
Contract Climate Risk Analyst Jobs in Utah (NOW HIRING)

Senior Program Financial Analyst

South Ogden, UT · Hybrid

$83.70K - $104.20K/yr

This position focuses exclusively on project and contract accounting functions. The Senior Project ... Identify financial risk drivers including cost growth, labor inefficiencies, subcontract overruns ...

Contracts Manager

Salt Lake City, UT

$86.10K - $115.20K/yr

... contract formation, execution/administration, and analysis for the purpose of maximizing financial, scope and schedule related performance and minimizing risk. The Site Contracts Manager is involved ...


Contract Climate Risk Analyst information

What is the difference between Contract Climate Risk Analyst vs Contract Environmental Analyst?

Required Credentials
  Contract Climate Risk Analyst: Bachelor's in environmental science, climate studies, or related field; certifications like GARP or FRM beneficial
  Contract Environmental Analyst: Bachelor's in environmental science, ecology, or related; certifications vary

Work Environment
  Contract Climate Risk Analyst: Financial institutions, consulting firms, or corporations assessing climate-related risks
  Contract Environmental Analyst: Government agencies, NGOs, or private firms focusing on environmental impact assessments

Employer & Industry Usage
  Contract Climate Risk Analyst: Used in finance, insurance, and corporate sectors to evaluate climate risks
  Contract Environmental Analyst: Common in environmental consulting, policy, and regulatory sectors

The Contract Climate Risk Analyst primarily focuses on assessing financial and operational risks related to climate change, often within corporate or financial settings. In contrast, the Contract Environmental Analyst concentrates on broader environmental impacts and compliance. While both roles require environmental knowledge, the Climate Risk Analyst emphasizes risk modeling and financial implications, making it distinct in scope and industry application.


IT Compliance & Risk Lead

Nuvia MSO LLC

Saint George, UT • On-site

$120K/yr

Full-time

Posted yesterday

Job description

Pay: $120,000 per year

Key Responsibilities
The following areas define day-to-day ownership and decision rights for this role.

  • Compliance Program Ownership - Own HIPAA and PCI-DSS compliance end-to-end. Run audit cycles, manage evidence collection, and maintain control narratives. Track applicable state privacy and breach notification laws (e.g., CCPA/CPRA, NY SHIELD) and manage SOC 2 obligations as the business expands.
  • Policy & Governance - Develop, maintain, and enforce IT policies, standards, and procedures aligned to NIST CSF, HIPAA Security Rule, and PCI-DSS. Translate framework requirements into practical, operational controls.
  • Risk Management - Maintain the enterprise risk register. Conduct regular risk assessments, prioritize threats, track remediation, and report risk posture to leadership on a defined cadence.
  • SOC Partner Oversight - Manage the relationship with Nuvia’s managed SOC partner. Review and route alerts, validate that remediations close the loop, and ensure SOC reporting feeds the compliance program and audit evidence.
  • Vulnerability & Patch Oversight - Track vulnerabilities surfaced by the SOC and internal scans. Drive remediation to closure within regulatory SLAs (e.g., the PCI-DSS 30-day window for high-risk findings). Coordinate annual penetration testing.
  • Incident Response Coordination - Partner with the SOC on containment and investigation. Lead post-incident review, document findings, coordinate breach notification obligations under HIPAA and applicable state laws, and maintain a current IR plan.
  • Access & Identity Governance - Define IAM policy and least-privilege standards. Conduct quarterly access reviews. Ensure provisioning and deprovisioning are timely, documented, and audit-ready.
  • Vendor & Third-Party Risk - Maintain the vendor risk inventory. Run security and privacy assessments on new vendors handling sensitive data. Ensure contracts include appropriate security, privacy, and BAA terms.
  • Security Awareness & Training - Run annual security awareness training, monthly phishing simulations, and role-based training for high-risk teams. Track completion and report metrics to leadership.

