TherapyNotes, LLCRemote
GRC Engineer
United States of America
Full Time
4 days ago
$100,000 - $140,000 USD
H1B Sponsor Likely
Key skills
Governance RiskCompliance (GRC)Risk AssessmentsPolicy ManagementThird-Party Risk Management (TPRM)Security Compliance Frameworks SOC 2Security Compliance Frameworks ISO 27001Security Compliance Frameworks HIPAASecurity Compliance Frameworks NISTSecurity ControlsSecurity EngineeringScriptingProgramming PythonProgramming GoCloud Platforms AWSCloud Platforms AzureCloud Platforms GCPInfrastructure as Code TerraformInfrastructure as Code CloudFormationAPI IntegrationAutomation PipelinesContinuous Control Monitoring (CCM)GRC Automation PlatformsPolicy-as-Code ToolsSecurity InformationEvent Management (SIEM)Security Orchestration AutomationResponse (SOAR)Security Telemetry SystemsAudit Evidence SystemsCertifications CISSPCertifications CISMCertifications CRISCCertifications Cloud SecurityPythonGoAWSAzureGCPTerraformCloudFormationRisk ManagementCloud Security
About this role
TherapyNotes is a leading provider of behavioral health Practice Management and EHR software, dedicated to innovating and enhancing patient care. The GRC Engineer role involves executing core GRC functions and designing automated solutions to improve and modernize risk management processes.
Responsibilities:
- Conduct third-party risk assessments (TPRM), including vendor reviews, security questionnaires, and risk evaluations
- Maintain and update security policies, standards, and procedures
- Support compliance initiatives across frameworks (SOC 2, ISO 27001, HIPAA, NIST, etc.)
- Perform internal risk assessments, control testing, and gap analyses
- Identify manual, repetitive GRC processes and design automated solutions
- Build and maintain automated evidence collection (via APIs, scripts, and integrations)
- Implement continuous control monitoring (CCM) to replace point-in-time audits
- Translate compliance requirements into technical controls and system configurations
- Validate control effectiveness through automated testing and monitoring
- Enable real-time or near-real-time risk visibility through dashboards and reporting systems
- Work with Security Engineering to continuously audit configurations and remediate drift programmatically
- Build scalable workflows for vendor risk assessments, re-assessments and tracking
- Integrate vendor data into centralized risk systems
- Automate intake, review, and monitoring processes for third-party security posture
- Develop self-service audit evidence systems and dashboards
- Partner with auditors to provide API-driven or system-generated evidence
Requirements:
- Bachelor's degree in Computer Science, Engineering, or related field (or equivalent experience)
- 3-6+ years in security engineering, GRC, GRC engineering, or cloud security roles
- Strong experience with scripting/programming (Python, Go, or similar)
- Hands-on experience with cloud platforms (AWS, Azure, or GCP)
- Familiarity with Infrastructure as Code (Terraform, CloudFormation, etc.)
- Deep understanding of security controls and how they map to compliance frameworks
- Experience integrating APIs and building automation pipelines
- Experience with policy-as-code tools
- Experience with GRC automation platforms
- Familiarity with SIEM, SOAR, and security telemetry systems
- Experience building internal tools or platforms for compliance and risk management
- Certifications such as CISSP, CISM, CRISC, or cloud security certifications