Governance Risk & Compliance Analyst

Summary

Join DoseSpot, a PE-backed start-up and leader in electronic prescribing software, as their Governance Risk & Compliance (GRC) Analyst. You will play a crucial role in operationalizing and evolving DoseSpot’s security and compliance programs. Collaborate cross-functionally to drive alignment with industry frameworks, proactively manage risk, and build scalable processes. This role involves managing day-to-day compliance operations, including SOC 2 and HITRUST audits, refining third-party risk assessments, and supporting the transformation of DoseSpot’s compliance program. The ideal candidate will have a strong background in information security, risk management, and compliance, with experience in managing SOC2 and HITRUST audits. This is a remote position with a flexible work schedule, offering a generous benefits package.

Requirements

• Bachelor’s degree in information security or related field
• 5+ years of experience in information security, with an emphasis on risk and compliance
• At least 3+ years of experience managing SOC2 and HITRUST audits
• Thorough understanding of regulatory and compliance requirements, including HIPAA
• Familiarity with ISMS and security frameworks, including NIST, HITRUST, ISO27001
• Knowledge of identity management standards, storage, and disaster recovery in the cloud
• Knowledge of GRC tools and best practices, including solutions such as Vanta, Drata, OneTrust
• Proven track record of organizing and carrying out several risk and compliance projects independently
• Ability to manage third-party audits and organize audit responses in detail proactively
• Effective written and verbal communication skills and capability to communication and collaborate with cross-functional teams

Responsibilities

• Managed risk and vulnerability assessments, validation testing, compliance reviews, and audit in accordance with both NIST and HITRUST standards
• Manage and support SOC2 and HITRUST audits
• Conduct and manage recurring risk and vulnerability assessments, control validation, and compliance reviews aligned to NIST, HITRUST, HIPAA, and ISO 27001
• Lead end to end SOC2 and HITRUST audits, including readiness assessments, evidence collection, gap remediation, and audit response
• Proactively manage audit timelines and ensure completeness and accuracy of submissions using GRC tools such as Drata and Vanta
• Promote widespread implementation of HITRUST and NIST based controls across security, engineering, and business operations
• Maintain an organized, audit-ready repository of evidence and artifacts through GRC platforms
• Inform stakeholders of risk management concerns
• Translate risk and compliance insights into clear, actionable updates for security, IT, product, and legal teams
• Manage the development, maintenance, and version control of security policies and standards ensuring compliance with emerging regulations and company practices
• Support vendor due-diligence process and help to lead and define the overall third-party risk management (TPRM) efforts

Preferred Qualifications

• CISA, CISM, CRISM, or CISSP certifications are preferred, but not required
• You like to be hands on and work with GRC tools to better automate and operationalize GRC programs
• You enjoy collaborating with teams on risk management

Benefits

• Remote work environment with a flexible work schedule to encourage work-life balance
• Annual company offsite
• Generous leave package including flexible time off policy that encourages team members to take time off to relax and recharge; plus 13 paid holidays, paid sick leave, and paid parental leave
• Medical, dental, and vision insurance for you and your family, plus a company funded FSA & HSA (dependent on which medical plan you choose)
• 401(k) company match
• One-time workspace reimbursement to help you optimize your remote workspace