Senior Information Security Governance & Compliance Manager

Hybrid
Sorry, this job was removed at 7:35 p.m. (CST) on Friday, February 4, 2022

Invitae is dedicated to bringing comprehensive genetic information into mainstream medicine to improve healthcare for billions of people. Our team is driven to make a difference for the patients we serve. We are leading the transformation of the genetics industry by making genetic testing affordable and accessible for everyone to guide health decisions across all stages of life.

As a Senior Information Security Governance and Compliance Manager, you will identify, manage, and report on the company’s security, regulatory, and compliance obligations. Responsibilities will include performing reviews, assessments, and audits, conducting research, and facilitating communication to internal and external stakeholders where necessary. The position will monitor, coordinate, and implement policies, standards, procedures, controls, and guidelines to support security, compliance, and audit requirements.

Responsibilities:

  • Develop, review, and modify information security and privacy policies.
  • Improve existing compliance programs and processes.
  • Serve as the subject matter expert for ISO 27001, SOC 1, SOC 2, PCI DSS, and other internal compliance programs.
  • Design and execute audit procedures to assess and measure company compliance with its security policies and procedures.
  • Monitor advancements in information privacy laws to ensure organizational adaptation and compliance.
  • Evaluate security incidents for violations of privacy principles or legal standards.
  • Manage compliance testing and monitoring of current and future regulatory obligations, and other regulatory matters as required.
  • Conduct internal security risk assessments and security compliance audits.
  • Establish IT security audit procedures relevant to security frameworks and client requests.
  • Assist external auditors and conduct internal audits as required.
  • Coordinate third-party audits.
  • Develop materials and tools to effectively communicate compliance and corporate requirements.
  • Develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.
  • Collect, analyze, and prepare reports required for senior management, regulators, and other relevant stakeholders.
  • Document, investigate, and report cybersecurity compliance issues and incidents, where necessary.
  • Work with business leaders to ensure information security risk findings are reviewed and solutions are implemented.
  • Understand, develop, and deliver meaningful reports on the program state and adherence to frameworks and standards.
  • Lead the escalation and resolution of risk and compliance issues with appropriate stakeholders.
  • Liaise with relevant parties to commission activities related to contingency planning, business continuity management, and IT disaster recovery.
  • Assist the Business team in responding to RFPs and security questionnaires; maintain a library of security and compliance RFP responses.

Requirements:

  • Significant knowledge and experience with legal, privacy, and regulatory compliance standards such as SOC 2, ISO 27001, PCI DSS, HITRUST, and HIPAA.
  • The ability to work in a fast-paced environment and the skills to deal with ambiguity.
  • Experience with IT governance, risk, and compliance management.
  • Experience coordinating tasks to complete third-party assessments.
  • Experience writing policies, procedures, and controls in one or more standards/frameworks.
  • Knowledge of risk management processes, in both a compliance and security context.
  • Knowledge of cyber threats and vulnerabilities.
  • Ability to handle multiple competing priorities.

Qualifications:

  • 5+ years of experience implementing information security risk, governance, and control frameworks such as ISO 27001, SOC 1, SOC 2, and PCI DSS.
  • 5+ years of experience or familiarity with security-related activities such as penetration testing and security boundary reviews (e.g., firewall rules, AWS security groups/IAM, etc.).
  • 3+ years of proven experience working effectively with distributed teams across North America and/or India and other countries around the globe.
  • CISM or CISA
  • ISO 27001 Implementer / Auditor

Preferred Qualifications:

  • Experience successfully implementing strong DevSecOps practices
  • Detail-oriented, with experience balancing multiple tasks and deadlines
  • Ability to interact with internal and external stakeholders at executive level

Professional Skill Requirements:

  • Excellent written and verbal communication skills
  • Strong organizational skills
  • Excellent analytical, problem-solving, and decision-making abilities
  • Able to effectively prioritize tasks in a high-pressure environment
  • Ability to perform at a high level within a technical team
  • Ability to work independently with minimal supervision


At Invitae, we value diversity and provide equal employment opportunities (EEO) to all employees and applicants without regard to race, color, religion, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. We will consider for employment qualified applicants with criminal histories in a manner consistent with the requirements of the San Francisco Fair Chance Ordinance.

More Information on Invitae
Invitae operates in the Analytics industry. The company is located in Austin, TX, Colorado, CO, San Francisco, CA and Woodbridge, NJ. Invitae was founded in 2010. It has 1800 total employees. It offers perks and benefits such as Open door policy, OKR operational model, Team based strategic planning, Open office floor plan, Flexible work schedule and Remote work program.