Overview

Fred Hutchinson Cancer Center is an independent, nonprofit organization providing adult cancer treatment and groundbreaking research focused on cancer and infectious diseases. Based in Seattle, Fred Hutch is the only National Cancer Institute-designated cancer center in Washington.

With a track record of global leadership in bone marrow transplantation, HIV/AIDS prevention, immunotherapy and COVID-19 vaccines, Fred Hutch has earned a reputation as one of the world's leading cancer, infectious disease and biomedical research centers. Fred Hutch operates eight clinical care sites that provide medical oncology, infusion, radiation, proton therapy and related services, and network affiliations with hospitals in five states. Together, our fully integrated research and clinical care teams seek to discover new cures to the world's deadliest diseases and make life beyond cancer a reality.

At Fred Hutch we value collaboration, compassion, determination, excellence, innovation, integrity and respect. These values are grounded in and expressed through the principles of diversity, equity and inclusion. Our mission is directly tied to the humanity, dignity and inherent value of each employee, patient, community member and supporter. Our commitment to learning across our differences and similarities make us stronger. We seek employees who bring different and innovative ways of seeing the world and solving problems. Fred Hutch is in pursuit of becoming an anti-racist organization. We are committed to ensuring that all candidates hired share our commitment to diversity, anti-racism and inclusion.

The GRC (Governance, Risk, and Compliance) Engineer is responsible for participating in the information security program to ensure that information assets and associated technology, applications, systems, infrastructure, and processes are adequately protected. The GRC engineer is responsible for identifying, evaluating, and reporting on information security risk to information assets. The GRC engineer will proactively work with business units and partners to assess and design controls to reduce information security risk. The GRC engineer should understand and articulate the impact of information security controls on the business and be able to communicate this to stakeholders. The GRC engineer must be knowledgeable about both internal and external business environments and ensure that information systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory, and contractual obligations.

Responsibilities

Governance and Awareness

• Assist in managing a targeted information security awareness training program for all staff and affiliates; establish metrics to measure the effectiveness of this security training program for the different audiences.
• Understand and interact with other business units to ensure the consistent application of policies and standards across all technology projects, systems and services, including risk management and compliance.
• Provide clear risk mitigating directives for projects with components in IT, including the mandatory application of controls.

Operations

• Participate in a risk-based process for the assessment and mitigation of any information security risk in the organization (including vendors, business partners and other third parties).
• Assist in managing a governance, risk, and compliance platform to facilitate risk management and incident management.
• Facilitate the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of remediation efforts.
• Consult with project managers to ensure that security is embedded in the project delivery process by providing the appropriate information security policies, practices, and guidelines.
• Act as a member of the IIRP during information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the organization's reputation.
• Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate courses of action.
• Facilitate periodic security compliance reviews and audits of on-premises and hosted environments, including AWS and Azure.
• Maintain compliance documentation, including managing and tracking policy exceptions.
• Assist in managing security awareness training.
• Assist in the assessment and review of new and existing technology infrastructure to ensure adequate levels of control are in place to address identified risks and develop risk mitigation techniques and processes when necessary.
• Assist in the development and ongoing oversight of a robust vulnerability management program.
• Conduct risk assessments on business and IT operational processes, procedures, and policies; interpret audit results and make conclusions on the adequacy and reliability of controls; prepare and present reports, as necessary.
• Stay informed about current security and privacy laws and provide guidance to the team when evaluating new projects; and perform other duties as assigned.

Qualifications

Required:

• Bachelor's degree or equivalent work experience in a technical discipline related to Information Technology
• Minimum 7 years hands-on information security experience, including experience conducting technical and non-technical risk assessments
• Strong knowledge of information security risk management and information security technologies (e.g. SIEM, vulnerability management, data loss prevention, and/or endpoint protection)
• Proven track record and experience interpreting information security policies and procedures and successfully communicating with non-security workforce.
• Excellent interpersonal skills, presentation skills, and verbal / written communication skills
• Understanding of compliance and regulatory requirements such as HIPAA and PCI
• Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework
• Organized, responsive, and thorough problem solver
• Ability to work collaboratively with a broad range of staff
• High degree of initiative, dependability, and ability to work with little supervision while being resilient to change
• Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
• High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity

Preferred:

• Experience hardening/securing virtualization technologies, databases, and operating systems (Windows/Linux) utilizing industry best practices
• Knowledge of networking concepts (routing, switching, VLANs, ACLs), systems administration or development.
• Familiarity with information security policies, standards, industry best practices, and frameworks. (ISO 27K, NIST 800-53, CIS, HITRUST, etc.)
• General information security certification (e.g., CISSP, CISA, etc.)
• Experience with Infrastructure as a Service (IaaS), such as AWS or Azure
• Knowledge of industry best practices related to security concepts

This position is patient facing and/or requires access to Fred Hutch clinical facilities. As such, full COVID-19 vaccination is required as a condition of employment, without exception. Booster doses are strongly recommended but not required. If declining a booster, completion of the COVID-19 Vaccination Status Form Questionnaire and COVID-19 Booster Declination Training is required. Because of our immunocompromised patient population, there are no medical or religious accommodations available for any employee who is patient facing and/or requires access to Fred Hutch clinical facilities. Only employees whose positions are fully remote, who are not patient facing and/or require no access to clinical facilities, may apply for medical or religious accommodations. As a condition of employment, newly hired employees must provide proof of vaccination before their first day of employment.

A statement describing your commitment and contributions toward greater diversity, equity, inclusion, and antiracism in your career or that will be made through your work at Fred Hutch is requested of all finalists.

The annual base salary range for this position is from $106,427 to $168,223 and pay offered will be based on experience and qualifications.

Fred Hutchinson Cancer Center offers employees a comprehensive benefits package designed to enhance health, well-being, and financial security. Benefits include medical/vision, dental, flexible spending accounts, life, disability, retirement, family life support, employee assistance program, onsite health clinic, tuition reimbursement, paid vacation (12-22 days per year), paid sick leave (12-25 days per year), paid holidays (13 days per year), paid parental leave (up to 4 weeks), and partially paid sabbatical leave (up to 6 months).

Our Commitment to Diversity

We are proud to be an Equal Employment Opportunity (EEO) and Vietnam Era Veterans Readjustment Assistance Act (VEVRAA) Employer. We are committed to cultivating a workplace in which diverse perspectives and experiences are welcomed and respected. We do not discriminate on the basis of race, color, religion, creed, ancestry, national origin, sex, age, disability (physical or mental), marital or veteran status, genetic information, sexual orientation, gender identity, political ideology, or membership in any other legally protected class. We are an Affirmative Action employer. We encourage individuals with diverse backgrounds to apply and desire priority referrals of protected veterans. If due to a disability you need assistance/and or a reasonable accommodation during the application or recruiting process, please send a request to our Employee Services Center at hrops@fredhutch.org or by calling 206-667-4700.