First-Year Priorities
This is a foundational hire. Your first twelve months will focus on standing up the program, not optimizing one that already exists. Expected priorities:

  • Stand up and operationalize the enterprise risk register, anchored by a baseline HIPAA Security Risk Analysis.
  • Build the vendor risk inventory, validate BAA coverage across all PHI-handling vendors, and set a refresh cadence.
  • Establish quarterly user access reviews across critical clinical, financial, and administrative systems.
  • Codify the incident response plan and run at least one tabletop exercise with the SOC partner.
  • Stand up annual security awareness training and a monthly phishing simulation program.

Performance Metrics
Success in this role is measured by Nuvia’s ability to meet its regulatory obligations, manage risk, and operate a compliance program that holds up under audit.

  • Audit Outcomes - No material findings - External audits (HIPAA, PCI-DSS, SOC 2)
  • Risk Register Closure - 90%+ - Risks remediated within agreed SLA
  • Vulnerability Remediation - 30-day SLA - High-risk findings (PCI-DSS-aligned)
  • Training Completion - 95%+ - Annual security awareness

Qualitative Outcomes Expected

  • External audits (HIPAA, PCI-DSS, SOC 2) close with no material findings.
  • A current, accurate, board-readable risk register that drives prioritization across IT and the business.
  • The SOC partnership produces actionable findings, and findings consistently drive remediation to closure.
  • A complete vendor risk inventory, refreshed annually, with up-to-date BAAs and security terms.
  • Improved employee security hygiene, reflected in declining phishing simulation click rates.
  • Compliance and risk requirements considered up-front in new projects and technology decisions, not retrofitted.

Qualifications

  • Education & Experience
    • Bachelor's degree in Cybersecurity, Information Systems, Risk Management, IT, or equivalent experience.
    • 4–7 years of experience in IT compliance, GRC, audit, or risk management roles.
    • Hands-on experience leading or coordinating an external audit (HIPAA, PCI-DSS, SOC 2).
    • Experience managing or partnering with a managed SOC, MSSP, or MDR provider.
    • Experience working with Legal, HR, Finance, and executive stakeholders on security and risk topics.
  • Technical Skills - Skills are tiered. Primary skills are required; preferred skills are familiarity-level — enough to oversee the SOC partner and translate their work into compliance evidence.
    • Primary/Required:
      • GRC Platforms (Vanta, Drata, AuditBoard), Audit Evidence Management, Risk Register Tools, Policy Authoring, IAM Governance & Access Reviews, Vendor Risk Management
    • Preferred/Familiarity:
      • SIEM / Log Review (for SOC oversight), EDR / Endpoint Tooling Familiarity, Cloud Compliance (AWS / Azure), Vulnerability Management Workflows, Penetration Testing Coordination, Data Privacy Tooling
  • Compliance Frameworks & Standards - HIPAA and PCI-DSS are load-bearing for Nuvia’s clinical and payment operations. NIST CSF guides the program. Other frameworks below are nice-to-have based on candidate background or future business needs.
    • Primary/Required:
      • HIPAA
      • PCI-DSS
      • NIST CSF
    • Preferred/Familiarity:
      • SOC 2 Type II
      • State Privacy & Breach Laws
      • CIS Controls
      • ISO 27001
      • GDPR (as applicable)
  • Soft Skills & Behaviors
    • Preferred/Familiarity:
      • Risk-based thinker
      • Clear communicator
      • Translates risk to business
      • Detail-oriented
      • Calm under pressure
      • Cross-functional collaborator
      • Vendor management
      • Audit-ready mindset
      • Proactive mindset
  • Preferred Certifications
    • Primary/Required:
      • CISA (Information Systems Auditor)
      • CRISC (Risk & Information Systems)
      • CompTIA Security+
    • Preferred/Familiarity:
      • CHC (Certified in Healthcare Compliance)
      • CIPP / US (Privacy)
      • ISO 27001 Lead Auditor
      • CISSP (preferred for senior candidates)
      • CISM (preferred for senior candidates)