About The Position

The Information Security GRC Analyst II reports to an Information Security Manager or Information Security Team Leader. Under indirect supervision, the Information Security GRC Analyst II provides governance, risk management, and compliance functions to enable safe and secure information services to support the academic, research, and healthcare missions of MUSC. This position helps design, implement, manage, and monitor technical, administrative, and physical controls to protect the confidentiality, integrity, and availability of the organization's information assets.

Requirements

  • Bachelor's degree in information security, information assurance, computer science, cybersecurity, risk management, or a related field required.
  • Minimum 2 years of IT security experience with a Bachelor's degree, OR 4-7 years of hands-on experience in information security, GRC, compliance, audit, or related IT experience.
  • Advanced analytical and problem-solving skills with the ability to assess complex security and compliance issues.
  • Solid understanding of information security risk concepts, principles, and assessment methodologies.
  • Experience with security and compliance frameworks including one or more of: ISO 27000 series, HIPAA/HITECH, FERPA, PCI-DSS, and NIST/FISMA frameworks.
  • Strong written and verbal communication skills with the ability to communicate technical concepts to non-technical stakeholders.
  • Ability to work independently and collaboratively across multiple departments and teams.
  • Proficiency with GRC tools, risk assessment methodologies, and compliance tracking systems.

Nice To Haves

  • Strong familiarity with compliance requirements affecting academic medical centers.
  • Knowledge of NIST Cybersecurity Framework 2.0 and NIST SP 800-53 controls.
  • Experience conducting risk assessments in healthcare or higher education environments.
  • Experience with GRC platforms (e.g., ServiceNow GRC or similar).
  • Advanced level certifications such as: CISSP, CCSP, or SSCP (ISC²), GIAC Security Essentials (GSEC), Healthcare Information Security and Privacy Practitioner (HCISPP).

Responsibilities

  • Develop, maintain, and communicate information security policies, standards, procedures, and guidelines in alignment with organizational objectives and regulatory requirements.
  • Support the information security governance framework and participate in security steering committees.
  • Maintain comprehensive documentation of security controls, processes, and procedures.
  • Coordinate security program initiatives and track remediation efforts across departments.
  • Facilitate security review processes for new technologies, systems, and business initiatives.
  • Conduct information security risk assessments and business impact analyses for systems, applications, and business processes.
  • Identify, analyze, and evaluate security risks to information assets using quantitative and qualitative methodologies.
  • Develop risk treatment plans and track risk mitigation activities to completion.
  • Maintain the information security risk register and provide regular risk reporting to leadership and stakeholders.
  • Support third-party vendor risk assessments and ongoing vendor management activities.
  • Participate in change advisory boards to assess security risks of proposed changes.
  • Monitor and assess compliance with applicable regulations including HIPAA/HITECH, FERPA, PCI-DSS, and other relevant frameworks.
  • Coordinate and support internal and external audits and assessments.
  • Conduct gap analyses against regulatory requirements and industry frameworks including NIST Cybersecurity Framework 2.0.
  • Track and report on compliance metrics, control effectiveness, and key performance indicators.
  • Develop and implement remediation plans for compliance deficiencies.
  • Support incident response activities with a focus on regulatory reporting and breach notification requirements.
  • Maintain evidence of compliance for audit purposes.

What This Job Offers

  • Job Type: Full-time
  • Education Level: Bachelor's degree
  • Number of Employees: 5,001-10,000 employees
