IS Security GRC Analyst

About The Position

Requirements

• A minimum of 10 years of IS experience, with 5 years in an information security role.
• A bachelor's degree in information systems or equivalent work experience; an M.B.A. or M.S. in information security is preferred.
• Certifications Required (3 or more - Security+, CCSP, CISA, CISM, CRISC, CISSP, GIAC, Network+, ITIL, Project+)
• Strong understanding of regulatory requirements, security frameworks, and risk management methodologies (e.g., HIPAA, HITECH, NIST, ISO 27001).
• Experience with security metrics development, policy management, vendor risk assessments, and risk register maintenance.
• Excellent written and verbal communication skills, with the ability to present complex security concepts to diverse audiences.
• Working knowledge of IT/network and cloud architectures sufficient to map controls, evidence, and risks.
• Proficiency with O365; advanced Excel and Power BI for dashboards; Visio for process & control maps.
• Strong written and verbal communication skills.
• Ability to communicate security guidance to a non-technical audience.
• Experience in developing, documenting, and maintaining security policies, processes, procedures, and standards.

Responsibilities

• Develop, review, and update information security policies, procedures, and standards to reflect best practices, regulatory requirements, and evolving threats.
• Monitor regulatory changes and industry trends to ensure ongoing compliance and policy relevance.
• Maintain crosswalks between organization policies and regulatory standards.
• Assist in ensuring compliance with relevant regulatory standards, including HIPAA, HITECH, PCI-DSS, NIST, and other applicable frameworks.
• Design and implement metrics to measure the effectiveness of the information security program, including incident trends, security stack deployment, and risk levels.
• Develop dashboards and reports for senior management, detailing the status of the information security program and highlighting areas for improvement.
• Continuously refine metrics to provide meaningful insights into the organization's security posture.
• Facilitate the process for security policy exceptions, including reviewing requests, meeting with business owners, assessing risk, and documenting approvals.
• Ensure that exception requests are properly tracked, periodically reviewed, and managed according to organizational policies.
• Conduct and/or oversee vendor security risk assessments, evaluating third-party practices for alignment with the organization's security requirements.
• Monitor and reassess vendor risks regularly to account for changes in services, technology, or vendor practices.
• Identify opportunities for improvement in governance, risk, and compliance practices, recommending updates to processes and controls.
• Stay current with emerging security risks, regulatory requirements, and best practices to ensure the ongoing effectiveness of the GRC program.
• Provides expert level guidance to IT staff and the business regarding all Information Security policies, standards, processes, and procedures.
• Works with various infrastructure teams and business units to ensure policy compliance and adherence to security best practices.
• Participates in security projects and provides expert guidance on security policy, process, and procedures for other IT projects.
• Attends various IT meetings that require an IS Security representative.
• Participates in compliance / audit activities as requested by internal and external auditors.
• Supports Brown University Health's Legal e-discovery processes to include identification, collection, preservation and processing of relevant data.
• Manages Governance, Risk and Compliance platform.
• Maintains work effort status within SLA's on Brown University Health's Service Desk and Task Management Platforms.
• Performs other duties as assigned.

Benefits

• Pay Range: $113,519.22-$187,305.66
• Equal Opportunity employer