Information Security Governance Risk and Compliance Analyst II
Job Description
GoHealth Intro: As a leader in the health insurance marketplace, GoHealth’s mission is to improve access to healthcare in America. For customers, enrolling in a health insurance plan is confusing and difficult, and seemingly small differences between plans can lead to significant out-of-pocket costs or lack of access to critical medicines and even providers. We use our technology, agents, and expertise to cut through the confusion and get customers enrolled in a plan with the right coverage and benefits.
Why Apply: GoHealth has established a culture where our employees feel empowered, engaged, and inspired. We are looking for builders who will contribute to the long-term health of the company. We also understand that you may not check every box in our requirements list; most applicants don’t! In fact, frequently cited statistics show that women and underrepresented groups apply to jobs only if they meet 100% of the qualifications. GoHealth encourages you to break that statistic and to apply today!
About the role: The Analyst for Information Security Governance, Risk, and Compliance (GRC) is responsible for assessing and documenting the company’s compliance and risk levels as they relate to its products and supporting information assets.
The purpose of this position is to provide skilled technical and information security risk experience to drive the maturation of information security risk management and compliance programs. Responsibilities require technical and program-building experience and include ensuring effective full-stack security analysis, standards and testing, risk assessment, and compliance reviews. The goal is to provide risk and compliance visibility at the product level, within each GoHealth solution stack. This role reports to the Lead GRC Analyst of GoHealth based in Chicago, IL. The GRC analyst interacts with leadership on a regular basis; strong communication skills and experience in managing programs are essential.
What you’ll do:
- Support the development and implementation of the system-wide risk management function of the information security program, to ensure information security risks are identified and monitored
- Provide visibility into risk at the product level
- Knowledge of applicable US laws and regulations as they relate to Information Security and the effective management of Information Security Risks.
- Assess contractual and regulatory compliance at the business level
- Internally assess, evaluate, and make recommendations to management regarding the adequacy of the security controls for systems supporting business solution stacks and associated products.
- Develop and implement effective and reasonable procedures and practices to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation.
- Must be able to assess computer hardware, software, and cloud-based systems for security risks and compliance violations and work with internal customers to review and assess solutions.
- Must have a strong customer service orientation and the ability to project that attitude to business and technology stakeholders.
- Liaise with policy and standards workgroup and business stakeholders to advise on language related to information security risk and compliance requirements.
- Conduct information security risk assessments; assess and document control deficiencies; identify and report on gaps and opportunities to automate processes & procedures.
What we’re looking for:
- Minimum of 3 years’ experience working in an information security risk & compliance management program.
- Solid understanding of the NIST CSF
- Strong demonstrated knowledge of enterprise systems, cloud solutions, and associated IT/security technologies.
- Strong knowledge of information security risk management frameworks and compliance practices, specifically the NIST SP 800-37 Rev. 2 Risk Management Framework
- Experience with Information Security risk analysis
- Understanding of common compliance regulations (e.g., HITRUST, HIPAA, SOX IT, SOC1, SOC2)
- Understanding of key cloud security architecture principles, as well as appropriate enterprise data handling practices
- Understanding of CIS Cloud Security Benchmark guidelines
Benefits and Perks:
- Open vacation policy, because work-life balance is important
- 401k program with company match
- Employee Stock Purchase Program
- Medical, dental, vision, and life insurance benefits
- Paid maternity and paternity leave
- Professional growth opportunities
- Generous employee referral bonuses
- Employee Resource Groups
- Work from Home Stipend
- GoHealth is an Equal Opportunity Employer
Education
- Bachelor’s degree in computer science, CIS, Engineering, Cybersecurity, or related field (or equivalent work or military experience in a related field)
Certifications
- CISSP
- CRISC
Location: Onsite/Hybrid
Date Posted
06/08/2023