Governance Risk & Compliance Analyst

DoseSpot
Summary
Join DoseSpot, a PE-backed start-up and leader in electronic prescribing software, as their Governance Risk & Compliance (GRC) Analyst. You will play a crucial role in operationalizing and evolving DoseSpot’s security and compliance programs. Collaborate cross-functionally to drive alignment with industry frameworks, proactively manage risk, and build scalable processes. This role involves managing day-to-day compliance operations, including SOC 2 and HITRUST audits, refining third-party risk assessments, and supporting the transformation of DoseSpot’s compliance program. The ideal candidate will have a strong background in information security, risk management, and compliance, with experience in managing SOC2 and HITRUST audits. This is a remote position with a flexible work schedule, offering a generous benefits package.
Requirements
- Bachelor’s degree in information security or related field
- 5+ years of experience in information security, with an emphasis on risk and compliance
- At least 3 years of experience managing SOC2 and HITRUST audits
- Thorough understanding of regulatory and compliance requirements, including HIPAA
- Familiarity with ISMS and security frameworks, including NIST, HITRUST, ISO27001
- Knowledge of identity management standards, storage, and disaster recovery in the cloud
- Knowledge of GRC tools and best practices, including solutions such as Vanta, Drata, OneTrust
- Proven track record of organizing and carrying out several risk and compliance projects independently
- Ability to manage third-party audits and organize audit responses in detail proactively
- Effective written and verbal communication skills and the ability to communicate and collaborate with cross-functional teams
Responsibilities
- Manage risk and vulnerability assessments, validation testing, compliance reviews, and audits in accordance with both NIST and HITRUST standards
- Manage and support SOC2 and HITRUST audits
- Conduct and manage recurring risk and vulnerability assessments, control validation, and compliance reviews aligned to NIST, HITRUST, HIPAA, and ISO 27001
- Lead end-to-end SOC2 and HITRUST audits, including readiness assessments, evidence collection, gap remediation, and audit response
- Proactively manage audit timelines and ensure completeness and accuracy of submissions using GRC tools such as Drata and Vanta
- Promote widespread implementation of HITRUST- and NIST-based controls across security, engineering, and business operations
- Maintain an organized, audit-ready repository of evidence and artifacts through GRC platforms
- Inform stakeholders of risk management concerns
- Translate risk and compliance insights into clear, actionable updates for security, IT, product, and legal teams
- Manage the development, maintenance, and version control of security policies and standards, ensuring compliance with emerging regulations and company practices
- Support vendor due-diligence process and help to lead and define the overall third-party risk management (TPRM) efforts
Preferred Qualifications
- CISA, CISM, CRISC, or CISSP certifications are preferred, but not required
- You like to be hands on and work with GRC tools to better automate and operationalize GRC programs
- You enjoy collaborating with teams on risk management
Benefits
- Remote work environment with a flexible work schedule to encourage work-life balance
- Annual company offsite
- Generous leave package including flexible time off policy that encourages team members to take time off to relax and recharge; plus 13 paid holidays, paid sick leave, and paid parental leave
- Medical, dental, and vision insurance for you and your family, plus a company funded FSA & HSA (dependent on which medical plan you choose)
- 401(k) company match
- One-time workspace reimbursement to help you optimize your remote workspace