Project Manager II, Governance, Risk & Compliance

Job Description:

The Project Manager II, Governance, Risk & Compliance will manage Governance, Risk & Compliance (GRC) projects and initiatives to help drive continuous improvements in NextGen's security GRC.

• Manage projects related to Governance, Risk and Compliance (GRC) processes. This includes, but not limited to: including phishing campaigns, cybersecurity awareness training, Data Subject Access Request (DSAR), HITRUST and SOC 2 recertification, data classification, Data Loss Prevention (DLP), Role Based Access Control (RBAC), etc.
• Apply basic project management principles from Project Management Body of Knowledge (PMBOK) to manage project life cycle including project requirements, tasks, resources, risks, schedules, and budget.
• Work with IT partners to integrate GRC value-add into their secured software development life cycle, software engineering, infrastructure, network, and operation needs.
• Maximize the utilization of GRC and IT / Security tools and technology.
• Facilitate the collaboration of GRC efforts with key departments such as Legal / Privacy, HR, IT, Product, etc. to forge alignments.
• Assist with the development of GRC policies and procedures.
• Stay current with changes in GRC regulations, industry frameworks, and best practices, and maintain NextGen mapping and compliance of those.
• Streamline or automate NextGen methodology for maintaining accreditations or certifications (e.g., SOC 2, HITRUST, etc.).
• Streamline or automate NextGen methodology for responding to customer security assessments or questionnaires.
• Lead risk management redesign initiative. May occasionally perform risk assessments, and maintain the security risk register.
• Lead Third Party Risk Management (TPRM) efforts and make improvements to the TPRM processes.
• Host inspection and assessments by customers, partners, and regulators.
• Work with NextGen IT / Security partners to leverage technology to advance the GRC efforts.
• Analyze GRC related data to produce metrics and reports to show GRC gaps and improvements.
• Perform other duties that support the overall objective of the position.

Experience Required:

• 7+ years’ project management experience managing or leading technology related projects.
• 7+ years’ experience in security GRC, IT, audit, compliance or education program that covers audit, compliance, cybersecurity, healthcare.
• Experience with one or more of the following frameworks: COSO, NIST CSF, RMF, ISO, COBIT.
• Experience working in an environment with one or more of the following: Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), Security Operation Center (SOC), Payment Card Industry (PCI), GRC
• Experience working with IT partners and adequate exposure to their areas such as SSDLC, software engineering, infrastructure, networking, service desk, desktop support, security operations, etc. This includes experience or sufficient exposure and familiarity with the tools they use.

License/Certification Required:

• Information security or cybersecurity related certifications such as CISA, CISSP, CISM, CRISC, CEH, GIAC (GCFA), or ability to acquire certification within 18 months.

Knowledge, Skills & Abilities:

• Knowledge of: HITRUST Framework and CSF certification knowledge. Governance, Risk and Compliance tools. GRC, information security, and cybersecurity principles, phishing campaigns, cybersecurity awareness and training, risk assessments, risk registers, privacy requests such as DSAR, privacy events and incidents, security and privacy frameworks, standards, guidelines, controls, federal and state security and privacy regulations and trends, current cybersecurity threats, data governance and protection, administrative, technical and physical security controls, third party risk management (TPRM).  Familiarity with IT / security processes or tools such as IRP, backups, DR & BCP, playbooks, MSP or MSSP, MDR or XDR, 24x7 SOC, endpoint security, SIEM, vulnerability scans, patching, pen testing, red/blue/purple teaming, tabletop exercises, encryption at rest and in transit, networking, firewalls, infrastructure, and colo data centers. 
• Skill in: Leading projects and initiatives, working as member of a team; communicating effectively; establishing and maintaining effective working relationships. 
• Ability to: Determine how a system should work and how changes in conditions, operations, and the environment will affect outcomes; work in a fast-paced environment; stay organized, prioritize workload, multi-task, and meet deadlines.

The company has reviewed this job description to ensure that essential functions and basic duties have been included. It is intended to provide guidelines for job expectations and the employee's ability to perform the position described. It is not intended to be construed as an exhaustive list of all functions, responsibilities, skills and abilities. Additional functions and requirements may be assigned by supervisors as deemed appropriate. This document does not represent a contract of employment, and the company reserves the right to change this job description and/or assign tasks for the employee to perform, as the company may deem appropriate.

NextGen Healthcare is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees.