Security Risk and Compliance Analyst

About The Position

Requirements

• 3+ years of experience in Governance, Risk, and Compliance (GRC), information security, or a closely related field—internships and co-ops count.
• Foundational knowledge of security compliance frameworks such as SOC 2, ISO 27001, NIST CSF, or FedRAMP; you don’t need to be an expert in all of them.
• Comfortable engaging with a wide variety of teams—Engineering, People, IT, Legal—to explain compliance requirements, gather evidence, and build the relationships needed to close control gaps.
• Organized and deadline-driven: you can manage multiple workstreams, track time-sensitive obligations (like monthly FedRAMP submissions), and keep audit artifacts tidy without being reminded.
• A clear communicator who can translate compliance requirements into plain language for both technical and non-technical stakeholders.
• Curious about how modern SaaS engineering works—comfortable asking questions and learning the technical context behind a control.

Nice To Haves

• Exposure to compliance automation or evidence collection tooling (GRC platforms, scripting, API integrations) is a plus, but not essential—curiosity and a willingness to grow technically matter more.
• Identify opportunities to automate repetitive evidence-gathering tasks—this is a nice-to-have rather than a core requirement, but curiosity and initiative here will be valued.

Responsibilities

• Support the maintenance and continuous improvement of Asana’s control framework, tracking control effectiveness across SOC 2, ISO 27001, FedRAMP Moderate, and other applicable standards.
• Proactively engage with a wide range of teams—including Engineering, IT, and People—to work through controls maturity activities, close existing gaps, and drive remediation efforts to completion with clear documentation of progress.
• Build strong working relationships across the business so that control owners feel supported and accountability is shared, not siloed within the compliance team.
• Contribute to controls maturity scoring and reporting, providing ongoing visibility into program health for senior leadership.
• Support external compliance audits end-to-end: coordinating evidence requests, liaising with auditors, and tracking findings through to closure.
• Own the monthly FedRAMP ConMon package submission, ensuring it is accurate, complete, and delivered on time every month.
• Track and drive completion of all timebound FedRAMP requirements by working closely with Engineering, People, and other responsible teams.
• Maintain a clear calendar of FedRAMP deliverables and proactively flag risks to timelines, escalating where needed to ensure nothing slips.
• Serve as a day-to-day point of contact for FedRAMP-related queries from internal teams, helping them understand their obligations and what good looks like.
• Own evidence collection workflows within our GRC platform, ensuring controls are reliably mapped, evidence is current, and audit artifacts are ready year-round.
• Document evidence collection procedures so that processes are transparent, auditable, and maintainable by the broader team.

Benefits

• Mental health, wellness & fitness benefits
• Career coaching & support
• Inclusive family building benefits
• Long-term savings or retirement plans
• In-office culinary options to cater to your dietary preferences