Governance Risk & Compliance Analyst

Who We Are:

PE-backed start-up, DoseSpot is a dynamic and innovative leader in the electronic prescribing software market, and its subsidiary, pVerify, is an industry leading insurance verification solution. We are on a hyper-growth curve at the intersection of the software and healthcare industries. We need great team members to capitalize on these opportunities and improve the healthcare experience for patients and doctors alike. DoseSpot and pVerify have an exciting opportunity to join a fun and growing team, benefit from strong market tailwinds, and be part of an exciting opportunity to ensure mission-critical prescriptions and verifications are delivered on time and without error.

The Role:

As the Governance Risk & Compliance (GRC) Analyst, you will be a critical force in operationalizing and evolving DoseSpot’s security and compliance programs. You’ll collaborate cross-functionally to drive alignment and industry frameworks, proactively manage risk, and build scalable processes that keep us audit-ready and patient data secure. You’ll own day-to-day of compliance operations – from SOC 2 and HITRUST audits, to refining third-party risk assessments, to supporting the transformation of DoseSpot’s compliance program.

We welcome applicants from all U.S. time zones, though we have a preference for those based in Central or Eastern time zones.

What You'll Do:

• Managed risk and vulnerability assessments, validation testing, compliance reviews, and audit in accordance with both NIST and HITRUST standards.

• Manage and support SOC2 and HITRUST audits.

• Conduct and manage recurring risk and vulnerability assessments, control validation, and compliance reviews aligned to NIST, HITRUST, HIPAA, and ISO 27001.

• Lead end to end SOC2 and HITRUST audits, including readiness assessments, evidence collection, gap remediation, and audit response.

• Proactively manage audit timelines and ensure completeness and accuracy of submissions using GRC tools such as Drata and Vanta.

• Promote widespread implementation of HITRUST and NIST based controls across security, engineering, and business operations.

• Maintain an organized, audit-ready repository of evidence and artifacts through GRC platforms.

• Inform stakeholders of risk management concerns.

• Translate risk and compliance insights into clear, actionable updates for security, IT, product, and legal teams.

• Manage the development, maintenance, and version control of security policies and standards ensuring compliance with emerging regulations and company practices

• Support vendor due-diligence process and help to lead and define the overall third-party risk management (TPRM) efforts.

What You'll Bring:

• Bachelor’s degree in information security or related field.

• 5+ years of experience in information security, with an emphasis on risk and compliance.

• At least 3+ years of experience managing SOC2 and HITRUST audits

• Thorough understanding of regulatory and compliance requirements, including HIPAA

• Familiarity with ISMS and security frameworks, including NIST, HITRUST, ISO27001

• Knowledge of identity management standards, storage, and disaster recovery in the cloud.

• Knowledge of GRC tools and best practices, including solutions such as Vanta, Drata, OneTrust

• Proven track record of organizing and carrying out several risk and compliance projects independently.

• Ability to manage third-party audits and organize audit responses in detail proactively.

• Effective written and verbal communication skills and capability to communication and collaborate with cross-functional teams

• CISA, CISM, CRISM, or CISSP certifications are preferred, but not required.

You Will Enjoy This Role If:

• You like to be hands on and work with GRC tools to better automate and operationalize GRC programs.

• You enjoy collaborating with teams on risk management.

DoseSpot is an Equal Employment Opportunity/Affirmative Action employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, age, national origin, protected veteran status, disability status, sexual orientation, gender identity or expression, marital status, genetic information, or any other characteristic protected by law.