GRC Analyst

Responsibilities

• Policy Governance: Establish, maintain, and enforce the organizations information security strategy, policies, and standards.
• Vendor Risk Management: Oversee and manage the organizations Vendor Risk Management Program, ensuring third-party compliance with security requirements.
• Cyber Risk Register: Maintain and manage the cyber risk register to document and track identified risks, mitigation efforts, and progress.
• Customer Contract Reviews: Partner with Legal to review customer contracts for compliance with security requirements and organizational standards.
• Customer Security Questionnaires: Respond to customer security questionnaires to address inquiries about the organization’s security posture.
• Customer Trust Center: Maintain and update the Customer Trust Center to ensure transparency and confidence in the organization’s security practices.
• Legal, Regulatory, and Compliance Tracking: Research, track, and ensure the organization remains compliant with relevant legal, regulatory, and compliance requirements.

Key skills

• Responsible for identifying, evaluating, and reporting on information security risk to information assets
• Acting as a subject-matter expert on relevant compliance and regulatory frameworks (E.g. HIPAA, ISO standards, PCI, SOC 2, GDPR, CCPA, etc), and staying on top of industry best practices.
• Engaging in risk management and updating playbooks to align with current industry standards, regulatory changes, and best practices
• Engaging in Disaster Recovery (DR) and Business Continuity Planning (BCP), and managing the testing of these plans
• Conducting compliance audits to ensure adherence to cybersecurity standards and regulations
• Monitoring compliance with regulations and standards, typically by key cybersecurity KPIs.
• Engaging in Third-Party Risk Management (TPRM) by analyzing and minimizing risks associated with outsourcing to third-party vendors or service providers.
• Assisting with documentation following incident response
• Security awareness and training
• Engaging in regulatory change management to make sure the companies policies and practices are adjusted following regulatory updates
• Preparing detailed reports and documentation of compliance findings and security gaps
• Developing and implementing controls to address cybersecurity and compliance needs across an organization
• Implementing GRC programs with the knowledge in Data-driven decision, Responsible operations and Improved cybersecurity
• Experience on Tools and Software such as GRC platforms (e.g., RSA Archer, MetricStream); Risk management tools (e.g., RiskWatch, LogicManager); Compliance management software (e.g., ComplyAdvantage).
• Having knowledge on best practices for GRC in the cloud era include leveraging integrated GRC platforms to centralize management of risks, controls, and compliance activities across cloud environments. Implementing robust access controls, encryption, and monitoring mechanisms helps ensure data security and compliance with regulatory requirements.
• Operational knowledge on Regular risk assessments to address cloud-related risks effectively. Additionally, fostering collaboration between IT, security, compliance, and business teams facilitates the alignment of cloud initiatives with organizational goals and GRC objectives. Experience on Continuous monitoring, training, and adaptation to evolving cloud technologies and regulatory landscapes

Educational Backgrounds

• Bachelor’s degree in information security, Business Administration, or a related field with 3 to 5 years of experience.
• Certifications such as Certified Information Systems Auditor (CISA) or Certified in Risk and Information Systems Control (CRISC) are highly beneficial