Job Description

This role has dual accountability, owning two distinct but interrelated compliance pillars:
(1) DOJ Compliance Program Management (EO 14117 Final Rule / 28 CFR Part 202) and
(2) Cybersecurity Compliance Review of Supplier Contracts.

While closely coordinated in practice, these responsibilities are governed, executed, and evaluated separately.

About the role

DOJ Compliance Program Management: For purposes of this role, “DOJ compliance” refers specifically to the U.S. Department of Justice Final Rule implementing Executive Order 14117, codified at 28 CFR Part 202, including security requirements defined at 28 CFR § 202.248 (Cybersecurity and Infrastructure Agency “CISA” Security Requirements for Restricted Transactions) - Access to US sensitive personal data and government-related data by countries of concern or covered persons. Legal retains enterprise ownership of the DOJ compliance program, including legal interpretation and regulatory positioning. This role, positioned within the IT organization, is accountable for operationalizing, executing, and sustaining the DOJ compliance program across systems, processes, and third party integrations.
You will serve as the IT organization’s operational owner and executor of the DOJ compliance program, responsible for translating Legal owned DOJ requirements into implemented, monitored, and defensible controls across digital systems, operational processes, and third party supported activities While overall DOJ program ownership resides with Legal, this role is accountable for end to end execution, ingress, scoping, monitoring, and audit readiness within the IT and digital domain.

Cybersecurity Compliance Review of Supplier Contracts: You will ensure that GEHC’s cybersecurity compliance requirements are consistently embedded in supplier contracts. You will work closely with Legal, Risk, Internal Audit, Sourcing, Privacy, Product Security, application owners to drive it consistently and address proposed deviations.
This role is ideal for someone who is hands on, detail oriented, legally trained, and comfortable owning complex, cross functional workflows and compliance programs end to end, with a strong understanding of how controls and evidence are evaluated under regulatory and enforcement scrutiny.

Key Responsibilities

DOJ Compliance Program Execution & Operational Ownership

• Act as the IT‑side owner for DOJ compliance execution, operating under the enterprise program framework owned by Legal.
• Operationalize Legal‑defined DOJ requirements across systems, processes, data flows, and third‑party‑enabled activities.
• Design, remediate, and maintain the DOJ ingress and scoping process, ensuring consistent identification of DOJ‑relevant systems and processes.
• Expand DOJ scope beyond initially identified systems to include process‑based and workflow‑based risks where applicable.
• Coordinate scoping decisions/conclusions with Legal, Risk, Internal Audit, and relevant stakeholders to ensure scope coverage is complete and defensible.
• Design and run a continuous assessment process to identify, evaluate, and prioritize DOJ compliance risks across in-scope systems and processes.
• Support development/delivery of targeted awareness materials and training to promote consistent execution of DOJ compliance expectations.
• Ensure timely remediation of identified issues in partnership with process/control owners; track actions through closure with appropriate evidence.
• Build and execute a structured monitoring/testing program to validate that required DOJ controls are implemented and operating effectively.
• Establish and perform independent monitoring, testing, and targeted reviews of DOJ‑relevant controls.
• Maintain audit‑ready evidence demonstrating how DOJ requirements are implemented, monitored, and enforced within IT.
• Create and maintain a DOJ-aligned control requirement framework mapped to internal standards and industry practices.
• Act as the primary IT liaison for DOJ‑related audits, internal assurance activities, coordinate responses and evidence packages.
• Provide clear reporting to leadership on program execution status, coverage, key risks, findings, and remediation progress.

DOJ Compliance Program Governance & Accountability Model

• The DOJ compliance program is owned at the enterprise level by the Legal function, including interpretation of regulatory expectations and formal regulatory engagement.
• This role, within the IT organization, is accountable for program execution, including control implementation, scoping, monitoring, remediation, and evidence management.
• Legal is engaged for:
  • interpretation of DOJ requirements,
  • validation of compliance positions,
  • and regulatory strategy as needed.
• This role is empowered to escalate execution risks, scoping gaps, or resourcing constraints where DOJ compliance may be impacted.

Supplier Contract Cybersecurity Compliance Review

• Maintain and update cybersecurity and compliance language within supplier contract templates to ensure alignment with internal security and regulatory standards.
• Ensure that GEHC defined cybersecurity and compliance requirements are consistently included in supplier and third‑party contracts.
• Review supplier contracts to confirm inclusion of required cybersecurity, data protection, audit, and assurance provisions.
• Review and evaluate deviations from approved cybersecurity/compliance clauses in supplier contracts; assess risk and recommend acceptable alternatives and mitigations.
• Coordinate with Legal, Sourcing, Privacy, and Product Security teams to assess risks and determine acceptable alternatives when suppliers propose non‑standard terms.
• Provide guidance to internal stakeholders during supplier negotiations on:
  • Required cybersecurity and data protection controls
  • Acceptable residual risk levels
  • Contractual mechanisms for monitoring, assurance, and audit rights
• Ensure that cybersecurity and compliance obligations included in supplier contracts are clear, enforceable and protect GEHC.
• Identify and escalate systemic or high‑risk contractual gaps that may introduce regulatory, security, or operational exposure.
• Legal/Sourcing retain ownership for commercial negotiation strategy, contract execution mechanics, and final legal drafting decisions; this role provides compliance requirements, risk assessment, and approval recommendations.

Qualifications

• Legal training or legal‑adjacent experience, including a law degree (e.g., prior law firm, in‑house counsel, regulatory, or enforcement‑related roles).
• Demonstrated experience in compliance, IT audit, risk management, internal audit.
• Demonstrated ability to interpret and apply legal and regulatory requirements in operational, technology, and third‑party contexts.
• Strong understanding of DOJ compliance expectations, enforcement actions, and regulatory frameworks.
• Experience designing and implementing compliance programs, control frameworks, or monitoring/testing processes.
• Strong stakeholder management skills; ability to influence and drive outcomes across Legal, IT, Security, Sourcing, Privacy, and business teams.
• Experience reviewing or supporting security and compliance requirements in supplier or third‑party contracts.
• Exceptional communication skills and the ability to influence stakeholders at all levels.
• Strong analytical, investigative, and problem‑solving skills.
• Strong ability to connect technical findings to legal and compliance risk
• Proven ability to manage complex regulatory interactions with professionalism and clarity.

Preferred Qualifications

• Experience in a regulated industry (e.g., healthcare, financial services, technology, manufacturing).
• Prior exposure to DOJ‑related matters, remediation programs, monitorships, or enforcement‑facing compliance work.
• Professional certifications such as CISA, CIA, CFE, or similar.

Pay Range

For Poland based positions, Annual Salary Range: 325 600 PLN - 447 700 PLN

Placement within this range depends on:

• Relevant skills and qualifications

• Prior job-related experience

• Internal equity considerations (alignment with colleagues in similar roles) e.t.c.

We review pay ranges regularly to ensure they remain competitive with the external market and align with our internal equity considerations.

Benefits & Rewards in Poland:

In addition to base salary, our employees have access to a comprehensive package of benefits and allowances, which may include:

• Health & wellness coverage

• Retirement and or savings plans

• Allowances or benefits to support role requirements (e.g., mobility, transport, or role-specific needs such as a company car or allowance where applicable)

• Work-life balance support (e.g., flexible working, leave programs)

• Recognition and incentive programs aligned with performance and company success

The exact benefits package depends on the role, location, and employment terms as specified in the Colleague Value Proposition document that will be shared prior to the interview or at the offer discussion stage.

• Performance Bonus:Details to be shared during offer discussions

#LI-HYBRID

#LI-BJ1

Additional Information