IT Security Governance, Risk, & Compliance Analyst

Credit Union of America, Wichita, KS
$73,853 - $92,316, Onsite

About The Position

This role is responsible for executing and maintaining Credit Union of America's (CUA) Information Security Governance, Risk, and Compliance (GRC) program. The focus is on the execution, monitoring, and independent validation of governance controls, evidence collection, audit and regulatory examination support, and risk tracking. The position supports ongoing regulatory compliance and risk transparency while maintaining management accountability and decision authority in alignment with applicable regulatory guidance (FFIEC, NCUA, KDCU, GLBA). This role is not eligible for remote employment and requires the candidate to be in-person and onsite in Wichita, KS.

Requirements

  • Three to five years of similar or related experience.
  • A bachelor's degree (e.g., Information Technology, Computer Science, Information Systems), or an equivalent combination of education and demonstrated GRC Analyst experience.
  • Ability to read, interpret, and apply regulatory guidance and examination materials (e.g., FFIEC IT Handbook, GLBA, NCUA guidance).
  • Working knowledge of information security frameworks and standards (e.g., NIST, CRI, ISO 27001).
  • Strong documentation, evidence management, and attention to detail skills suitable for audit and regulatory scrutiny.
  • Effective written, verbal, and presentation communication skills, with the ability to translate technical or compliance information into clear, user-friendly formats.
  • Strong organizational, prioritization, and time management skills to manage multiple concurrent GRC activities.
  • Ability to work independently while collaborating effectively across technical, operational, and business teams.
  • Foundational understanding of common IT infrastructure, security concepts, and control environments.
  • Complete required online regulatory training courses with a score of 80% or higher.

Nice To Haves

  • GRC or audit-related certifications (e.g., Security+, CISA, CRISC, or similar) are preferred but not required.

Responsibilities

  • Coordinate, collect, and maintain evidence required for internal audits, external audits, and regulatory examinations (e.g., NCUA, FFIEC, GLBA).
  • Support regulatory and audit examinations by preparing documentation, responding to evidence requests, and tracking follow-up items.
  • Track audit and examination findings, remediation activities, and management responses to ensure timely and documented closure.
  • Perform periodic internal compliance reviews and control testing to validate adherence to approved security policies, standards, and procedures.
  • Support the Vendor Risk Management (VRM) program by reviewing third-party security documentation, SOC reports, and due-diligence artifacts in accordance with established risk assessment standards.
  • Maintain and update the Information Security Risk Register, ensuring risks are clearly documented, assessed, tracked, and mapped to appropriate mitigation or acceptance decisions.
  • Monitor risk remediation timelines and escalate overdue or unresolved items through established governance and reporting channels.
  • Assist in the drafting, updating, maintenance, and version control of Information Security policies, standards, and operational procedures.
  • Ensure governance documentation remains current, internally consistent, and aligned with regulatory updates, audit outcomes, and business practices.
  • Track required policy and procedure reviews and coordinate stakeholder input as directed by the Information Security Officer (ISO).
  • Facilitate recurring governance activities including Role-Based Access Control (RBAC) reviews, access attestations, and control validation by coordinating with HR, IT, and business unit leaders.
  • Coordinate and track Information Security awareness training and phishing simulation activities, maintaining required evidence and completion metrics.
  • Prepare governance materials, dashboards, and summaries for committees (e.g., IT Steering Committee) focused on compliance posture, control coverage, and risk status.
  • Support execution of approved Information Security and Insider Threat Program elements by monitoring policy adherence and control effectiveness.
  • Maintain key compliance, governance, and risk metrics (KPIs/KRIs) used for management and executive reporting.
  • Provide accurate, timely data and documentation to support management review and decision making; interpretive analysis and risk acceptance decisions remain with the ISO and executive leadership.
  • Perform other duties as assigned by supervisor.
  • Employees shall be trained annually, demonstrate an understanding of, and follow the requirements of the BSA/AML Compliance Program as it specifically relates to their job.