Senior Analyst, Governance, Risk and Compliance (Denver, Los Angeles and/or Indiana)

Who You Are:

The Senior Analyst, Governance, Risk, and Compliance (GRC) is a key member of the Information Security team responsible for managing, monitoring, and advancing Formstack’s compliance with various security and privacy regulations and frameworks. This individual will play a pivotal role in ensuring that Formstack’s operations, products, and services are compliant with industry standards while helping to mitigate risks and support governance initiatives.

What You Will Do:

- Lead and manage Formstack’s compliance initiatives related to regulations such as HIPAA, SOC 2, GDPR, ISO 27001, PCI-DSS, CCPA, and others.

- Collaborate with internal teams (product, legal, IT, and engineering) to develop, implement, and maintain Formstack’s security policies, controls, and procedures.

- Perform risk assessments and conduct security audits across departments to ensure compliance with regulatory and industry standards.

- Assist in the preparation and facilitation of external audits and certifications (e.g., SOC 2 audits, ISO 27001 certification processes).

- Maintain and enhance Formstack's risk management framework, including the identification, assessment, and mitigation of operational, legal, and regulatory risks.

- Monitor security compliance trends, changes in regulatory requirements, and new compliance frameworks relevant to Formstack’s operations.

- Develop, maintain, and update internal documentation, including security policies, standards, and guidelines, to ensure they reflect current regulatory requirements and best practices.

- Manage the vendor risk management program, including the review and monitoring of vendor compliance with Formstack’s security standards.

- Support security awareness training programs across the organization to ensure that all employees are knowledgeable about GRC policies.

- Provide guidance on governance initiatives and best practices to help improve organizational alignment with compliance and risk management standards.

- Ensure incident response plans and business continuity plans are up to date and regularly tested through internal tabletops.

- Collaborate on data privacy initiatives and ensure that Formstack’s practices align with privacy regulations like GDPR and CCPA.

- Act as a liaison between external regulatory bodies, auditors, and internal teams.

What We Are Looking For:

- 5 years of experience in Governance, Risk, and Compliance (GRC) or a related field, ideally within a SaaS, technology, or healthcare-related environment.

- Strong knowledge of industry standards and frameworks, including NIST, SOC 2, or ISO 27001.

- Demonstrated experience conducting risk assessments, security audits, and managing compliance projects.

- Hands-on experience with cloud security and compliance in environments like AWS.- Strong understanding of cybersecurity principles.

- Experience with third-party vendor risk management and compliance monitoring.

- Excellent written and verbal communication skills, with the ability to translate complex regulatory requirements into actionable guidance.

- Ability to work cross-functionally with legal, IT, and engineering teams.

- Strong organizational skills, attention to detail, and the ability to manage multiple projects in a fast-paced environment.

Bonus Points:

- Bachelor’s degree in a relevant field (e.g., Information Security, IT, Business, Law, Engineering).

- Certifications such as CISSP, CISA, CISM, or CRISC.

- Familiarity with frameworks such as COBIT or ISO 31000.

- Experience in the technology or SaaS industry, with a focus on product compliance.

- Knowledge of secure software development practices and DevSecOps.

- Experience working in an agile or DevOps environment.

- Strong knowledge of industry standards and frameworks, including HIPAA, GDPR, PCI-DSS and CCPA.

Salary : $140,000 - $180,000