Address
Form of workTITLE: Governance, Risk, and Compliance (GRC) Analyst
JOB CODE: E1012
GRADE LEVEL: 29
FLSA JOB STATUS: Exempt
DEPARTMENT: IT Security
REPORTS TO: Chief Information & Security Officer
DATE WRITTEN: February 2024
General Description
We are seeking a highly skilled and detail-oriented individual to join our team as a Governance, Risk, and Compliance (GRC) Analyst. In this role, you will play a crucial part in ensuring our organization adheres to client and regulatory requirements and manages risks and risk assessments effectively. Work performed by this individual results in the measurable reduction of costs and/or risks relating to risk management and controls. The ideal candidate will possess experience working in highly regulated environments, particularly healthcare and financial services. This position may require occasional work after hours or on weekends. Management reserves the ability to request other functions from this position. Exceptional customer service, written, and oral communication skills are a must.
Responsibilities
o Work with Corporate Compliance to monitor and assess regulatory changes to ensure that IT fulfills client and regulatory requirements.
o Collaborate with cross-functional teams to communicate, implement, and maintain IT compliance initiatives.
o Conduct internal and external risk assessments to identify potential threats and vulnerabilities.
o Develop, maintain, and perform outbound assessments to vendors, suppliers, and partners.
o Evaluate the impact and likelihood of identified risks.
o Complete inbound assessments from clients and regulators.
o Work closely with business units to develop and implement risk mitigation strategies.
o Maintain the IT Risk Register.
o Supports the establishment and maintenance of Enterprise Risk Management (ERM) infrastructure, in line with industry standards such as COBIT, ISO 27001, and ISO 31000.
o Conduct audits to assess IT compliance with policies, standards, and regulations.
o Coordinate user entitlement reviews and assist with ensuring data safeguards and controls are in place.
o Develop and implement monitoring programs to track compliance and risk metrics.
o Collaborate with internal and external auditors during scheduled audits.
o Document audit procedures performed ensuring audit methodology is consistently followed and conclusions are appropriately reached.
o Generate regular reports for management review.
o Communicate findings and recommendations to relevant stakeholders.
o Collaborate with business units to enhance awareness of compliance and risk management principles.
Education, Skills, Personal Attributes, and Experience Required
Work Condition
Physical Requirements
The physical requirements described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
Specific vision abilities require the ability to focus distant and near objects clearly. While performing the duties of this job, the employee is regularly required to sit, talk, and hear. The employee is frequently required to use hands and arms to handle, feel and reach as well as operate a personal computer.
JOB CODE: E1012
GRADE LEVEL: 29
FLSA JOB STATUS: Exempt
DEPARTMENT: IT Security
REPORTS TO: Chief Information & Security Officer
DATE WRITTEN: February 2024
General Description
We are seeking a highly skilled and detail-oriented individual to join our team as a Governance, Risk, and Compliance (GRC) Analyst. In this role, you will play a crucial part in ensuring our organization adheres to client and regulatory requirements and manages risks and risk assessments effectively. Work performed by this individual results in the measurable reduction of costs and/or risks relating to risk management and controls. The ideal candidate will possess experience working in highly regulated environments, particularly healthcare and financial services. This position may require occasional work after hours or on weekends. Management reserves the ability to request other functions from this position. Exceptional customer service, written, and oral communication skills are a must.
Responsibilities
- IT Compliance:
o Work with Corporate Compliance to monitor and assess regulatory changes to ensure that IT fulfills client and regulatory requirements.
o Collaborate with cross-functional teams to communicate, implement, and maintain IT compliance initiatives.
- Risk Assessment and Management:
o Conduct internal and external risk assessments to identify potential threats and vulnerabilities.
o Develop, maintain, and perform outbound assessments to vendors, suppliers, and partners.
o Evaluate the impact and likelihood of identified risks.
o Complete inbound assessments from clients and regulators.
o Work closely with business units to develop and implement risk mitigation strategies.
o Maintain the IT Risk Register.
o Supports the establishment and maintenance of Enterprise Risk Management (ERM) infrastructure, in line with industry standards such as COBIT, ISO 27001, and ISO 31000.
- Audit and Monitoring:
o Conduct audits to assess IT compliance with policies, standards, and regulations.
o Coordinate user entitlement reviews and assist with ensuring data safeguards and controls are in place.
o Develop and implement monitoring programs to track compliance and risk metrics.
o Collaborate with internal and external auditors during scheduled audits.
o Document audit procedures performed ensuring audit methodology is consistently followed and conclusions are appropriately reached.
- Reporting and Communication:
o Generate regular reports for management review.
o Communicate findings and recommendations to relevant stakeholders.
o Collaborate with business units to enhance awareness of compliance and risk management principles.
Education, Skills, Personal Attributes, and Experience Required
- Candidate will have obtained bachelor's degree in information systems, computer science, or other relevant discipline.
- 5+ years of experience working in a similar industry or with a consulting firm.
- Experience internally leading projects or advising programs to effectively establish risk management frameworks and practices in a highly technical organization.
- Experience reviewing and completing security questionnaires.
- Experience reviewing compliance and security reports (SOC 2, PCI, ISO, etc.)
- Experience working cross-functionally to achieve objectives.
- Experience performing security and privacy due diligence reviews of vendors.
- In-depth knowledge in information security best practices and frameworks, such as NIST Special Publications and Cyber Security Framework, CIS Controls, ISO/IEC 17000/31000 series, and OWASP.
- Knowledge of common cloud infrastructure platforms and applications (e.g., AWS, Azure, M365) is a plus.
- Proficiency in tools like JIRA and Confluence preferred.
- One or more of the following certifications is preferred: CISA, CRISC, CISSP.
- Proven subscription to the company's core values of integrity, trust and respect, innovation, stewardship, excellence, and celebration.
Work Condition
- General office working conditions which may require sitting for extended periods of time.
- Infrequent overnight travel may be required.
Physical Requirements
The physical requirements described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
Specific vision abilities require the ability to focus distant and near objects clearly. While performing the duties of this job, the employee is regularly required to sit, talk, and hear. The employee is frequently required to use hands and arms to handle, feel and reach as well as operate a personal computer.
