At Two Chairs, we’re building a world where everyone has access to exceptional mental health care. We’ve brought together a remarkable team at the intersection of clinical care, design, and technology to change the way people find therapists who can help them.  We’re united by our personal experiences with the mental health care system and a desire to build a better one for everyone. With that, we’re excited and honored to have been recognized as a 2024 Great Place to Work and one of the 2023 Bay Area Best Places to Work.

Diversity, equity, and inclusion are the principles guiding how we build our business and teams. We encourage interested candidates from diverse backgrounds to apply even if they don’t think they meet every expectation of the role.

Our Perks and Benefits:

To support you at work, we offer some fantastic perks and benefits that reflect our mission of self-care and support, including:

• Equity in a high-growth start-up 
• PTO program, including a Winter Office Closing: Christmas Day (Observed)  through New Year’s Day
• Comprehensive medical, dental, and vision coverage
• One-time $200 Work from Home reimbursement 
• Annual $500 professional development stipend to support your professional development
• Annual $500 subsidized company contribution to your healthcare FSA
• Annual $500 wellness stipend to encourage and support a well-rounded and healthy lifestyle
• Paid parental leave

About the role

The Staff InfoSec Analyst, GRC is critical to the success of Two Chairs’ goals to protect our clients’ data and secure our clinicians’ workflows. In this position, you will work closely with compliance, IT, Product Development teams, and various teams to promote industry security best practices; and ensure that Two Chairs’ security policies and procedures are maintained and comply with all internal and external regulations and requirements. Your clear communication will be crucial as you explain security trade-offs and create practical solutions to manage risks effectively for our clients, clinicians, and our organization overall.

You bring a proactive, self-motivated attitude, combined with curiosity and practicality that effectively handles and minimizes application and infrastructure security risks. Our team appreciates diverse work styles, recognizing both the impact of taking initiative and the insight of deliberate decision-making

You’ll be responsible for driving risk assessment and mitigation efforts across Two Chairs, partnering with clinical leadership, compliance, and IT teams on policy creation, review, and updates, and developing procedures to ensure compliance with relevant regulations and industry standards. In addition, this role will be responsible for helping Two Chairs’ obtain and maintain compliance certifications such as the SOC 2 Type II, ISO, HIPAA, etc.

Core Areas of Responsibility

Governance Risk and Compliance: 70%

• Analyze and develop information security governance, including organizational policies, procedures, standards, baselines, and guidelines with respect to information security and the use and operation of information systems
• Develop and implement security controls, and risk assessment framework that align with HIPAA
• Evaluate risks and develop security standards, procedures, and controls to manage risks
• Drive internal audits to assess compliance and partner with key stakeholders such as security, legal, and HR to identify areas for improvement
• Working cross-functionally to help Two Chairs get SOC2 Type II, ISO 27001, ISO, HIPAA, and other certifications that entice confidence in our clients and clinicians

IT Security: 10%

• Perform email security and phishing audits
• Perform IT risk assessments, identify vulnerabilities, and work closely with technical teams to ensure that risks are mitigated appropriately

Vendor Security Review: 10% 

• Perform security assessments on third-party vendors and integrations
• Respond to security assessments, questionnaires, and audits from payers/health plans

Training/Education: 10%

• Develops and administers, or provides advice, evaluation, and oversight for, information security training and awareness programs

Impact and Success Indicators 

Where you’ll make an impact in the first 90 days:

• SOC2 Type2 Assessment and Readiness

 Where you’ll make an impact in the first year:

• Two Chairs SOC2 Certification
• First Penetration Test successfully completed
• Develop TwoChairs Security Policies

 You’ll be successful if you have:

• Proven experience working in a GRC role, preferably in the healthcare industry
• Strong understanding of risk management methodologies and best practices
• Professional experience conducting security assessments: SOC2, HITRUST, ISO 27001
• Familiarity with privacy regulations like CCPA, and GDPR
• Certified Information Systems Security Professional (CISSP), Certified Information Security Auditor (CISA), Certified Information Security Manager (CISM), or other relevant training and certifications are preferred
• Experience with GRC Platform tools  like Vanta or Drata
• Strong leadership abilities with the capacity to influence and drive change within the organization
• Strong communication skills.
• Experience with HIPAA

Please stay alert to protect yourself from sophisticated job scams during the recruiting process.

Only emails that come from twochairscareers.com or twochairs.com are legitimate recruiting messages. Our People Team will not send emails from other domains, or message you using WhatsApp or text messaging in the initial stages. We conduct all interviews by phone or Google Video, and we will never ask you for money or to download software.

More tips from the FTC to avoid job scams: https://www.consumeraffairs.com/news/ftc-offers-tips-on-avoiding-job-scams-041321.html

 #LI-Remote #LI-AS1 

All applicants must be authorized to work for ANY employer in the U.S. We are unable to sponsor or take over sponsorship of an employment Visa at this time.