Virtual
GRC Analyst
Virtual, Pittsburgh, Pennsylvania, us, 15289
THIS ROLE IS NOT AVAILABLE FOR C2C or VISA SPONSORSHIP
We currently have a 6-month contract to hire the opportunity available for a Governance, Risk, & Compliance (GRC) Analyst with one of our local clients here in Pittsburgh. This is a hybrid opportunity with a split work schedule of 3 days on site and 2 days remote. This individual must be located in the Pittsburgh area.
Working as an integral member of the Security & Privacy Compliance group within the Information Security team, the GRC Analyst will contribute to the continual effort of the Governance, Risk, Compliance, and Audit program.
The GRC Analyst will implement, maintain, and improve policies, standards, procedures, and internal controls to assure compliance with applicable regulatory and legal requirements, and information security best practices.
The GRC Analyst will be adept at conducting gap analysis, audit management, and risk assessments as it relates to Client’s risk management posture.
Additional GRC Analyst responsibilities require program documentation, program leadership, and project management experience.
Essential Responsibilities:
Continuously improving Client’s Information Security Management program.
Managing the remediation of risks identified through the risk register process and contributing to the improvement of risk treatment plans and the overall risk management program.
Assisting in the development and maintenance of all relevant program documentation, policies, standards, guidelines, and frameworks.
Educating risk owners on risk management best practices and working with key stakeholders in the development and implementation of risk controls and risk treatment plans.
Assisting in the identification of risk trends by establishing and monitoring key performance and key risk indicators via risk and business impact assessments.
Internally assessing, evaluating, and making recommendations regarding the adequacy of implemented security controls.
Exploring opportunities to improve GRC processes through automation and continuous monitoring of information security controls, risks, and exceptions, and development of reporting metrics, dashboards, and evidence artifacts.
Managing the security exception process, including the completion of security exceptions, tracking, and following up on alternative mitigating action items detailed within approved security exceptions.
Coordinating and tracking security-related audits including scope of audits, stakeholder engagement, and deliverable timelines.
Working with teams as appropriate to keep audit focus in scope.
Providing guidance, evaluation, and advocacy on audit responses.
Tracking and implementing corrective action plans resulting from audit findings.
Documenting and reporting control failures and gaps to stakeholders.
Providing remediation guidance and preparing management reports to track remediation activities.
Maintaining the vendor risk management program including vendor reviews and vendor risk assessments; improving the program with the build-out of repositories, tools, and documentation for third-party vendor risk assurance.
Desired Knowledge, Skills, and Abilities:
Strong understanding of fundamental information security concepts and technology.
Knowledge of information security risk management frameworks and compliance practices.
Knowledge of applicable information security management, governance, and compliance principles, practices, laws, rules, and regulations.
Understanding of technical and organizational security vulnerabilities, threats, and risks.
Excellent analytical, problem-solving, and decision-making skills.
Strong communication (written and verbal) and presentation skills.
Strong work ethic with attention to detail.
Willingness to learn and adapt as the situation arises.
Skilled at applying a risk-based approach to planning, executing, and reporting on audit engagements and auditing process.
Skilled in security project management and planning.
Ability to effectively communicate technical issues to diverse audiences, both in writing and verbally.
Ability to work with cross-functional teams across organizational and cultural boundaries to achieve policy and process compliance.
Ability to develop security standards and guidelines based on best practices and industry standards.
Ability to work independently and manage a fluid workload.
Preferred Qualifications:
5+ years of experience in Information Technology, Security Analysis, Governance, Risk and Compliance and/or Internal Audit management.
2+ years of Project Management experience.
Experience working in a highly regulated industry vertical.
Experience working with GRC automation platforms.
Experience in a SaaS company environment; Cloud Security experience is a plus.
Experience performing information security audits or risk assessments.
Experience managing compliance-driven readiness activities as well as remediation and certification efforts.
(e.g., ISO 27001, HIPAA, HITRUST, SOC2, FedRAMP)
Bachelor’s degree in related field or equivalent work experience.
