Director of Governance, Risk, and Compliance

Job Location:

Hybrid Remote in our office in Burlington, MA, or Fully Remote in the USA

Position Summary

Reasons you will want this position:

• We are a rapidly growing company with limitless career growth and advancement for top performers
• Our culture appreciates and rewards creative ideas, especially those that achieve better outcomes for everyone
• This is viewed as a key position for our continued success by our executives and senior leadership.

Summary
As the Director of Technology Governance, Risk, and Compliance (GRC), you will be a key leader within the Cybersecurity Department. You will be responsible for ensuring effective governance, managing risks, and maintaining control frameworks to support the organization's objectives. In this Director position, you will oversee compliance with internal controls, industry-leading practices, and regulatory requirements, which includes HIPAA. Additionally, you will communicate with our internal and external auditors as the point of contact for technology GRC inquiries.

You will be responsible for successfully developing and guiding technology risk management and assessments, third-party risk assessments, and compliance monitoring, as well as developing policies, standards, and controls to ensure a strong control environment is in place for managing risk at Cedar Gate Technologies.

Roles & Responsibilities

Governance & Compliance:

• Oversee a unified control framework (UCF), including monitoring controls to ensure alignment with various leading practice control frameworks, such as NIST CSF, CIS, COBIT, etc.
• Overall responsibility for overseeing and establishing information security policies, procedures, and controls to manage risk and ensure compliance with internal and regulatory requirements.
• Oversees the design and implementation of technology controls in collaboration with other members of technology teams, ensuring adherence to requirements and that control design is embedded into solutions and procedures.
• Facilitate and support assessments of enterprise systems, processes, and controls to verify that controls are designed appropriately and operate effectively.
• Oversee the definition of remediation plans, compensating and mitigating control activities, and retesting; ensure any recommendations received from internal audit, external audit, regulators, or other external parties are addressed and incorporated into those plans.
• Ensure timely remediation of ineffective controls and that remediation plans address the risks and are appropriate, detailed, and current.
• Ensure compliance with industry regulations, particularly HIPAA. Coordinate and facilitate internal and external audits, ensuring timely resolution of findings and recommendations (HiTrust, SOC 1, SOC 2).

Risk Management:

• Overall responsibility for the technology risk management program, including risk reporting, risk registry, and executive metrics.
• Provide leadership, guidance, and oversight to develop an enterprise-wide Technology Risk Management program to assess, identify, report, manage, and prioritize organizational risks.
• Provide leadership, guidance, and oversight to risk mitigation strategies to minimize organizational risks.
• Oversees third-party and supply technology risk management practices and alignment with cross-functional teams such as Enterprise Risk Management (ERM), Legal, and Operational teams.

Leadership and Stakeholder Alignment:

• Provide general leadership, oversight, and development of technology governance, risk, and compliance practices.
• Serve as a key stakeholder on project steering teams for new applications to ensure process and control are designed and implemented appropriately.
• Collaborate with key stakeholders to establish Technology GRC team priorities, goals, and objectives supporting business strategies.
• Monitor and evaluate GRC practices and develop metrics and KPIs to identify areas for improvement and optimization.
• Report regularly to IT Leadership, the business, and other Sr. Management on the effectiveness of GRC, including key risks and compliance with policy and controls, escalating issues as appropriate.
• Conduct lessons learned with audit teams to ensure optimal coordination of improvement opportunities.
• Responsible for short-term and long-range planning, including Key Risk Indicators (KRI’s) financial planning, forecasts, and related variances.
• Coordinate with Cedar Gate legal counsel and stay updated on HIMSS, CMS, and OIG policies and recommendations
• Review and participate in security questionnaires and RFIs before distribution for the correctness and to identify potential gaps in Cedar Gate policies and procedures
• Ensure the organization has and maintains appropriate system use and disclosure/confidentiality statements.
• Manage security incidents and events involving both protected health information (PHI) and non-PHI data.
• Ensure that the company's disaster recovery, business continuity, risk management, and access control needs are addressed.
• Oversee periodic monitoring and reviewing of audit records to ensure that activity is appropriate.

Required Experience / Qualifications

• Bachelor's degree in business, Information Technology, Information Security, Audit, or a related field with ten or more years of equivalent experience, MBA preferred.
• Experience with GRC solutions and automation
• In-depth experience with various control frameworks and regulatory requirements, such as NIST-CSF, Sarbanes-Oxley (SOX), Privacy (CCPA, GDPR, etc.), and other leading practice frameworks.
• Extensive experience with HITRUST, SOC 1,2,3.
• Robust working knowledge of information systems security standards and practices and practical experience developing and executing strategies for Information Security technologies
• Compelling communication and relationship-building skills with the ability to communicate effectively at all levels of an organization
• Ability to be decisive yet collaborative and influential in decision-making
• Clear ability to develop business case justifications and cost/benefit analysis.
• Creative problem solver with strong analytic skills, strategic thinking, planning and organizing
• Security certification CISSP or CISM or equivalents

Your Future Working Environment

If you join Cedar Gate, you can make great ideas happen for some of the world's most dynamic companies. With broad global resources and deep technical know-how, we collaborate with clients to cultivate ideas and deliver results in the medical industry. Choose a career at Cedar Gate and enjoy an innovative environment where challenging and interesting work is part of daily life.

Next to our excellent terms of employment and fringe benefits, we invest considerable resources to provide ongoing training that builds and extends professional, technical, and management skills in all areas. At Cedar Gate, you will operate in a professional environment where teamwork and innovation are immensely encouraged. Together with colleagues, you will work on high-impact projects for many dynamic companies.

About Cedar Gate

Cedar Gate enables payers, providers, employers, and service administrators to excel at value-based care. Our unified technology and services platform enhances and automates data management activities to deliver employer and provider analytics, care management, and payment technology necessary to pursue every payment model and optimize performance in all lines of business. From primary care attribution to bundled payments to capitation, our platform is designed to improve clinical, financial, and operational outcomes for all.

Based in Greenwich, CT, Cedar Gate is private equity backed by GTCR, a leading Chicago-based private equity firm, Ascension Ventures, a strategic healthcare venture firm, and Cobalt Ventures, the investment subsidiary of BCBS of Kansas City. To learn more, visit www.cedargate.com.