Senior Information Security Engineering Consultant - Governance Risk And Compliance

Optum is a global organization that delivers care, aided by technology to help millions of people live healthier lives. The work you do with our team will directly improve health outcomes by connecting people with the care, pharmacy benefits, data and resources they need to feel their best. Here, you will find a culture guided by inclusion, talented peers, comprehensive benefits and career development opportunities. Come make an impact on the communities we serve as you help us advance health optimization on a global scale. Join us to start Caring. Connecting. Growing together.

Primary Responsibilities

• This role is responsible for developing, implementing, and maintaining governance, risk, and compliance (GRC) frameworks while managing third-party risk for our clients. The position ensures adherence to regulatory requirements, internal policies, and industry standards, while proactively identifying and mitigating risks associated with internal processes and external vendors
• Develop and maintain GRC frameworks aligned with organizational goals and regulatory requirements
• Perform risk assessments, maintain risk registers, and manage risk acceptance and policy exceptions
• Ensure compliance with regulatory requirements for clients and internal policies
• Monitor information security risks and drive remediation of policy exceptions
• Conduct control testing to evaluate the maturity and effectiveness of security controls (HIPAA, HITRUST, NIST 800-53)
• Define risk thresholds, implement risk frameworks, and remediate identified gaps
• Manage risk and policy exceptions through GRC platforms
• Review High and Critical risks monthly with risk owners and executive leadership
• Create executive dashboards and reports for leadership visibility into risk posture and KPIs
• Stay current on regulatory changes, security trends, and compliance requirements
• Track key risk register and policy exception metrics
• Establish a baseline of vendor risk and identify areas of potential exposure
• Design and implement a consistent Third-Party Risk Management (TPRM) program aligned with internal policy and regulatory requirements
• Conduct pre-contract due diligence and ongoing vendor risk assessments
• Develop mitigation plans and partner with internal stakeholders to monitor vendor performance post-contract
• Provide guidance to business units and sourcing teams on VRM requirements
• Maintain structured governance for vendor risk and procurement compliance
• Ensure compliance with SOC 1 and SOC 2 audit requirements
• Continually reassess operational risks and emerging threats related to vendors
• Create executive summaries with recommendations for remediation and risk disposition
• Track key vendor-related metrics
• Comply with the terms and conditions of the employment contract, company policies and procedures, and any and all directives (such as, but not limited to, transfer and/or re-assignment to different work locations, change in teams and/or work shifts, policies in regard to flexibility of work benefits and/or work environment, alternative work arrangements, and other decisions that may arise due to the changing business environment). The Company may adopt, vary or rescind these policies and directives in its absolute discretion and without any limitation (implied or otherwise) on its ability to do so
  
  

• Bachelors degree or higher level of education
• 5 + years of technical experience in Information Security
• GRC platform implementation experience (such as NAVEX Service Now, LogicGate, Rsam)
• Experience with federal cyber security standards (such as NIST 800-53)
• Experience in performing vendor & Product assessment (manual or tool-based)
• Auditing skills and the ability to manage risk assessments / projects independently
• Proven excellent communication skills both verbal and written
• Good presentation skills particularly ability to present technology elements in manner personnel can follow and act.
• Good understanding of HIPAA, HITRUST and Security Core Concepts