This description is a summary of our understanding of the job description. Click on 'Apply' button to find out more. Role Description The IT Security Governance, Risk & Compliance (GRC) Specialist plays a critical role in ensuring that the organization adheres to healthcare regulations, mitigates risks, and maintains a robust compliance program. This individual will support governance, risk, and compliance initiatives by assessing regulatory requirements, identifying potential risks, and ensuring alignment with industry standards such as HIPAA, HITECH, NIST CSF, and other relevant frameworks. - Governance: Assist in developing, maintaining, and enforcing healthcare policies and procedures. Support the implementation and management of governance frameworks, ensuring alignment with organizational objectives and healthcare regulations. Collaborate with stakeholders to ensure compliance with applicable standards and best practices. - Risk Management: Conduct risk assessments, including the identification, analysis, and prioritization of risks related to healthcare operations, IT systems, and third-party vendors. Develop and maintain the organization’s risk register and track remediation efforts. Participate in incident response planning and tabletop exercises to improve organizational preparedness. - Compliance: Monitor and ensure compliance with regulatory requirements such as HIPAA, HITECH, CMS guidelines, and state-specific healthcare laws. Support audit and assessment processes, including preparing documentation, responding to audit requests, and implementing corrective actions. Assist in managing third-party risk assessments, ensuring vendor compliance with healthcare security and privacy standards. - Reporting and Documentation: Prepare and deliver compliance and risk reports to leadership, including metrics, dashboards, and key performance indicators (KPIs). Maintain accurate documentation of compliance activities, risk assessments, and governance efforts. - Collaboration and Training: Partner with internal teams (e.g., IT, Legal, Operations) to address compliance gaps and enhance security posture. Provide training and awareness sessions to staff on healthcare compliance, risk management, and policy requirements. Act as a liaison with external auditors, regulatory agencies, and third-party vendors. Qualifications - At least 1 year of experience in governance, risk and compliance roles, preferably within healthcare - required - Familiarity with healthcare regulations (HIPAA, HITECH, CMS) and industry standard (NIST CSF, HITRUST, ISO 27001) - preferred - Four-year bachelor's degree or equivalent experience in Healthcare administration, Information Security, Risk Management, or a related field - required Requirements - CHC, CISA, CCSFP or CISSP certification - preferred Benefits - Employee portion of medical plan premiums are covered after 3 years. - 4%-10% employee savings plan match based on tenure - Paid Parental Leave (up to 12 weeks) - Caregiver Leave - Adoption and surrogacy reimbursement

• Represent Regulatory Affairs on cross functional project teams and provide strategic input and technical guidance on product lifecycle planning and regulatory requirements for non-medical devices, and medical devices. • Assess the acceptability of documentation for medical device submissions and effectively communicate regulatory guidance. • Assist in SOP development and review in support of "next-gen" product offerings. • Revisit and compare regulatory outcomes with initial product concepts to make recommendations on future actions. • Understand and investigate regulatory history/background of class, disease/ therapeutic context in order to assess regulatory implications for approval. • Create and ensure maintenance of technical documentation (such as clinical evaluation reports, risk management reports, 510(k) notification) as required for obtaining and/or maintaining regulatory approval/clearance for DeepHealth products. • Assist in preparation and review of regulatory submission to authorities. • Evaluate proposed design, labeling, and distribution changes for regulatory impact and implement any required regulatory action. • Utilize technical regulatory skills to propose strategies on complex issues. • Ensure compliance with product post marketing requirements. • Review product labeling to ensure compliance with relevant regulatory requirements. • Individual may provide limited work direction and guidance to peers and/or skilled non-exempt levels of employees. • Participates in the development of less experienced staff by setting an example, providing guidance, and offering counsel. • Work with the clinical teams to ensure compliance for pre- and post-market clinical studies in support of DeepHealth products and product changes. • Ensuring timely submission of adverse events to the appropriate regulatory bodies.

• Execute the approved U.S. regulatory strategy for assigned programs and represent the region on global governance teams (e.g., GRT; may include GDT/CST/LWG as applicable) • Plan and lead U.S. regulatory submissions (e.g., clinical trial and marketing applications) in alignment with global filing plans, U.S. regulatory requirements, and Amgen standards • Lead U.S. regulatory document development, including labels, briefing packages, and key submission components consistent with product strategy • Drive U.S. labeling strategy and execution in collaboration with the Labeling Working Group (LWG), including negotiation approach, timelines, and deviation/waiver decisions as applicable • Provide regulatory direction on U.S. mechanisms and pathways to optimize development (e.g., expedited programs, orphan considerations, pediatric plans, compassionate use where applicable) • Lead Health Authority interactions for assigned products: build relationships, prepare/lead engagements, and document/communicate outcomes to GRT and senior management • Manage Responses to Questions (RTQs) and other agency feedback by coordinating cross-functional inputs, driving alignment, and ensuring timely, high-quality responses • Assess regulatory risk and likelihood of success; communicate scenarios, expectations, and contingencies to GRT and line management • Ensure ongoing regulatory compliance for assigned products (e.g., commitments, obligations, regulatory history/record accuracy) and escalate issues proactively • Maintain and apply U.S. regulatory intelligence: monitor evolving legislation/guidance and assess/communicate impact (including competitor labeling where relevant) • Partner with cross-functional teams (Clinical, Medical, Safety, Commercial) to ensure strategy alignment, including support for U.S. promotional/data applicability considerations as needed • If applicable, lead and develop staff through clear prioritization, coaching, and resource planning to meet program objectives

• Manage the Information Assurance Control Calendar by completing assigned compliance activities (e.g., access reviews) and coordinating with stakeholders to ensure periodic tasks (e.g., contingency and incident response plan testing) are completed on schedule. • Ensure company policies, plans, procedures, and standards are reviewed and updated regularly for accuracy and compliance. • Maintain and manage the Plan of Action & Milestones (POA&M) for FedRAMP, CMMC, and internal findings to ensure timely resolution of security gaps. • Lead and facilitate monthly FedRAMP meetings, providing authorizing officials with briefings on all deliverables and program status. • Lead and oversee the company’s supply chain risk management program, conducting risk assessments for all new and existing vendors, suppliers, and services. • Lead the CVE (Common Vulnerabilities and Exposures) meeting, providing detailed explanations of vulnerabilities, their impact, and recommended remediation steps to relevant stakeholders. • Assist the Governance Risk & Compliance Manager in preparing for external assessments (e.g., FedRAMP audits, SOC 2 attestations) by maintaining audit-ready documentation, collecting evidence, and coordinating with stakeholders during the process. • Ensure all personnel complete mandatory training during onboarding and on a periodic basis as required, and collaborate with relevant teams to develop and update training materials yearly based on evolving security protocols and company requirements. • Support current and potential customers by providing detailed and timely responses to Requests for Information (RFI). • Ensure continuous adherence to established regulatory frameworks, including FedRAMP, ISO 27001, CMMC, SOC 2, HIPAA, GDPR, and PCI DSS.