GRC Analyst – Enterprise & Third Party Risk

Caris Life Sciences, Irving, TX

About The Position

Working as part of the Information Security Team, the GRC Analyst – Enterprise & Third Party Risk will support and lead internal risk assessments, exception reviews, and third-party risk management activities. This role plays a critical part in identifying, assessing, and monitoring risks across internal systems and third-party vendors while ensuring that exceptions to policy are appropriately evaluated and documented. The ideal candidate will bring strong analytical capabilities and a proactive approach to governance, risk, and compliance.

Requirements

  • Bachelor’s degree in Information Security, Risk Management, or a related field; or equivalent work experience.
  • Minimum of 4 years of experience in Information Security Risk Management, Third-Party Risk, or GRC functions.
  • Strong understanding of internal control assessments, exception management, and third-party/vendor risk practices.
  • Familiarity with legal and regulatory compliance standards such as HIPAA, SOX, GDPR, etc.
  • Knowledge of security and risk frameworks such as NIST Cybersecurity Framework, ISO 27001, and CIS Controls.
  • Excellent communication skills with the ability to collaborate effectively across technical and non-technical teams.
  • Ability to translate technical risks into business impacts for non-technical audiences.
  • Strong analytical and problem-solving abilities with experience interpreting risk data to drive decision-making.
  • Demonstrated ability to manage multiple assessments or projects simultaneously in a fast-paced environment.
  • Experience writing policies, standards, procedures, or risk documentation.
  • Working knowledge of data protection concepts such as data classification, encryption, access management, and secure data handling.
  • Proficiency in Microsoft Excel, PowerPoint, and other data/reporting tools commonly used to support risk analysis and presentations.
  • Ability to work independently with minimal supervision while maintaining a high attention to detail.

Nice To Haves

  • Industry certifications such as CISA, CRISC, CISSP are highly desirable.
  • Experience using GRC or IRM platforms (e.g., Compyl, AuditBoard, RSA Archer, LogicGate, or similar).
  • Experience with SOC 2, PCI-DSS, HITRUST, or other security compliance frameworks.
  • Experience in healthcare or life sciences industry is a plus.
  • Background supporting cloud security or assessing cloud service providers (AWS, Azure, GCP).
  • Experience conducting business impact analyses (BIA) or participating in business continuity/disaster recovery planning.
  • Prior involvement in incident response processes or evaluating post-incident risk implications.
  • Strong understanding of contract language related to security, privacy, liability, and service-level obligations.
  • Familiarity with quantitative risk analysis methodologies (e.g., FAIR).
  • Experience working in organizations undergoing rapid growth, security transformation, or compliance maturity improvements.

Responsibilities

  • Conduct internal risk assessments across business units, systems, applications and processes to identify potential security, operational, and compliance risks.
  • Develop and maintain the internal risk register and facilitate periodic risk reviews with control owners and business stakeholders.
  • Develop dashboards, reports, and metrics to communicate risk status, trends, and program effectiveness to leadership.
  • Evaluate risk exception requests, perform risk-based analysis, and ensure appropriate documentation, approval, and tracking.
  • Lead and support third-party risk management activities including vendor due diligence, risk assessments, contract reviews, and ongoing monitoring.
  • Partner with procurement, legal, and business stakeholders to embed security and risk requirements into vendor lifecycle processes.
  • Assist in defining and maintaining IT and organizational policies, standards, and procedures related to security, risk, and compliance.
  • Support internal and external audits (e.g., HIPAA, SOX, GDPR) by collecting evidence and addressing audit findings and recommendations.
  • Collaborate with IT and business teams to assess the adequacy and effectiveness of internal controls and drive remediation efforts.
  • Conduct periodic gap assessments and ensure controls are maintained to support ongoing compliance.
  • Stay abreast of changes in regulatory requirements and industry best practices related to risk management, third-party governance, and cybersecurity.
  • Assist with the creation and delivery of security awareness training related to risk, vendor management, and compliance requirements.
  • Participate in the development and maintenance of business continuity, disaster recovery, and incident response processes from a risk perspective.

Benefits

  • The individual must successfully complete the pre-employment process, which includes a criminal background check, drug screening, credit check (applicable for certain positions), and reference verification.
© 2026 Teal Labs, Inc