Senior Engineer, Information Security


CAQH recognizes that its most important asset is its growing team of smart, creative, collaborative, forward-thinking and passionate professionals – and that a comprehensive employee benefits package is an important factor for them in choosing where to work. CAQH offers competitive compensation along with an extensive benefits package for all full-time employees, including medical, dental and vision coverage, tuition assistance and a 401k. We offer full-time remote work to all staff from any location and maintain a physical office (with many amenities) in downtown Washington, D.C. 

Who we are:

Named one of the "Best Places to Work" by Modern Healthcare for five consecutive years, CAQH has helped nearly 1,000 health plans, 1.6 million providers, government entities and vendors connect, exchange information and operate more efficiently. CAQH technology-enabled solutions and its Committee on Operating Rules for Information Exchange (CORE) bring the healthcare industry together to make sharing business information more automated, predictable and consistent. CAQH Explorations researches opportunities to reduce the burden of manual processes in healthcare administration.


Senior Engineer, Information Security

Finance and Administration
Reports To

Senior Manager, Information Security

The Senior Engineer, Information Security is responsible for the successful delivery of complex security program initiatives that safeguard CAQH protected information. Through methodical planning, rigorous execution and continuous oversight, the Senior Engineer will enhance the security and privacy posture of CAQH solutions and corporate IT assets. The Senior Engineer, Information Security reports to the Senior Manager, Information Security. This is a full-time, exempt, remote position.

Specific Responsibilities
  • Analyze applications and recommend and develop security measures to protect information against unauthorized modification or loss.
  • Design and implement application security methodology and activities to support organizational needs.
  • Design, build and drive a SecDevOps security automation approach that enables secure CI/CD development across our growing DevOps needs.
  • Focus on finding new tools and models/methods of work to meet next-gen application security related challenges and needs.
  • Work with the organization's different technical teams to create and implement information security policies and procedures.
  • Work closely with the development teams within a Scaled Agile Framework (SAFe) development process to fix security issues identified in large-scale user-facing web applications.
  • Provide technical support in evaluating application security requirements, technologies, and workflows across solutions.
  • Work collaboratively across the organization to support and remediate security gaps.
  • Design and implement security architecture controls to ensure a proper shift left approach and secure by design mindset.
  • Develop and execute security assessment test plans, document, and present results.
  • Review security threats, provide feedback and perform security and risk assessment for CAQH Solutions, services, and future technology.
  • Perform design analysis, review, piloting, and selection of security technologies that meet CAQH's specified business requirements.
  • Identify and define solution security requirements and security baselines for the various classes of assets and environments in use at CAQH or its partners.
  • Lead and mentor Infrastructure and Application Operations teams as well as development teams to utilize secure techniques and libraries.
  • Provide guidance during architecture and design activities of new and existing solutions, while also conducting architectural risk and impact assessments on new and existing tools.
  • Maintain knowledge of current and emerging secure mechanisms, technologies, products, trends related to architectural solutions; actively and continuously share this knowledge with others.
  • Communicate findings, remediation guidance and security design patterns to solutions and development teams in a concise manner.
  • Increase knowledge in solutions and application security through self-study, training, and certifications.
  • Research and gather secure code specifications and requirements based on OWASP.
  • Stay connected to emerging technologies and industry trends and apply them to operations and activities.
  • Implement and conduct threat modeling for CAQH web solutions and provide guidance and prioritization of remediation efforts identified throughout the process.
  • Work with monitoring team to integrate solutions layer logging with SIEM and provide guidance on monitoring use case development.
  • Review and provide recommendations for Web App Firewall (WAF) rules and configurations that align with best practices and remediate any gaps in protection.
  • Support HITRUST and SOC 2 compliance assessments/audits and drive the remediation of any gaps that have been identified in the application tier.
  • Support completion of customer security and privacy questionnaires/assessments regarding application security.
  • Coordinate annual third-party penetration testing and work with support teams to create and execute a remediation plan.

Knowledge, skills and abilities
  • SAST, DAST, and SCA application vulnerability scanning.
  • Working knowledge of web application security.
  • Ability to understand and provide recommendations around the technological design and architecture of an application.
  • Demonstrated understanding of modern authentication and authorization mechanisms.
  • Demonstrated ability to manage a mix of established programs and projects of varying sizes, as well as new initiatives that span application and infrastructure security.
  • Demonstrated ability to support project teams to meet critical deadlines and realize program benefits.
  • Ability to efficiently and effectively communicate plans, schedules, decisions, status, risks and issues and to implement corrective actions to ensure organizational objectives are met.
  • Demonstrated understanding of the threats and attack vectors of web-based applications and how to mitigate them.
  • Ability to work collaboratively in fast-paced, schedule-driven matrixed organizations.
  • Ability to communicate clearly and concisely with all levels of business and technical stakeholders both verbally and in written form.
  • Proven command of secure software development lifecycle execution and oversight.
  • Strong team player able to influence the outcome of projects without direct authority.
  • Experience implementing and refining processes, policies and standards.
  • The ability to balance risk mitigation with business needs.
  • 7+ years of hands-on experience managing application security monitoring, vulnerability scanning, and data loss prevention tools.
  • 7+ years leading cross-functional teams to successfully deliver comprehensive security solutions.
  • Microsoft Azure secure web app development experience.
  • Hands-on experience with containerization & orchestration and microservice architecture.
  • Hands-on development experience in multiple programming languages.
  • CISSP certification and detailed HITRUST governance experience preferred.

Bachelor’s degree required; business and technology disciplines preferred.
