Promaxo
Information Technology Security Engineer
We are looking for a hands‑on and highly motivated IT and Security Engineer to own and shape our corporate IT, security, and compliance landscape. This is a unique opportunity to build our systems from the ground up – establishing the infrastructure, governance practices, and operational controls necessary for a secure, compliant, and efficient medical device company.
You will be our go‑to expert for employee devices, cloud services, SOC 2, HIPAA, and overall security governance, driving compliance across all Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy. The ideal candidate has significant experience owning SOC 2 programs end‑to‑end and thrives in an environment where security, compliance, and operational excellence are critical.
Key Responsibilities
IT Infrastructure & Operations
Build, manage, and maintain our corporate IT environment, ensuring high levels of availability, performance, and compliance with SOC 2 operational requirements.
Administer and support all employee devices (laptops, peripherals) using modern MDM solutions; ensure secure configurations, baselines, and monitoring aligned with SOC 2 controls.
Manage our core SaaS applications and identity lifecycle processes, RBAC, SSO, MFA, and least‑privilege policies.
Oversee cloud infrastructure (AWS/GCP/Azure), implementing guardrails, logging, monitoring, and access governance consistent with SOC 2, HIPAA, and industry best practices.
Provide exceptional on‑site IT support, ensuring timely and compliant handling of incidents, change requests, and asset tracking.
Compliance and Governance
Own the end‑to‑end SOC 2 Type I and Type II compliance program, including annual planning, evidence gathering, auditor coordination, remediation management, and continuous control monitoring.
Develop, document, and maintain a comprehensive library of policies, procedures, and technical standards covering all SOC 2 Trust Services Criteria.
Build and manage a governance framework, including risk assessments, internal controls testing, access reviews, change management processes, disaster recovery and business continuity planning, and third‑party/vendor risk management.
Conduct ongoing SOC 2 gap analyses and drive cross‑functional remediation initiatives.
Manage security and compliance training programs across the organization, ensuring measurable improvement in security awareness.
Maintain HIPAA‑aligned safeguards for PHI, including administrative, technical, and physical controls.
Security & Threat Management
Lead the company’s threat modeling program for systems, applications, cloud services, and data flows; partner with engineering to identify threats, validate mitigations, and track closure.
Manage security tools and programs, including endpoint detection & response (EDR), vulnerability scanning and patch management, log management and SIEM, configuration monitoring, and data loss prevention (DLP).
Own the penetration testing lifecycle, including scoping, vendor coordination, remediation tracking, and executive reporting.
Maintain security incident response procedures, perform incident triage, and lead coordination with internal stakeholders and external partners.
Ensure compliance with SOC 2 security controls, including audit logging, network security, access control, encryption at rest and in transit, system hardening, backup and recovery.
Protect the confidentiality, integrity, and availability of company data, intellectual property, and PHI.
Additional Security Experience Requirements
Serve as the primary technical point of contact for security-related questions from mid‑size urology groups and other healthcare practices evaluating our security posture.
Demonstrate deep knowledge of business associate agreements (BAAs), including how SOC 2 controls map to HIPAA requirements.
Clearly articulate whether BAAs, security controls, and vendor practices meet SOC 2 and HIPAA standards in external discussions.
Own the process of responding to external security questionnaires, RFPs, and due diligence reviews from healthcare clients and partners.
Prepare and maintain standardized security documentation, including security whitepapers, SOC 2 control summaries, and HIPAA safeguard explanations.
Lead patch management and vulnerability remediation programs, ensuring timely rollout, risk prioritization, and audit‑ready documentation.
Manage vulnerability testing schedules, reporting, and remediation workflows across cloud services, endpoints, and third‑party vendors.
Collaborate with compliance and legal teams to ensure BAAs, DPAs, and vendor contracts accurately reflect required security obligations.
Required Qualifications
Bachelor’s degree in Computer Science, Information Systems, Cybersecurity, or equivalent practical experience.
3+ years of experience owning SOC 2 audits, including evidence collection, control implementation, remediation plans, auditor relationships, and continuous monitoring.
Experience speaking with external customers or partners about security posture, compliance, and IT controls.
Strong understanding of SOC 2 Trust Services Criteria and how to operationalize controls across IT, security, and engineering teams.
Demonstrated experience with threat modeling frameworks (STRIDE, LINDDUN, PASTA, etc.).
Hands‑on experience with penetration testing processes, vulnerability management, SIEM, EDR, and cloud security controls.
Technical proficiency managing modern IT environments, with expertise in MDM, IAM/SSO, cloud security, SaaS administration, and endpoint hardening.
Strong understanding of incident response, secure system design, network security, and compliance frameworks.
Excellent documentation and communication skills.
Ability to work full‑time and onsite in our Oakland, CA office.
Preferred Qualifications
Experience building compliance programs for medical device, healthcare, or similarly regulated environments.
Familiarity with BAAs, HIPAA Security Rule requirements, and vendor security assessments.
Experience scaling an IT/security program in a fast‑paced startup.
Familiarity with additional frameworks such as HIPAA, NIST 800‑53/800‑171, ISO 27001, HITRUST, FDA cybersecurity, and CIS Controls.
Seniority level Not Applicable
Employment type Full‑time
Job function Information Technology, Engineering, and Analyst
Industries Medical Equipment Manufacturing, Biotechnology Research, and Hospitals and Health Care
Benefits
Medical insurance
Vision insurance
401(k)
Paid maternity leave
Paid paternity leave