Senior Engineer, IT Governance and Compliance - Third Party Certifications

Company Overview :

Cardinal Health, Inc. (NYSE : CAH) is a global healthcare services and products company. We provide customized solutions for hospitals, healthcare systems, pharmacies, ambulatory surgery centers, clinical laboratories, physician offices and patients in the home. We are a distributor of pharmaceuticals and specialty products; a global manufacturer and distributor of medical and laboratory products; an operator of nuclear pharmacies and manufacturing facilities; and a provider of performance and data solutions. Working to be healthcare's most trusted partner, our customer-centric focus drives continuous improvement and leads to innovative solutions that improve the lives of people every day. With approximately 50,000 employees worldwide, Cardinal Health ranks among the top fifteen in the Fortune 500.

Department Overview :

Information Technology oversees the effective development, delivery, and operation of computing and information services. This function anticipates, plans, and delivers Information Technology solutions and strategies that enable operations and drive business value.

Information Security and Risk develops, implements, and enforces security controls to protect the organization's technology assets from intentional or inadvertent modification, disclosure, or destruction. This job family develops system back-up and disaster recovery plans, conducts incident responses, threat management, vulnerability scanning, virus management and intrusion detection as well as completes risk assessments.

The IT Governance and Compliance function within the organization develops, enhances, and maintains security policies and IT compliance programs in alignment with regulatory, legal, and contractual requirements, while collaborating closely with key stakeholders to maintain a security and compliant technology environment.

We are committed to building a resilient, secure, and compliant digital ecosystem, and you will play a critical role in safeguarding our information and supporting our mission to improve the lives of people every day.

Job Overview :

This role is a leader position within the team and requires having an in-depth understanding of local, national and international privacy and security regulations such as HIPAA (Health Insurance Portability and Accountability Act), GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), and PCI DSS (Payment Card Industry Data Security Standard) as well as third-party certifications (e.g., HITRUST, SOC 2, ISO) available that enable in meeting those regulatory requirements.

Senior Engineer will co-lead third-party certification (e.g., HITRUST and SOC 2) program to confirm policies, standards, procedures, and audit activities are in alignment with CAH customer, business, IT, and HITRUST and SOC 2 requirements, while working with members of the Information Security and Risk Management team as well as key stakeholders throughout the enterprise such as enterprise architects, IT solution owners, training teams, etc. Success in the role will be measured by the effectiveness of the implementation and operation of HITRUST and SOC 2 program including the ability to retain all current HITRUST and SOC 2 certifications and provide guidance / advice on future certifications from cost models to balancing between compliance, risk, and business benefit.

Daily Responsibilities :

Partner with Sales, Business and IT organizations to determine third-party certifications needs and recommend best approach on obtaining and maintaining third-party certifications such as HITRUST and SOC 2 that meet the business needs, while balancing cost of compliance.

Develop and implement cost and resource models to help leadership understand funding and resource requirements to obtain and maintain third-party certifications such as HITRUST and SOC-2

Manage third-party certification Program from both build and run perspective. Some of the key responsibilities include :

Partner with HITRUST Alliance and external assessor to identify, understand and incorporate HITRUST and SOC 2 requirements into existing and future CAH certifications.

Partner with internal CAH teams to confirm there are processes in place to appropriately meet the needs of HITRUST and SOC 2 requirements, including tracking and resolution of corrective action plans.

Coordinate and manage all activities across the third-party certification program including planning, scoping, testing, reporting, and educating key stakeholders as needed to successfully obtain and maintain HITRUST certifications.

Develop and manage relevant artifacts to manage the third-party certification program (e.g., SOP, roadmap, RACI, etc.)

Build and implement metrics to report on effectiveness of the third-party certification Program

Lead and mentor team members through all third-party certification activities.

Facilitate / assist in response to security assessments and questionnaires.

Identify opportunities to streamline and automate processes to manage third-party certification programs more effectively and efficiently, while reducing the overall cost of compliance.

Effectively manage and implement changes throughout the organization.

Any other duties as assigned.

Qualifications :

Bachelor's Degree in related field or equivalent work experience

10+ years' experience in related field preferred

Prior experience leading HITRUST and SOC 2 audits in a large healthcare organization

Demonstrated leadership in driving cross-functional governance initiatives

Deep understanding of healthcare industry regulations and standards (e.g., PCI DSS, HIPAA, GDPR, NIST, HITRUST, SOC 2)

Proven experience supporting IT due-diligence and integration during M&A initiatives.

Experience building or significantly improving GRC programs within high-growth technology organizations, particularly those dealing with emerging technologies

Experience gathering and analyzing business requirements, translating them into actionable plans and technical specifications

Strong technical knowledge of enterprise IT environments (cloud, network, infrastructure, applications, data lake / data warehouse) and ability to design and implement control framework across it

Hands-on experience with GRC platforms, project management tools, and service management systems, with a focus on scaling and automating GRC processes

Experience in analyzing data and creating reports / dashboards / views to provide visibility into risk and control landscape.

Excellent analytical and problem-solving skills - able to translate technical concepts into business outcomes

Excellent communication skills (both verbal and written) - able to facilitate discussions with leaders at all levels within the organization, work in a matrixed environment to drive results, and clearly define and execute repeatable processes.

Excellent time management, active listening, meeting facilitation, and influencing skills.

Professional certifications preferred : CGEIT (Certified in the Governance of Enterprise IT), CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), CRISC (Certified in Risk and Information Systems Control)

Anticipated salary range : $123,400 - $176,300

Bonus eligible : Yes

Benefits : Cardinal Health offers a wide variety of benefits and programs to support health and well-being.

Medical, dental and vision coverage

Paid time off plan

Health savings account (HSA)

401k savings plan

Access to wages before pay day with myFlexPay

Flexible spending accounts (FSAs)

Short- and long-term disability coverage

Work-Life resources

Paid parental leave

Healthy lifestyle programs

Application window anticipated to close : 12 / 20 / 2025

• if interested in opportunity, please submit application as soon as possible.

The salary range listed is an estimate. Pay at Cardinal Health is determined by multiple factors including, but not limited to, a candidate's geographical location, relevant education, experience and skills and an evaluation of internal pay equity.

Candidates who are back-to-work, people with disabilities, without a college degree, and Veterans are encouraged to apply.

Cardinal Health supports an inclusive workplace that values diversity of thought, experience and background. We celebrate the power of our differences to create better solutions for our customers by ensuring employees can be their authentic selves each day. Cardinal Health is an Equal Opportunity / Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, religion, color, national origin, ancestry, age, physical or mental disability, sex, sexual orientation, gender identity / expression, pregnancy, veteran status, marital status, creed, status with regard to public assistance, genetic status or any other status protected by federal, state or local law.

To read and review this privacy notice click here ()