Security Risk and Compliance Analyst

Asana, San Francisco, CA
Hybrid

About The Position

As a Security Risk and Compliance Analyst, you will play a hands-on role in maturing and operating Asana’s compliance and certification program. This includes focusing on controls maturity, policy governance, and audit execution. The role sits at the intersection of traditional GRC work and compliance engineering, involving the maintenance of control frameworks, running audit cycles, and contributing to automation initiatives for scalability and repeatability. This is an opportunity for someone with early-career GRC experience to grow technical skills and influence how a high-growth SaaS company approaches compliance automation. You will collaborate with Security Engineering, Legal, Privacy, and R&D to ensure effective controls, reliable evidence pipelines, and rigorous maintenance of certifications like SOC 2, ISO 27001, and FedRAMP. This role is based in the San Francisco office with an office-centric hybrid schedule, with standard in-office days on Monday, Tuesday, and Thursday, and the option to work from home on Wednesdays.

Requirements

  • 3+ years of experience in Governance, Risk, and Compliance (GRC), information security, or a closely related field—internships and co-ops count.
  • Foundational knowledge of security compliance frameworks such as SOC 2, ISO 27001, NIST CSF, or FedRAMP.
  • Comfortable engaging with a wide variety of teams—Engineering, People, IT, Legal—to explain compliance requirements, gather evidence, and build the relationships needed to close control gaps.
  • Organized and deadline-driven: you can manage multiple workstreams, track time-sensitive obligations (like monthly FedRAMP submissions), and keep audit artifacts tidy.
  • A clear communicator who can translate compliance requirements into plain language for both technical and non-technical stakeholders.
  • Curious about how modern SaaS engineering works—comfortable asking questions and learning the technical context behind a control.

Nice To Haves

  • Exposure to compliance automation or evidence collection tooling (GRC platforms, scripting, API integrations) is a plus, but not essential—curiosity and a willingness to grow technically matter more.
  • Identify opportunities to automate repetitive evidence-gathering tasks.

Responsibilities

  • Support the maintenance and continuous improvement of Asana’s control framework, tracking control effectiveness across SOC 2, ISO 27001, FedRAMP Moderate, and other applicable standards.
  • Proactively engage with teams like Engineering, IT, and People to work through controls maturity activities, close existing gaps, and drive remediation efforts to completion with clear documentation of progress.
  • Build strong working relationships across the business so that control owners feel supported and accountability is shared.
  • Contribute to controls maturity scoring and reporting, providing ongoing visibility into program health for senior leadership.
  • Support external compliance audits end-to-end: coordinating evidence requests, liaising with auditors, and tracking findings through to closure.
  • Own the monthly FedRAMP ConMon package submission, ensuring it is accurate, complete, and delivered on time.
  • Track and drive completion of all timebound FedRAMP requirements by working closely with Engineering, People, and other responsible teams.
  • Maintain a clear calendar of FedRAMP deliverables and proactively flag risks to timelines, escalating where needed.
  • Serve as a day-to-day point of contact for FedRAMP-related queries from internal teams, helping them understand their obligations.
  • Own evidence collection workflows within our GRC platform, ensuring controls are reliably mapped, evidence is current, and audit artifacts are ready year-round.
  • Document evidence collection procedures so that processes are transparent, auditable, and maintainable by the broader team.

Benefits

  • Mental health, wellness & fitness benefits
  • Career coaching & support
  • Inclusive family building benefits
  • Long-term savings or retirement plans
  • In-office culinary options to cater to your dietary preferences