IT/IS GRC Consultant

Health Care Service Corporation
Chicago, IL
$84,400 - $152,300

About The Position

This position is responsible for the governance, architecture, implementation, and enforcement of Information Technology (IT) and Information Security (IS) policies, standards, and procedures to ensure the confidentiality, integrity, and availability of enterprise systems, applications, data, and information resources. The role oversees the analysis, tracking, and remediation of IT and IS policy exceptions, assessment findings, and internal or external risk assessments. The position establishes, maintains, and enforces security baseline requirements across critical technology domains, including but not limited to network security (segmentation, firewalls, secure configurations), identity and access management (multi-factor authentication, least privilege, privileged access controls), endpoint security (hardening standards, endpoint detection and response), data protection (encryption, data classification), and resilience controls such as secure, immutable, and tested backup and recovery capabilities. These requirements are defined in accordance with ISO and NIST control objectives and are regularly assessed for effectiveness. The position maintains continuous awareness of emerging technologies, cybersecurity threats, regulatory requirements, and industry best practices, and provides strategic recommendations for the adoption or modification of technologies, controls, processes, and policies as appropriate. It proactively identifies gaps or deficiencies in existing IT and IS governance frameworks and leads the development or revision of policies, standards, and procedures to address evolving business needs, technology advancements, and future organizational growth. The role conducts and presents risk summaries, metrics, executive briefings, and formal reports to management, advising on material IT and information security risks that may impact business objectives, operational resilience, or regulatory compliance. 
It collaborates closely with enterprise stakeholders and contributes risk intelligence and control evaluation results to the Enterprise Risk Management (ERM) program. Additionally, the position evaluates and recommends IT and information security products, services, and processes to mitigate identified risks and ensure compliance with applicable corporate policies, contractual obligations, laws, and regulatory mandates. It implements and supports IT and information security awareness and training programs, delivering education on security policies, standards, controls, and best practices across the organization. The role partners with subject matter experts (SMEs) to develop and document corrective action and remediation plans, and monitors remediation progress. It serves as a project lead and mentor to junior GRC team members and may lead cross-functional initiatives, functional teams, or compliance-related projects as required.

Requirements

  • Bachelor's degree and 4 years of IT / IS work experience with a broad range of exposure to systems analysis, application development, database design and administration, or 8 years of IT / IS work experience with a broad range of exposure to systems analysis, application development, database design and administration.
  • Understand IT / IS concepts and how to articulate those in terms of risk.
  • Interpret internal or external business issues and concepts and translate those into IT concepts that must be addressed via policy.
  • Understand key IT / IS laws and regulations, such as the Health Insurance Portability and Accountability Act, as well as governance and compliance frameworks (e.g. NIST, COBIT, ITIL, HITRUST).
  • Experience with audit and compliance controls, including previous IT auditing experience and/or technical controls implementation, as well as the ability to respond appropriately to audit and assessment findings.
  • Initiate and invoke creativity to solve complex problems; take an “outside-in” perspective to identify innovative solutions.
  • Collaborate well with individuals across the business and IT, as well as at all levels of the organization.
  • Verbal and written communication skills, including the ability to articulate complex concepts to various technical and non-technical audiences.
  • Experience with and understanding of overall GRC concepts.
  • Work independently, with guidance in only the most complex situations.
  • May lead functional teams or projects.

Nice To Haves

  • Bachelor's degree in Computer Science, Information Systems, or other related field.
  • Experience with a GRC solution.

Responsibilities

  • Governance, architecture, implementation, and enforcement of IT and IS policies, standards, and procedures.
  • Analysis, tracking, and remediation of IT and IS policy exceptions, assessment findings, and risk assessments.
  • Establishment, maintenance, and enforcement of security baseline requirements across critical technology domains.
  • Continuous awareness of emerging technologies, cybersecurity threats, regulatory requirements, and industry best practices.
  • Proactive identification of gaps or deficiencies in IT and IS governance frameworks.
  • Development or revision of policies, standards, and procedures.
  • Conducting and presenting risk summaries, metrics, executive briefings, and formal reports to management.
  • Collaboration with enterprise stakeholders and contribution to the Enterprise Risk Management (ERM) program.
  • Evaluation and recommendation of IT and information security products, services, and processes.
  • Implementation and support of IT and information security awareness and training programs.
  • Development and documentation of corrective action and remediation plans, and monitoring remediation progress.
  • Serving as a project lead and mentor to junior GRC team members.
  • Leading cross-functional initiatives, functional teams, or compliance-related projects as required.

Benefits

  • Health and wellness benefits
  • 401(k) savings plan
  • Pension plan
  • Paid time off
  • Paid parental leave
  • Disability insurance
  • Supplemental life insurance
  • Employee assistance program
  • Paid holidays
  • Tuition reimbursement