Governance Risk and Compliance Analyst

Source Technology
Chicago, IL Contractor
POSTED ON 3/3/2025
AVAILABLE BEFORE 3/30/2025

Job Summary

The GRC Analyst plays a critical role in supporting the organization’s governance, risk management, and compliance programs. The individual will work to identify, assess, and monitor risks, ensure compliance with regulatory requirements, and help implement and maintain internal security policies and controls. The GRC Analyst is responsible for managing risk assessments, monitoring security and compliance activities, and supporting the overall security posture of the organization.


Key Responsibilities

Governance:

  • Assist in the development, implementation, and monitoring of the organization’s governance frameworks, security policies, standards, and procedures to ensure alignment with regulatory and compliance requirements.
  • Monitor and support the organization’s compliance with relevant standards (e.g., NIST, ISO 27001, HIPAA, GDPR, SOC 2) and legal requirements.
  • Coordinate audits and assessments (internal and external) to ensure ongoing compliance and address audit findings.

Risk Management:

  • Conduct risk assessments to identify vulnerabilities, threats, and potential impact to the organization’s information assets.
  • Maintain the risk register, tracking identified risks and mitigation efforts.
  • Collaborate with various departments to develop and implement risk mitigation strategies and ensure risks are reduced to an acceptable level.
  • Perform third-party vendor risk assessments to evaluate the security posture of external partners and service providers.

Incident Response & Management:

  • Assist with incident response activities, including coordinating with stakeholders to ensure risks and compliance issues are addressed in a timely manner.
  • Help to establish corrective action plans for identified issues and follow up to ensure remediation is completed.

Policy and Procedure Development:

  • Contribute to the creation and maintenance of security-related policies and procedures.
  • Ensure that policies and controls are communicated effectively to stakeholders and staff, and that proper training is conducted.

Training and Awareness:

  • Assist in the development and delivery of training programs to raise awareness of risk management, compliance obligations, and security best practices.
  • Track the completion of required compliance training and ensure ongoing awareness of relevant risks.

Reporting:

  • Prepare reports and dashboards for senior management, highlighting key risk indicators, audit results, and compliance status.
  • Provide insights and recommendations based on risk and compliance findings.

Continuous Improvement:

  • Stay up to date on evolving regulatory requirements, industry standards, and best practices in risk management and information security.
  • Identify opportunities for improving the GRC program and participate in initiatives to enhance security and compliance posture.


Required Qualifications:


  • Bachelor’s degree in Information Security, Business, or a related GRC field.
  • 2-3 years of experience in governance, risk, and compliance roles, preferably within a regulated industry (e.g., healthcare).
  • Familiarity with GRC frameworks and regulations, such as NIST, ISO 27001, COBIT, HIPAA, SOC 2, and PCI-DSS.
  • Proven experience in conducting risk assessments, managing compliance audits, and implementing GRC solutions.
  • Strong project management skills, with the ability to lead and execute cross-functional initiatives.
  • Excellent written and verbal communication skills.


Preferred Qualifications:


  • Master’s degree in Information Security, Business, or a related GRC field.
  • 3-5 years of experience in governance, risk, and compliance roles, preferably within a regulated industry (e.g., healthcare).
  • Professional certifications such as CGRC (Governance Risk and Compliance Certification), Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), or Certified Information Security Manager (CISM).
