Senior Information Security Analyst (GRC)

Sorry, this job was removed at 6:32 p.m. (CST) on Tuesday, September 21, 2021

HeartFlow, Inc. is dedicated to making our products and technologies as secure as possible.

Reporting to the Governance, Risk and Compliance (GRC) Manager, the Senior Information Security Analyst (GRC) will actively participate in supporting the strategy to enhance HeartFlow’s governance, risk, and compliance programs, aligned to business priorities and supported by authoritative security frameworks. This is a critical self-starter role responsible for driving audit/certification compliance, third-party risk management, training/awareness, and policy management programs. This hands-on role will take the lead on ensuring HeartFlow maintains its regulatory cybersecurity certifications (ISO 27001, HITRUST 9.3, etc.) and SOC 2 Type II Attestation.


We are looking for an experienced, motivated, self-starter who not only knows what to do to make these programs successful but can execute and deliver with minimal oversight. The candidate should have strong analytical skills, keen attention to detail, and the ability to successfully prioritize and execute on multiple tasks and meet deadlines. The candidate should be able to motivate team members in a positive manner both within and external to Information and Security Services to contribute (evidence, documentation, interviews, etc.) to maintain HeartFlow’s regulatory cybersecurity certifications. This person will serve as a subject matter expert with regards to:


Information security regulatory requirements

Common vendor related risks (both technical and workflow based)

Associated information security policies and procedures


This person should be highly organized and possess in-depth knowledge of applying, selecting, and testing the NIST family of security controls and tracking compliance with the associated control requirements. The HeartFlow Governance Risk and Compliance program is a comprehensive program, and this person may be called upon to contribute to other areas of the program as needed.

Job Responsibilities

  • Audits HeartFlow information systems, platforms, and operating procedures in accordance with established corporate and regulatory standards for efficiency, accuracy, and security.
  • Evaluates HeartFlow infrastructure in terms of risk to the organization and works with the CorpIT and Information Security Operations teams to establish controls to mitigate loss.
  • Determines and recommends improvements in current risk management controls and implementations of HeartFlow system changes and upgrades.
  • Creates audit planning memos in conformance with Internal Audit Department procedures.
  • Documents business processes, process narratives and flowcharts for identifying risks and mitigating controls.
  • Develops risk and control matrixes and test plans for key controls.
  • Identifies control gaps and tests the design of existing controls.
  • Oversees mitigation of identified gaps for required certifications (ISO 27001, HIPAA, HITRUST, etc.), attestations (i.e. SOC 2 Type II) and frameworks (NIST 800-53, including but not limited to documentation and controls) to completion.
  • Conducts recurring internal audits and assessments of security controls and documentation in anticipation of re-certification and to determine readiness to achieve new certifications.
  • Provides recurring reports of controls mapped across multiple regulatory requirements and frameworks, for visibility into defense mechanism strengths and gaps.
  • Collaborates with appropriate teams to execute various security projects (upgrades, new implementations, etc.); evaluates and implements new security technology controls and solutions.

Third-Party Risk Management

  • Implement and manage a vendor risk management program; review third party vendor contracts to ensure appropriate security and compliance controls are in place and functioning effectively.
  • Evaluate requests for exception to established security policies, guidelines, and standards.
  • Document all approved exceptions and review them on a recurring basis for continued necessity.
  • Perform information security risk evaluations/reviews of vendor software, solutions, and services to assess the risk associated with their use.
  • Document all approved reviews and audit them on a recurring basis for continued necessity.

Training and Awareness

  • Develop and implement a security training program that addresses the threats, risks, and raises the overall security awareness throughout the enterprise.
  • Responsible for managing the security training program and documentation library.
  • Collaborate with security, IT, GRC, legal, privacy, compliance, and engineering on training and documentation requirements.
  • Collaborate on internal communications for information security messaging for the enterprise.
  • Work with security leadership to develop a strategy for security training and awareness programs.
  • Develop and report on metrics for training and awareness to leadership.
  • Author and document policies, standards, procedures, and guidelines that meet gathered requirements.
  • Day-to-day management of the security training platform as required.
  • Develop targeted phishing training campaigns as well as other training programs for all audiences (technical and non-technical).
  • Help security leadership with developing effective presentations for internal and external stakeholders.
  • Work closely with Legal, Compliance, Product, and Engineering on other requirements for training as required.

