
Sr Program Manager - Governance, Risk & Compliance


United States (Remote)

Job Type

Full Time

Application Deadline

April 13, 2024

About the Role

  • Develop an understanding of HealthEquity business processes and systems to support the Security GRC team.
  • Conduct comprehensive risk assessments and vulnerability analyses to identify potential security risks and recommend appropriate mitigation strategies. This will require leading and influencing cross-functional teams and stakeholders at all levels of the company.
  • Guide external assessors in conducting NIST CSF, HITRUST, PCI DSS, FedRAMP, and other assessments. Act as a liaison between assessors and internal teams to ensure clear communication and timely completion of evidentiary requests. Participate in control walkthroughs, assist in gathering audit evidence requests, and coordinate follow-up requests. Oversee exception remediation and monitoring.
  • In conjunction with the Attack Surface Management and Vulnerability Management teams, plan and support penetration tests, vulnerability scans, and remediation actions required by compliance programs, including PCI DSS and FedRAMP.
  • Develop and implement security metrics and key performance indicators (KPIs) to measure the effectiveness of security controls, risk mitigation strategies, and compliance efforts. Regularly analyze and report on security metrics to senior management, identifying trends, areas for improvement, and actionable insights.
  • Lead and support information-gathering efforts related to HealthEquity’s complex data environment and apply new or changing security practices to new and existing processes and controls.
  • Manage the identification and rollout of scalable, innovative technologies to support security governance, including developing usage policies and guidelines, audit, and control processes.
  • Maintain “auditor-ready” toolkits for responding to audits, assessments, and regulator inquiries.
  • Drive continuous improvement efforts by identifying opportunities for enhancing security governance, risk management, and compliance practices.


  • Bachelor’s degree with a focus on information security, information technology, or a related discipline is preferred.
  • 5+ years of professional experience in a role involving Information Security GRC, IT Compliance, IT Audit, legal, or privacy, preferably in a technology setting or highly regulated industry.
  • Experience with O365 applications (Word, PowerPoint, Excel).
  • Additional education or certification preferred but not required, e.g. CIPP or CIPM, CDPSE, CISSP, CISM, CISA, CCSA.
  • Experience interacting and working directly with, or for, internal and external business partners.
  • Able to work collaboratively in a fast-paced technology environment, where willingness to learn and adapt is critical.
  • At least one certification from ISO 27001 Lead Auditor, CISA, HIPAA Expert, or SOX Expert Certification (preferred), or applicable project management certifications.
  • Strong knowledge of at least one industry standard or best-practice framework, such as SOC 1, SOC 2 Type II, ISO/IEC 27001 certification, HIPAA compliance, HITRUST, and PCI DSS.
  • Strong exposure to and knowledge of information technologies and IT security best practices.
  • Strong working experience establishing information security risk management, governance, compliance, and audit programs in different regions and business units from scratch, and bringing them to maturity over the next 2 years.
  • Ability to work autonomously or as part of a team, within targets and deadlines.
  • Excellent written and verbal communication skills.
  • Experience influencing others to take action.

About the Company

HealthEquity is a leading administrator of Health Savings Accounts (HSAs) and other consumer-directed benefits—FSA, HRA, COBRA, and Commuter. Benefits advisors, health plans, and retirement providers partner with us to help over 13 million members work toward long-term health and financial wellbeing. Visit to see our intuitive technology and remarkable service in action.
