The Cloud Regulatory Program Manager serves as a subject matter expert on regulatory obligations (e.g., NIST) and related regulatory inquiries at Duke Health Technology Solutions (DHTS) with regards to DHTS Cloud PaaS/IaaS compliance. This role will serve as the primary program manager and liaison among offices and teams doing Cloud regulatory work within DHTS and interfacing with customers of DHTS cloud platform(s). This position is an expert resource and will provide guidance regarding interpretation, applicability, and implementation of regulatory controls in the DHTS Cloud platform(s). 

Essential Tasks and Responsibilities 

• Serve as a key resource and program manager for Cloud platform regulatory work within the DHTS Cloud platform(s)
• Create, maintain and update DHTS Cloud compliance documentation, including DHTS NIST Manual, End User Agreement (EUA), source policy rule sets, mitigations, waivers, and Plans of Action & Milestones (POA&Ms) specific to the DHTS Cloud platform(s).
• Coordinate with teams within and external to DHTS to address POA&Ms timely
• Train DHTS Cloud subscription owners and, as needed, applications owners on the documented controls, including elements that they are responsible for (non-inherited controls).
• Maintain record of Subscription owner EUAs
• Collaborate and liaise with Duke offices (ex, ISO, CTO, OASIS, OARC, SOM) as well as study teams and the Duke community on inherited technical control requirements and expectations related to NIST SP800-53 and other regulations
• Provide guidance, assistance, and strategic advice regarding regulatory compliance matters, such as the interpretation of regulations, policies, requirements and/or their applicability to the DHTS Cloud platform(s)
• Facilitates internal audits or third-party audits of the DHTS Cloud platform(s), as required.
• Liaise with Duke contracts offices as requested to ensure DHTS Cloud platform(s) is appropriately complying with regulatory requirements and contracted expectations inherited from platform
• Prepares regular status reports for DHTS Cloud platform(s) and submits to management, including metrics, documentation on systems impacted by these regulations, information on compliance, and other documentation, as required.

The above statements describe the general nature and level of work being performed by individuals assigned to this classification. This is not intended to be an exhaustive list of all responsibilities and duties required of personnel so classified.

Minimum Qualifications

Education

• Level 1, 2 and 3 - Bachelor's degree in a related clinical or technical field, or four years of equivalent technical experience required.
• Level 3 - A Master's degree in computer science, information systems, business management, engineering, mathematics, healthcare, a physical science, or other related field is preferred.

Licensure/Certification

• Level 1: N/A
• Level 2: In addition to the requirements described for the Level 1, the Level 2 requires: One or more information security industry certifications (e.g. CISSP, CISM, CISA, CEH, or equivalent) are preferred. Additional technical or management certifications (e.g. MCSE, CCNP, CCIE, or PMP) are preferred.
• Level 3: In addition to the requirements described for the Level 2, the Level 3 requires: One or more information security industry certifications (e.g. CISSP, CISM, CISA, CEH, or equivalent) are required.

Experience

• Level 1 - No experience required beyond the minimum education (or equivalency) requirement.
• Level 2 - Two years of related experience is required.
• Level 3 - Four years of related experience is required.

Preferred Qualifications 

Experience:

• Minimum 3 years of related IT regulatory experience, ideally in an organization involved in the conduct of clinical research such as a pharmaceutical, biotechnology, or medical device company; contract research organization; academic medical center; or regulatory agency.
• Strong familiarity with NIST SP-800-53
• Leading projects and teams with measurable deliverable outcomes.
• Managing team related projects.
• Knowledge of IT regulations and requirements.
• Experience documenting requirements for or managing IT-related projects or products in the area of clinical research. 
• Familiarity with Azure Defender for Cloud, Azure Cloud.
• Familiarity with other regulations (GxP, HIPAA/HITECH, etc.).

Skills:

• Must possess strong communicating skills with the ability to communicate effectively up and down, at all levels of the organization.
• Excellent organizational and documentation skills. Possess an acute attention to detail.
• Demonstrates comprehensive decision making skill by taking independent and timely decisions; and communicates, influences and escalates issues.
• Strong partnering and negotiating with multiple internal, and frequently also external stakeholders.
• Be a leader with a clear understanding of regulatory expectations.
• Team player with sense of urgency to carry out tasks in a timely and accurate manner.
• Ability to interact well with employees at all levels.
• Adapt to changing priorities effectively.
• Ability to work independently on assignments.

The intent of this job description is to provide a representative and level of the types of duties and responsibilities that will be required of positions given this title and shall not be construed as a declaration of the total of the specific duties and responsibilities of any particular position. Employees may be directed to perform job-related tasks other than those specifically presented in this description.

This position may have an opportunity to work remotely. All Duke University and Duke Health remote workers must reside in one of the following states or districts: Arizona; California; Florida; Georgia; Hawaii; Illinois; Maryland; Massachusetts; Montana; New Jersey; New York; North Carolina; Pennsylvania; South Carolina; Tennessee; Texas; Virginia or Washington, DC.

Duke is an Affirmative Action/Equal Opportunity Employer committed to providing employment opportunity without regard to an individual's age, color, disability, gender, gender expression, gender identity, genetic information, national origin, race, religion, sex, sexual orientation, or veteran status.

Duke aspires to create a community built on collaboration, innovation, creativity, and belonging. Our collective success depends on the robust exchange of ideas-an exchange that is best when the rich diversity of our perspectives, backgrounds, and experiences flourishes. To achieve this exchange, it is essential that all members of the community feel secure and welcome, that the contributions of all individuals are respected, and that all voices are heard. All members of our community have a responsibility to uphold these values.

Essential Physical Job Functions: Certain jobs at Duke University and Duke University Health System may include essentialjob functions that require specific physical and/or mental abilities. Additional information and provision for requests for reasonable accommodation will be provided by each hiring department.

Logo

About Duke University Health System

As a world-class academic and health care system, Duke Health strives to transform medicine and health locally and globally through innovative scientific research, rapid translation of breakthrough discoveries, educating future clinical and scientific leaders, advocating and practicing evidence-based medicine to improve community health, and leading efforts to eliminate health inequalities.

Connections working at Duke University Health System