Third Party Risk Analyst
San Francisco, CA 
Posted 13 days ago
Job Description

About Us

One Medical is a primary care solution challenging the industry status quo by making quality care more affordable, accessible and enjoyable. But this isn't your average doctor's office. We're on a mission to transform healthcare, which means improving the experience for everyone involved - from patients and providers to employers and health networks. Our seamless in-office and 24/7 virtual care services, on-site labs, and programs for preventive care, chronic care management, common illnesses and mental health concerns have been delighting people for the past fifteen years.

In February 2023 we marked a milestone when One Medical joined Amazon. Together, we look to deliver exceptional health care to more consumers, employers, care team members, and health networks to achieve better health outcomes. As we continue to grow and seek to impact more lives, we're building a diverse, driven and empathetic team, while working hard to cultivate an environment where everyone can thrive.

The Opportunity

As a Third Party Risk Analyst at One Medical, your primary focus will be assessing vendors and partners on our third party security risk management team and working as a trusted business advisor on risk and security. This is an evolving opportunity in technology compliance (GRC), with many interesting challenges ahead. The team is growing with opportunities for ownership, autonomy, innovation, and growth. You will work directly with builders and leadership across One Medical Security, IT, Product, and cross-functional partners from One Medical and Amazon Health Services (AHS) businesses and Security, as well as subject matter experts in Legal and Privacy to improve our security and compliance posture. While driven by regulations and industry standards in technology governance, we are business advisors, helping the organization by ensuring the security and privacy of our members', providers' and employees' information.

What you'll work on:

Primary Focus Areas:

  • Serve as a business liaison and advisor during the third party onboarding and reassessment process
  • Execute risk-based assessments of third parties' technology processes and control areas in a timely manner
  • Help determine the security posture and program maturity of our critical third parties
  • Work with business owners and third parties to identify and implement security improvements
  • Participate in maintaining and updating the master third party data inventory
  • Participate in improving One Medical's Third Party Risk Program

Secondary Focus Areas:

  • Design, implement, and validate compensating controls, collaborating with security, privacy, IT, and engineering teams.
  • Engage in audit readiness activities for various frameworks as they relate to the third party environment (SOC2, PCI, HIPAA, HITRUST, CCPA/CPRA, etc.).
  • Partner with the business as a trusted third party risk and security compliance advisor, providing timely and effective guidance to departments on requirements.

You'll be set up for success if you have:

  • 2+ years performing Vendor Assessments
  • 3+ years experience in technical compliance, security and/or technology/IT audit (internal, or external); or 4+ years of experience at a Big 4 in a similar role
  • Experience reading and interpreting external audit / assessment reports (HITRUST, PCI, SOC2, etc.)
  • Identified, assessed, and advised on compliance risks and controls to a variety of stakeholders and customers
  • General knowledge in some combination of Network Security, Vulnerability & Patch Management, Secure Development and Third Party Risk Lifecycle Management
  • Experience with at least one of the following: HIPAA, PCI, SOC, HITRUST
  • Ability to lead through influence and communication

Nice to haves:

  • Experience in product development or security engineering
  • Experience at an audit firm
  • Extensive hands-on experience with two or more of the following: HIPAA, PCI, SOC, HITRUST, ISO, FedRAMP, CCPA, SOX
  • Certifications such as: CISA, CISM, CISSP, CRISC, CIPP

Benefits designed to aid your health and wellness:

Taking care of you today

  • Paid sabbatical after 5 and 10 years
  • Employee Assistance Program - Free confidential advice for team members who need help with stress, anxiety, financial planning, and legal issues
  • Competitive Medical, Dental and Vision plans
  • Free One Medical memberships for yourself, your friends and family
  • Pre-Tax commuter benefits
  • PTO cash outs - Option to cash out up to 40 accrued hours per year

Protecting your future for you and your family

  • 401K match
  • Opportunity to participate in company equity programs
  • Credit towards emergency childcare
  • Company paid maternity and paternity leave
  • Paid Life Insurance - One Medical pays 100% of the cost of Basic Life Insurance
  • Disability insurance - One Medical pays 100% of the cost of Short Term and Long Term Disability Insurance

This is a full-time remote role based in the United States. One Medical is committed to fair and equitable compensation practices. The base salary range for this role is $90,400 to $161,000. Actual compensation packages are based on several factors that are unique to each candidate, including but not limited to skill set, depth of experience, certifications, and specific work location. The total compensation package for this position may also include RSUs, benefits and/or other applicable incentive compensation plans. For more information, visit


One Medical is an equal opportunity employer, and we encourage qualified applicants of every background, ability, and life experience to contact us about appropriate employment opportunities.

One Medical participates in E-Verify and will provide the federal government with your Form I-9 information to confirm that you are authorized to work in the U.S. Please refer to the E-Verification Poster and Right to Work Poster (English/Spanish) for additional information.


One Medical is an equal opportunity employer and encourages all applicants from every background and life experience.


Job Summary

Start Date: As soon as possible
Employment Term and Type: Regular, Full Time
Required Experience: 2+ years