • ISO 27001
      • GDPR (as applicable)
  • Soft Skills & Behaviors
    • Preferred/Familiarity:
      • Risk-based thinker
      • Clear communicator
      • Translates risk to business
      • Detail-oriented
      • Calm under pressure
      • Cross-functional collaborator
      • Vendor management
      • Audit-ready mindset
      • Proactive mindset
  • Preferred Certifications
    • Primary/Required:
      • CISA (Information Systems Auditor)
      • CRISC (Risk & Information Systems)
      • CompTIA Security+
    • Preferred/Familiarity:
      • CHC (Certified in Healthcare Compliance)
      • CIPP / US (Privacy)
      • ISO 27001 Lead Auditor
      • CISSP (preferred for senior candidates)
      • CISM (preferred for senior candidates)

About the Company

N

Nuvia MSO LLC

Resume Resources

Free Resume TemplatesFree Resume Builder