Policy Management

  • Develop, document and publish Information Security policies, procedures, standards and guidelines based on industry best practices and regulatory compliance requirements.
  • Develop, maintain, and document a framework to continuously maintain information security policies, standards and guidelines, and oversee the approval and publication of risk policies.
  • Perform periodic audits on company policies, procedures, and processes.
  • Ensure policies are aligned to leading information security frameworks and meet cybersecurity regulatory requirements.
  • Contribute to the development and implementation of a policy compliance framework using a GRC platform coupled with a variety of systems of record.
  • Identify gaps and conflicts in the policy governance structure, make recommendations to address them, and drive changes as required.
  • Shepherd policy changes through a formal governance process practiced by a Policy Approval Committee.

Skills Needed

  • 5+ years of experience.
  • 3+ years of information security governance, risk and compliance experience for a global organization (preferably with reliance on cloud computing, but not required).
  • Solid technical background with an applied understanding of common attack methodologies, common types of security risks, and mitigation strategies.
  • Experience with GRC tools, including API-driven integrations with a variety of systems of record.
  • Exceptional experience developing effective, pragmatic information security policy and standards frameworks.
  • Outstanding skills at building and continually strengthening relationships with teammates and partners, thereby influencing key decisions they make.
  • Ability to bridge gaps of understanding between business and technical partners.
  • Outstanding analytical and problem-solving skills.
  • Practical understanding of at least two security control frameworks and associated policy requirements from the following set: ISO 27001, NIST CSF, NIST 800-53, NIST 800-171, NIST 800-82, Cloud Security Alliance Cloud Controls Matrix (CSA CCM), SOC 2, PCI DSS.
  • Solid project management skills, especially in a cross-functional environment.
  • Strong team-oriented interpersonal and communication skills; ability to present technical information in a way that establishes rapport, persuades others and gains understanding.
  • Effective communication and presentation skills with demonstrated ability to prepare documentation and presentations for technical and non-technical audiences.
  • Self-starter, positive attitude, ability to work independently, enjoys learning and staying current with industry developments, regulations, and best practices.

Preferred Skills and Experience

  • Strong knowledge of security controls in industry-standard frameworks including ISO 27001, SOC 2 Type II, HITRUST 9.x and the NIST CSF.
  • Preference will be given to those candidates who can demonstrate an in-depth technical understanding of common risks imposed by third-party applications and associated mitigation strategies.
  • Experience working at a cloud service provider company spanning multiple countries is preferred but not required.

About HeartFlow, Inc.

HeartFlow, Inc. is a medical technology company redefining the way heart disease is diagnosed and treated. Our non-invasive HeartFlow FFRct Analysis leverages deep learning to create a personalized 3D model of the heart. By using this model, clinicians can better evaluate the impact a blockage has on blood flow and determine the best treatment for patients. Our technology is reflective of our Silicon Valley roots and incorporates decades of scientific evidence with the latest advances in artificial intelligence. The HeartFlow FFRct Analysis is commercially available in the United States, Canada, Europe and Japan. For more information, visit www.heartflow.com.


HeartFlow, Inc. is an Equal Opportunity Employer. We are committed to a work environment that supports, inspires, and respects all individuals and do not discriminate against any employee or applicant because of race, color, religion, marital status, age, national origin, ancestry, physical or mental disability, medical condition, pregnancy, genetic information, gender, sexual orientation, gender identity or expression, veteran status, or any other status protected under federal, state, or local law. This policy applies to every aspect of employment at HeartFlow, including recruitment, hiring, training, relocation, promotion, and termination.


Positions posted for HeartFlow are not intended for or open to third party recruiters / agencies. Submission of any unsolicited resumes for these positions will be considered to be free referrals.

More Information on HeartFlow
HeartFlow operates in the Healthtech industry. The company is located in Redwood City, CA, Portland, OR and Austin, TX. HeartFlow was founded in 2007. It has 299 total employees. It offers perks and benefits such as dental insurance, health insurance, 401(k), a remote work program, paid holidays and paid sick days.