GRC Analyst

About the Role

The GRC Analyst is responsible for supporting the organization's information security governance, risk, and compliance activities. This role involves ensuring that the organization’s security policies, procedures, and practices are aligned with regulatory requirements, industry standards, and best practices. The ideal candidate will have a strong understanding of information Security & Privacy principles, Third Party Vendor Risk management, ITGC & SOC2 audit controls, and the ability to communicate complex security issues to various stakeholders.

Duties and Responsibilities:

Governance:

1. - Develop, implement, and maintain information security policies and procedures.
   • Ensure alignment of security governance frameworks with business objectives and regulatory requirements.
   • Assist in the creation and maintenance of the information security governance structure.
2. Risk Management:
   • Conduct information security risk assessments and evaluate the effectiveness of existing controls.
   • Identify, assess, and document risks related to information security & privacy across the organization.
   • Conduct regular risk assessments for existing and potential vendors.
   • Monitor and report on the organization’s information security risk posture.
3. Compliance:
   • Ensure compliance with relevant information security regulations, standards, and frameworks (e.g., ISO 27001, SOC2, ITGC, NIST, PCI-DSS, CCPA, NYDFS, HIPAA).
   • Conduct regular security compliance assessments and audits.
   • Track and report on compliance gaps and work with relevant teams to address deficiencies.
   • Stay current on emerging security regulations and industry best practices.
   • Develop and deliver information security awareness and training programs to staff at all levels.
4. Reporting and Documentation:
   • Maintain comprehensive and accurate documentation related to information security governance, risk, and compliance.
   • Prepare and present reports on the organization’s information security activities, risk assessments, and compliance status to senior management.
   • Ensure all documentation is up-to-date and in compliance with regulatory and organizational requirements.

Qualifications and Skills:

• Bachelor’s degree in Information Security, Computer Science, Cybersecurity, or a related field.
• 3+ years of experience in information security, risk management and compliance.
• Strong knowledge of information security frameworks, standards, and regulations (e.g., ISO 27001, NIST, CCPA, PCI-DSS, NYDFS, HIPAA).
• Experience with security & privacy risk assessment and management methodologies.
• Extensive experience in Third Party/Vendor Risk Management (TPRM) with hands-on expertise in managing VRM tools (e.g.,OneTrust, ProcessUnity, Vanta).
• Experience in supporting security audits (SOC2, Customer & Partners Audits) - At least 2 complete audit cycles of SOC2.
• Excellent communication skills, with the ability to convey complex security concepts to non-technical stakeholders.
• Relevant certifications such as ISO 27001 LA LI, CISA, CRISC are highly desirable.

#LI-DG1

#LI-Hybrid