Information Security Analyst

Remote
Sorry, this job was removed at 4:00 p.m. (CST) on Monday, September 13, 2021

About Us

Reify Health is changing the way medicines are developed by connecting and empowering the clinical trial ecosystem. We are a team of researchers, entrepreneurs, technologists, and healthcare-obsessed professionals building solutions that eliminate some of the biggest challenges in clinical research.

We care about the people who care for people...and we have fun while doing it.

What You’ll Be Working On

  • Administer the vendor management program by reviewing documentation (e.g., SOC2, security whitepapers, technical controls), determining the extent of risks associated with the proposed vendor relationship, authoring risk assessments, and designing, recommending and enforcing mitigating controls.
  • Respond promptly to customer security assessments/questionnaires while ensuring controls are described in a manner consistent with the Information Security Program.
  • Assist with the development and maturation of security policies, procedures, and standards, consistent with security certifications and frameworks (e.g., ISO 27001, SOC2).
  • Engage in cross-functional oversight to ensure that certification standards are followed and that associated policies, procedures and standards are complied with.
  • Schedule and facilitate penetration testing of infrastructure and applications. 
  • Assess vulnerabilities, associated controls and related risks to inform remediation plans.
  • Create and manage remediation plans for vulnerabilities, working cross-functionally to see remediations through to completion.
  • Prepare for internal, external and certification audits of the Information Security Program by organizing requests, gathering evidence and authoring responses. 
  • Function as an ambassador to the business for security policy/procedure updates and Security Awareness Program in furtherance of the Information Security Program.
  • Manage the Security Awareness Program and training content, including the phishing simulation component, using an industry-leading toolset.
  • Document evidence during an incident or event investigation and remediation.
  • Design, compile, and report metrics of the Information Security Program, including KRI/KPI.

What You Bring to Reify Health

  • 2+ years of experience in a dedicated security role in a HIPAA or other regulated environment (e.g., GLBA, PCI, GDPR).
  • Experience with vendor management and technical risk assessment methodologies.
  • Familiarity with information security frameworks (e.g., ISO 27001, NIST, FISMA, SOC2).
  • Security Certification is a significant plus (e.g., CISSP, CySA+, CompTIA Security+).
  • Technical background sufficient to understand Cloud systems, networks, modern web applications and related vulnerabilities, and to describe and weigh associated risks.
  • Understanding of the following topics as they relate to security policy, procedure, and enforcement: data classification, change management, asset management, business continuity, disaster recovery, incident response, penetration testing, vulnerability management, secure development lifecycle, source control, and endpoint protection.
  • Clear and concise writing style with excellent verbal communication and listening skills.
  • Ability to think critically and pragmatically while seeing tasks through to completion.

We value diversity and believe the unique contributions each of us brings drives our success. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.

Note: We are unable to sponsor work visas at this time.

More Information on OneStudyTeam
OneStudyTeam operates in the Biotech industry. OneStudyTeam was founded in 2012. It has 300 total employees. It offers perks and benefits such as Friends outside of work, Eat lunch together, Intracompany committees, Daily sync, OKR operational model and Team based strategic planning.