Responsibilities
- Third-Party Risk Management (TPRM): Oversee the security risk lifecycle for IT suppliers and applications (SaaS, on-prem, clinical and commercial systems). Evaluate security attestations (SOC 2, ISO 27001), credentials, and evidence to report supply-chain risk posture.
- Sustained Compliance (SOX/ISO): Lead continuous monitoring of IT General Controls (ITGCs) to ensure SOX 404 readiness and ongoing compliance. Partner with Finance, Legal, and IT to map controls across ISO and regulatory frameworks, minimizing redundant testing.
- Audit Management & Execution: Serve as primary lead/point of contact for external and internal IT audit cycles (e.g., year-end SOX testing). Manage evidence collection, coordinate walkthroughs, and ensure timely remediation of deficiencies.
- Data Privacy Liaison: Ensure IT systems and third-party vendors comply with GDPR, CCPA/CPRA, and HIPAA. Conduct Privacy Impact Assessments (PIAs) for new systems handling sensitive patient/employee data.
- Risk Assessment & Remediation: Perform IT risk assessments for internal systems and third-party ecosystems. Maintain the IT Risk Register and track mitigation strategies to completion.
- Policy & Governance: Develop and maintain information security policies, standards, and SOPs for consistent IT service delivery, commercial readiness, and audit readiness.
- Cross-Functional Collaboration: Act as primary IT GRC liaison to Quality Management; coordinate integrated risk reporting so IT ISO/SOC 2 vetting complements clinical/GxP quality auditing.
Qualifications / Required Skills
- Bachelor's degree in information systems, computer science, or related field; Master's preferred.
- 4 to 6 years in IT risk, audit, or compliance; minimum 3 years focused on information security.
- Core certifications strongly preferred: CISA, CRISC, CTPRP, or CISM (if not held, obtain within 9 to 12 months).
- Proficiency with GRC platforms (e.g., OneTrust, ServiceNow) and security rating services (e.g., BitSight, Black Kite).
- Experience with continuous monitoring and integrating tools (e.g., CrowdStrike) into a vendor risk lifecycle.
- Ability to sustain a high volume of accurate communication with internal stakeholders and external auditors, and to maintain sustained concentration during risk analysis.
- Minimal travel (<10%), primarily for on-site vendor audits or team offsites.
Preferred Skills / Knowledge
- Understanding of life sciences regulations (GxP, 21 CFR Part 11) and/or privacy frameworks (GDPR, CCPA).
- Direct experience implementing/maturing SOX (ITGC) and ISO 27001 in a regulated biotech/life sciences environment.
- Strong documentation/evidence rigor for audit defensibility.
- Proven record liaising with internal/external auditors and resolving cross-functional issues; ability to negotiate security remediation with third parties.
Application
- Applications accepted on a rolling basis until the position is filled.