GRC Analyst

Pulte Group, Atlanta, GA
70d

About The Position

The GRC Analyst maintains and contributes to the design of the Company's cybersecurity Governance, Risk, and Compliance program (GRC). Plays a key role in assessing technology-related risks and ensuring compliance with relevant regulations, policies, standards, and controls designed to protect the organization's information assets. Provides guidance to less experienced GRC Analysts and leads process improvement efforts within the Information Security team.

Requirements

  • Requires practical knowledge of area typically obtained through advanced education combined with experience.
  • Minimum high school diploma or equivalent (GED) required.
  • Typically requires a university degree or equivalent experience and minimum 2-4 years of prior relevant experience.
  • Depth of knowledge with cybersecurity control frameworks (NIST CSF preferred).
  • Working knowledge of cybersecurity policy lifecycle, standards, and guidelines.
  • Experience with PCI-DSS and SOX.
  • Working knowledge of data governance and privacy regulations.
  • Experience with security awareness techniques and processes in an enterprise environment.
  • Exceptional written and verbal communication skills that can be adjusted to relevant audiences.
  • Analytic and problem-solving skills.

Responsibilities

  • Develops and maintains cybersecurity policies, standards, and guidelines.
  • Implements and monitors compliance with the cybersecurity control framework.
  • Ensures policies are up-to-date and align with industry best practices, regulatory requirements, and cyber frameworks.
  • Communicates policies to relevant stakeholders.
  • Independently develops security awareness training programs and materials.
  • Plans and executes cybersecurity awareness events and communication campaigns.
  • Develops, organizes, and delivers training sessions to employees on security policies and best practices.
  • Monitors and reports on the effectiveness of security awareness initiatives.
  • Collects, analyzes, and presents cybersecurity program performance metrics and key risk indicators (KRIs).
  • Independently conducts regular assessments of cyber risks within applications, platforms, and processes.
  • Identifies risks and develops mitigation strategies and risk management plans.
  • Manages third-party risk by assessing the security posture of external vendors and partners, implementing risk mitigation measures and fostering secure third-party relationships.
  • Ensures appropriate design and operating effectiveness of regulatory and PCI-DSS controls.
  • Manages privacy-related data subject access requests.
  • Monitors compliance and reports effectiveness.
  • Independently performs periodic gap assessments to validate compliance.
  • Monitors regulatory environment and performs impact assessments.
  • Partners with auditors and manages action plans in response to audit discoveries.
  • Performs other duties as assigned.

What This Job Offers

  • Career Level: Mid Level
  • Industry: Construction of Buildings
  • Education Level: Bachelor's degree
  • Number of Employees: 5,001-10,000 employees

© 2024 Teal Labs, Inc