GRC Security Specialist (Remote)

Bay Area, CA


Curai Health

Stay healthy from home. Affordable primary care designed around you. Get healthier with a doctor who works with you every step of the way.


Our mission at Curai is to make high-quality healthcare accessible to all. We are fulfilling this audacious mission by building a virtual-first primary care service. Blending high-touch clinical care augmented with artificial intelligence, we are building a scalable primary care model that provides patients with quality care anytime, anywhere, from their mobile phones at a very affordable price. 
Our company is remote-first and we consider candidates across the United States.
Privacy & Security at Curai
Patients entrust us with their sensitive information; therefore, we consider their privacy and security an important top-level concern in everything we do. To keep the company continually focused on these service and operational goals, we are now looking for a Governance, Risk, and Compliance Security Specialist reporting to our Head of Privacy and Security.
As a GRC Security Specialist, you will streamline and maintain Curai’s security and privacy policies, monitor and maintain HIPAA compliance, manage our SOC2 Type 1 assurance to a SOC2 Type 2 report and certification, develop and maintain our vendor risk and client assurance programs, and establish our overall risk management program.

Who You Are: None of these individually are hard requirements but they do describe the type of folks that we think would be most effective and happy at Curai. You…

  • Have worked remotely before, or have a strong feeling that you'd work well with a 100% remote team, spread across multiple time zones
  • Love tackling complex problems that span multiple systems
  • Are excited to try things out to validate new features, and move on if they no longer solve a problem
  • Value breadth of knowledge as much as specialization
  • Have informed opinions that you hold lightly
  • Are excited about getting on the speeding train that is an early-stage startup
  • Enjoy thinking through trade-offs, with both mindfulness of near-term needs and Curai’s long-term strategy
  • Embrace writing concise documentation so that onboarding new team members is simple and we reduce siloed domain expertise by individuals
  • Understand what a startup is and that 1 year here is like 3-4 years in a big company. You will get to work on and launch lots of projects, and you have a learning mindset to tackle new challenges

What You’ll Do: A day in the life as a Curai GRC Specialist is spent doing things like:

  • Utilizing the continuous compliance platform, Drata, to update and maintain security and privacy policies
  • Utilizing Drata to monitor and maintain HIPAA compliance by working with various control owners throughout the company
  • Utilizing Drata to manage our SOC2 Type 1 assurance into a SOC2 Type 2 report and certification, maintaining annual renewal thereafter
  • Developing and maintaining Curai’s Vendor Risk Management program
  • Developing and maintaining Curai’s Client Assurance Program
  • Establishing and maintaining an overall governing Risk Management program
  • Participating in annual penetration testing tracking and remediation

What You'll Need: We recognize not everyone will have all of these requirements. If you meet most of the criteria below and you’re excited about the opportunity and willing to learn, we’d love to hear from you. You should have:

  • 3-5 years of experience working in security/privacy Governance, Risk, and Compliance capacities
  • One or more of the following (or equivalent) certifications: CISSP, CISA, CRISC, CISM
  • Experience and comfort with the fast pace of change and responsibility in a start-up environment
  • Ability to work and thrive with diverse cross-disciplinary teams throughout the company
  • Familiarity working in a Mac/Google Workspace environment
  • Experience in various frameworks and standards for regulatory and security compliance (PCI, HIPAA, CCPA/GDPR, ISO, HITRUST, etc.)
  • Experience working with commercial-grade GRC and/or continuous compliance platforms (such as Drata, Vanta, SecureFrame, Archer, MetricStream, Riskconnect, ZenGRC, LogicGate, etc.)
  • Strong writing and other communications skills

You Might Also Have:

  • Background in healthcare or health insurance
  • Familiarity with the application of AWS security infrastructure tools (such as AWS Inspector, AWS Key Manager, GuardDuty, CloudWatch, etc.)
  • Bachelor’s degree (Computer Science, Information Assurance, Business Management, or equivalent field)

What We Offer:

  • Culture: Mission-driven talent with great colleagues committed to living our values, collaborating and driving performance
  • Pay: Competitive compensation and stock
  • Wellness: Unlimited PTO, flexible working hours and remote working options
  • Benefits: Excellent medical, dental, vision, flex spending plans, and paid parental leave
  • Financial: 401k plan with employer matching

Curai Health is a startup with a small but world-class team, ranging from people from high-tech companies, AI researchers and practicing physicians to team members from non-traditional career paths and backgrounds. We also have research partnerships with leading universities across the country and access to medical data that facilitates research in this space. We are a highly collaborative, data-driven team, focused on delivering our mission with funding from top-tier Silicon Valley investors including Morningside, General Catalyst, and Khosla Ventures.
At Curai Health, we are highly committed to building a diverse and inclusive environment. In keeping with our beliefs and values, no employee or applicant will face discrimination or harassment based on race, color, ancestry, national origin, religion, age, gender, marital domestic partner status, sexual orientation, gender identity, disability status, or veteran status. To promote an equitable and bias-free workplace, we set competitive compensation packages for each position and do not negotiate on our offers. We are looking for teammates that are mission-driven, embody our core values, and appreciate our transparent approach.

Tags: Artificial Intelligence AWS CCPA CISA CISM CISSP Cloud Compliance Computer Science CRISC GDPR Governance HIPAA HITRUST Pentesting Privacy Risk management SOC 2 Strategy

Perks/benefits: 401(k) matching Competitive pay Flex hours Flex vacation Health care Insurance Startup environment Team events Unlimited paid time off

Regions: Remote/Anywhere North America
Country: United States