Job Description & Details
Security & Compliance Engineer (SOC 2/HIPAA) – a hands‑on role where you’ll own the security control build‑out for a fast‑growing cloud SaaS. It’s not a paper‑pusher gig; you’ll actually design, code and validate controls that keep healthcare and government data safe.
What You'll Actually Be Doing
You’ll start by mapping the existing platform to the SOC 2 Trust Service Criteria and the HIPAA Security Rule, then write the policies, standards and evidence‑collection scripts auditors need. Day‑to‑day you’ll be wiring up RBAC, MFA, encryption at rest and in transit, and audit‑logging pipelines in AWS or Azure, while embedding those controls into CI/CD pipelines. Expect frequent risk‑assessment workshops, rapid remediation of findings, and on‑call incident‑response drills that simulate PHI breaches.
The Core Tech Stack
The non‑negotiables are deep AWS/Azure security knowledge (IAM, KMS, CloudTrail, GuardDuty) plus a solid grasp of NIST CSF and how it maps to SOC 2 and HIPAA. You’ll need to be comfortable scripting in Bash/Python to automate evidence collection, and you should have built Secure SDLC/DevSecOps gates (e.g., Terraform Sentinel, Snyk, or Checkov). Those skills let the team prove compliance continuously rather than once a year.
Interview Expectations
- “Walk me through how you would design a SOC 2‑ready logging architecture on AWS, and how you’d prove its completeness to an auditor.” – They’re looking for a clear data‑flow diagram, use of CloudWatch Logs, S3 bucket immutability, and a retention policy that satisfies the five Trust Service Criteria.
- “A vulnerability scan flags a misconfigured S3 bucket exposing PHI. Explain the remediation steps and how you’d document the fix for HIPAA compliance.” – Expect them to hear about immediate bucket policy changes, bucket encryption enablement, logging activation, a root‑cause analysis, and updating the risk register and SOPs.
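As an added illustration of the kind of evidence‑collection script the role describes (not code from the posting or the employer), the check below evaluates an S3 bucket’s configuration against the controls named in the remediation answer above and emits risk‑register style findings. The bucket/config dicts are constructed samples keyed like the corresponding boto3 responses; a real run would populate them from `get_public_access_block`, `get_bucket_encryption`, `get_bucket_logging` and `get_bucket_versioning` instead.

```python
from typing import Any, Dict, List

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def evaluate_bucket(name: str, cfg: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per failed control; an empty list means every control passes."""
    findings: List[Dict[str, str]] = []

    def fail(control: str, detail: str) -> None:
        findings.append({"bucket": name, "control": control, "status": "FAIL", "detail": detail})

    # Control 1: bucket-level public access block, all four flags must be true.
    pab = cfg.get("PublicAccessBlockConfiguration") or {}
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        fail("public-access-block", "flags not set: " + ", ".join(missing))

    # Control 2: a default server-side encryption rule (SSE-S3 or SSE-KMS) for new objects.
    rules = (cfg.get("ServerSideEncryptionConfiguration") or {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        fail("encryption-at-rest", "no default SSE rule (AES256 or aws:kms)")

    # Control 3: server access logging delivered to a *separate* log bucket.
    log_cfg = cfg.get("LoggingEnabled") or {}
    if not log_cfg.get("TargetBucket") or log_cfg.get("TargetBucket") == name:
        fail("access-logging", "logging disabled, or logs written to the same bucket")

    # Control 4: versioning enabled so overwritten or deleted PHI objects stay recoverable.
    if (cfg.get("Versioning") or {}).get("Status") != "Enabled":
        fail("versioning", "versioning is not Enabled")

    return findings


# Constructed sample: the bucket as the scan found it (hypothetical names, no real account).
EXPOSED = {
    "PublicAccessBlockConfiguration": {f: False for f in PAB_FLAGS},
    "ServerSideEncryptionConfiguration": None,
    "LoggingEnabled": None,
    "Versioning": {"Status": "Suspended"},
}
# Constructed sample: the same bucket after the remediation steps described above.
REMEDIATED = {
    "PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS},
    "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/phi-example"}}]},
    "LoggingEnabled": {"TargetBucket": "phi-access-logs-example", "TargetPrefix": "phi-exports/"},
    "Versioning": {"Status": "Enabled"},
}

if __name__ == "__main__":
    for label, cfg in (("before", EXPOSED), ("after", REMEDIATED)):
        print(label, evaluate_bucket("phi-exports-example", cfg) or "all controls pass")
```

Each finding carries the bucket, control and a concrete detail, so the list can be attached to the root‑cause analysis and the risk register as auditor‑facing evidence.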
Application Advice
Tailor your résumé to echo the exact phrasing from the JD: “SOC 2 implementation,” “HIPAA security controls,” “RBAC,” “MFA,” “audit logging,” “NIST Cybersecurity Framework,” and “DevSecOps.” Highlight any AWS Security Specialty or Azure Security Engineer certs you hold, and surface concrete metrics (e.g., reduced audit remediation time by 30%). A short cover note that mentions “remote‑first, US‑based compliance work for healthcare SaaS” will help you pass the ATS and catch the recruiter’s eye.