Senior Risk and Compliance Analyst

About The Position

Requirements

• Bachelor’s degree in information systems, IT audit, cybersecurity or a related degree program is required.
• Three to seven years of experience in IT audit, GRC, cloud security compliance or related roles.
• Relevant certifications such as CISA, CRISC, CISM or AWS are required
• Hands-on experience supporting IT audits, compliance assessments or GRC programs.
• Experience with industry regulations (e.g., HIPAA, GDPR, CCPA), GovRAMP, FedRAMP, CMMC and leading frameworks such as AICPA Trust Services Criteria, NIST 800-53 and ISO 27001.
• Practical experience navigating the AWS Management Console for security and compliance evidence collection and understanding key AWS security concepts.
• Strong technical skills in auditing, controls and cybersecurity; Big Four experience a plus.
• Excellent communication, presentation and negotiation skills, with the ability to influence internal and external stakeholders and write policies and controls documentation.
• Exceptional organizational and program management skills with a keen attention to detail.
• Applicants must be authorized to work for Laserfiche in the United States on a full-time basis without the need for employer sponsorship. We are unable to sponsor new employment visas, or take over sponsorship of existing employment visas, at this time.

Responsibilities

• Perform internal audits, IT general computer controls testing, application security assessments and ongoing risk assessments.
• Update risk registers and track findings, corrective action plans and remediation activities.
• Support ongoing risk reporting and metrics tracking for internal stakeholders and executive leadership.
• Ensure evidence is accurate, current and audit-ready.
• Coordinate and manage external audits and assessments, including evidence requests, with auditors, 3PAOs, GovRAMP PMO, FedRAMP PMO and security firms.
• Prepare and submit continuous monitoring reports and supporting artifacts to GovRAMP.
• Safeguard Laserfiche information in accordance with Laserfiche Information Security Policies.
• Perform technical validation of security controls using the AWS Management Console.
• Review and collect evidence related to AWS services, configurations and security controls, including IAM, logging, encryption and monitoring.
• Partner with ITS and Development to validate cloud control implementation and operating effectiveness.
• Support corporate and cloud security documentation and evidence mapping to NIST 800-53, ISO 27001, SOC 2, CIS controls and other applicable control frameworks and standards.
• Identify control gaps or inconsistencies and escalate findings through established GRC processes.
• Document, test and monitor IT, application and data privacy controls as part of an ongoing GRC program.
• Maintain control matrices, control narratives and framework mappings.
• Collaborate with department stakeholders and Legal to perform privacy impact assessments (PIAs) and data protection impact assessments (DPIAs).
• Support data mapping, data inventories and data privacy compliance documentation.
• Update policies, procedures and standards under the direction of GRC leadership.
• Perform vendor risk management assessments for third-party service providers.
• Track vendor remediation activities and risk treatment plans.
• Update business impact analyses (BIAs) and business continuity plans (BCPs).
• Coordinate with ITS and Development on disaster recovery plan updates and testing.
• Respond to customer security questionnaires, RFPs and security and AI due diligence requests.
• Maintain and update standard assurance artifacts such as HECVAT, CAIQ and similar documents for customer distribution.
• Partner with Sales, Legal and ITS to ensure responses are accurate, consistent and approved.
• Monitor customer contractual security and compliance requirements and flag risks or gaps.

Benefits

• Generous time off:
• 15 Days of Vacation
• 3 Floating Holidays
• 2 Paid Volunteer Days
• 9 Paid Holidays
• Hybrid Work Environment
• Free Parking: covered and EV charging stations
• Various 401 (k) Investment Options and Generous Company Match
• HMO and PPO Medical Care Options