Director, Governance, Risk & Compliance Remote GA

Job Description: The Director, Governance, Risk & Compliance leads a team of analysts to build and maintain an effective GRC program at NextGen Healthcare. The ideal candidate will collaborate closely with the rest of the Information Security department, along with Product, R&D, and Engineering teams to define and partner on appropriate security controls across NextGen products and systems, including NextGen SaaS offerings and platforms. This team will also have responsibility for NextGen Healthcare’s Security Governance and various regular Certification cycles and partnering with Legal on Information Security related contracts and requirements.

• Establish IT audit procedures relevant to HITRUST/HIPAA, ISO 27001, SOC 2, and other data protection or privacy-related regulations
• Provide governance and security oversight around the company’s adoption and use of AI, LLMs, and other generative-AI capabilities
• Evaluate and test the design and operating effectiveness of technical and administrative security controls
• Maintain and manage the Third-Party Risk Management program and integration with Vendor and Customer related Security obligations, requirements, and contractual agreements
• Work closely with the CISO to develop and implement strategies for governance and compliance related to corporate-wide security initiatives
• Design and implement data protection policies, process and procedures to align with HIPAA and Information Security policies, especially for cloud-hosted data environments and customer data handling throughout the development lifecycle
• Implement and manage an Identity Governance Program to ensure appropriate authorization to key resources, including the development of a Role Based Access Control and Role Review process.
• Develop training programs and FAQs related to data protection, privacy and secure data handling procedures
• Provide oversight and guidance for periodic security assessments to ensure compliance with information security policies and established security controls
• Develop metrics and compliance dashboards to measure progress for security initiatives and communicate team accomplishments and the effectiveness of audited security controls and processes
• Maintain and mature the Risk Register, Policy Exception Tracking, and Security Dashboard processes, standards, and components
• Ensure applications, networks, systems, cloud services, people, and process are assessed, monitored and audited in accordance with security controls related to SOC 2, ISO 27001, HITRUST/HIPAA and the corporate Information Security Policy
• Work closely with cross-functional teams to ensure security controls have been designed effectively and are working as intended
• Identify control deficiencies and weaknesses and recommending remediation plans for improvements
• Create, manage and hold staff accountable for corrective action plans (CAPs)
• Implement a process for continuous improvement of IT controls
• Work with internal and external resources to conduct and manage an assessment program for compliance requirements, including auditing and monitor privileged access to critical information systems; authentication and authorization processes; change control processes and IT operations processes
• Work closely with the Engineering teams to automate monitoring and auditing to reduce manual effort required for compliance activities
• Develop communication plans for executive-level reporting
• Lead the team in the development and evolution of security roadmaps, embodiment of strategic plans, understanding controls and process gaps, providing architectural vision, and enabling the larger information security team.
• Hire, grow and retain team members to expand the team and its capabilities within the organization.
• Perform assessments of security tools, vendors, and solutions to support information security roadmap initiatives
• Act as an advocate for mentoring and technical career growth in the information security organization
• Act as a liaison with other internal NextGen teams or driving new capabilities, product investments, and research to fill coverage gaps.
• Provide assistance and guidance to Sales and Support teams across various customer engagements.
• Regularly provide key performance and risk indicator metrics for management visibility into the status, health, and maturity of the Information Security Program at NextGen. Education Required:
• Bachelor’s degree in Computer Science, Programming, Engineering, or similar field.
• Or, any combination of education and experience which would provide the required qualifications for the position. Experience Required:
• 4+ years of experience in Information Security with an emphasis on IT audit, IT risk management and/or IT compliance.
• Prior experience with managing a GRC team.
• Extensive background in information security services and operations and the people, process, and technology components.
• Significant experience in fulfilling business needs through the development of solutions through well-organized processes.
• Experience in client-facing discussions with new and existing customers to discuss security controls and implementations.
• Significant Service Management and or vendor management experience. License/Certification Required:
• Appropriate certifications a plus. Knowledge, Skills & Abilities:
• Knowledge of: Knowledge of technical security control environments and compliance frameworks including CSA CCM, ISO 270001 and SOC 2, HITRUST/HIPAA and GDPR.
• Skill in: Excellent analytical, technical and internal audit skills. Excellent organizational and documentation skills. Strong project management skills highly desired.
• Ability to: Proven ability to manage priorities & deadlines and to work independently in a highly dynamic and diverse environment with multiple concurrent projects happening simultaneously. The company has reviewed this job description to ensure that essential functions and basic duties have been included. It is intended to provide guidelines for job expectations and the employees ability to perform the position described. It is not intended to be construed as an exhaustive list of all functions, responsibilities, skills and abilities. Additional functions and requirements may be assigned by supervisors as deemed appropriate. This document does not represent a contract of employment, and the company reserves the right to change this job description and/or assign tasks for the employee to perform, as the company may deem appropriate. NextGen Healthcare is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. Apply tot his job

Apply tot his job Apply To this Job