GRC Engineer
About the role
The GRC Engineer is responsible for transforming Charlie Health’s compliance, risk and control programs into automated, measurable and continuously monitored systems. This is a hands-on engineering role focused on building the technical foundations that support HIPAA, SOC 2, NIST and other compliance requirements.
This role will partner closely with Information Security, IT Engineering, Compliance, Legal, Engineering and business teams to translate regulatory, contractual and risk requirements into automated controls, evidence pipelines, dashboards, workflows and continuous control monitoring.
Our Information Security and IT organizations treat compliance as an engineering discipline. We value ownership, automation, measurable outcomes, reliability, auditability and continuous improvement. The GRC Engineer will help move Charlie Health from manual, point-in-time compliance activities toward scalable, system-driven assurance.
Charlie Health operates in a highly regulated healthcare environment. This role will help ensure that controls protecting patient, clinician, employee and company data are well-designed, consistently operated and supported by reliable evidence.
Responsibilities
Compliance Engineering & Control Automation
- Design, build and operate automated controls that support HIPAA, SOC 2, NIST, ISO 27001 and other applicable frameworks
- Translate compliance requirements into technical control logic, workflows, integrations, dashboards and evidence pipelines
- Build scalable systems that reduce manual compliance work and improve confidence in control effectiveness
- Partner with Security, IT, Compliance and Engineering teams to embed control requirements into systems and operating processes
Continuous Control Monitoring
- Build and maintain continuous control monitoring capabilities across identity, endpoints, cloud, SaaS platforms, security tools and business systems
- Define control health metrics, thresholds, alerts and reporting mechanisms
- Identify control gaps, exceptions and drift, then partner with control owners to drive remediation
- Improve visibility into the design, operation and effectiveness of key controls
Evidence Automation & Audit Readiness
- Automate audit evidence collection across systems such as Okta, Google Workspace, Jamf, Intune, SentinelOne, Wiz, AWS, Jira, Confluence, Slack and GRC platforms
- Build repeatable evidence workflows that support HIPAA, SOC 2, customer due diligence and other audit and regulatory requirements
- Support internal and external audit activities with automated evidence retrieval and reporting
- Reduce manual evidence collection effort and improve audit cycle time