ISACA or (ISC)2 Certification is a plus.
We currently have a 6-month contract to hire the opportunity available for a Governance, Risk, & Compliance (GRC) Analyst with one of our local clients here in Pittsburgh. This is a hybrid opportunity with a split work schedule of 3 days on site and 2 days remote. This individual must be located in the Pittsburgh area.
Working as an integral member of the Security & Privacy Compliance group within the Information Security team, the GRC Analyst will contribute to the continual effort of the Governance, Risk, Compliance, and Audit program.
The GRC Analyst will implement, maintain, and improve policies, standards, procedures, and internal controls to assure compliance with applicable regulatory and legal requirements, and information security best practices.
The GRC Analyst will be adept at conducting gap analysis, audit management, and risk assessments as it relates to Client’s risk management posture.
Additional GRC Analyst responsibilities require program documentation, program leadership, and project management experience.
Essential Responsibilities:
Continuously improving Client’s Information Security Management program.
Managing the remediation of risks identified through the risk register process and contributing to the improvement of risk treatment plans and the overall risk management program.
Assisting in the development and maintenance of all relevant program documentation, policies, standards, guidelines, and frameworks.
Educating risk owners on risk management best practices and working with key stakeholders in the development and implementation of risk controls and risk treatment plans.
Assisting in the identification of risk trends by establishing and monitoring key performance and key risk indicators via risk and business impact assessments.
Internally assessing, evaluating, and making recommendations regarding the adequacy of implemented security controls.
Exploring opportunities to improve GRC processes through automation and continuous monitoring of information security controls, risks, and exceptions, and development of reporting metrics, dashboards, and evidence artifacts.
Managing the security exception process, including the completion of security exceptions, tracking, and following up on alternative mitigating action items detailed within approved security exceptions.
Coordinating and tracking security-related audits including scope of audits, stakeholder engagement, and deliverable timelines.
Working with teams as appropriate to keep audit focus in scope.
Providing guidance, evaluation, and advocacy on audit responses.
Tracking and implementing corrective action plans resulting from audit findings.
Documenting and reporting control failures and gaps to stakeholders.
Providing remediation guidance and preparing management reports to track remediation activities.
Maintaining the vendor risk management program including vendor reviews and vendor risk assessments; improving the program with the build-out of repositories, tools, and documentation for third-party vendor risk assurance.
Desired Knowledge, Skills, and Abilities:
Strong understanding of fundamental information security concepts and technology.
Knowledge of information security risk management frameworks and compliance practices.
Knowledge of applicable information security management, governance, and compliance principles, practices, laws, rules, and regulations.
Understanding of technical and organizational security vulnerabilities, threats, and risks.
Excellent analytical, problem-solving, and decision-making skills.
Strong communication (written and verbal) and presentation skills.
Strong work ethic with attention to detail.
Willingness to learn and adapt as the situation arises.
Skilled at applying a risk-based approach to planning, executing, and reporting on audit engagements and auditing process.
Skilled in security project management and planning.
Ability to effectively communicate technical issues to diverse audiences, both in writing and verbally.
Ability to work with cross-functional teams across organizational and cultural boundaries to achieve policy and process compliance.
Ability to develop security standards and guidelines based on best practices and industry standards.
Ability to work independently and manage a fluid workload.
Preferred Qualifications:
5+ years of experience in Information Technology, Security Analysis, Governance, Risk and Compliance and/or Internal Audit management.
2+ years of Project Management experience.
Experience working in a highly regulated industry vertical.
Experience working with GRC automation platforms.
Experience in a SaaS company environment; Cloud Security experience is a plus.
Experience performing information security audits or risk assessments.
Experience managing compliance-driven readiness activities as well as remediation and certification efforts.
(e.g., ISO 27001, HIPAA, HITRUST, SOC2, FedRAMP)
Bachelor’s degree in related field or equivalent work experience.
ISACA or (ISC)2 Certification is a plus.