SIPR Governance, Risk, and Compliance (GRC) & Security Specialist

About The Position

Requirements

• Active TS clearance
• 10+ years of position related experience in GRC systems, SAP ECC/BI Security, Audit & Compliance, Critical Access Monitoring.
• MA/MS degree
• The candidate must demonstrate mastery of the GRC system and its related processes:
• Ticket & Workflow Management: Experience managing the full lifecycle of GRC tickets to support user access provisioning. Must be able to articulate the purpose of each stage in the GRC workflow.
• Segregation of Duties (SOD) Analysis: Experience conducting SOD simulations to identify and mitigate potential conflicts before assigning roles.
• User Support & Training: Experience delivering GRC training to groups of end-users.
• Process Documentation: Experience guide users in completing 4th Tier Hierarchy worksheets to facilitate security role updates. Ability to develop job aids and process documentation (e.g., how to request a FireFighter ID).
• Issue Resolution: Understand the utilization of GRC "escape paths" to resolve complex access issues.
• The candidate must have a strong technical foundation in SAP ECC/BI Security concepts and administration.
• SAP Transactions: Proficiency in executing and understanding the purpose of key SAP transactions, including: SE16n, SU01D, SUIM, SU53, WE02, FMZ3, and SM37.
• Role Design & Objects: Experience & knowledge of SAP role design (single vs. composite) and a thorough understanding of core authorization objects (e.g., S_TABU_DIS, S_PROGRAM, S_USR_ tables).
• Requirements Translation: Proven ability to gather functional requirements from business users and translate them into clear, actionable specifications for the SAP Security team.
• The candidate must be experienced in Audit & Compliance, navigating the demands of both internal and external audits.
• Audit Participation: Direct experience participating in multiple cycles of internal and external audits, including responding to Provided by Client (PBC) requests.
• SOC Audits: Direct experience facilitating SOC-1 and SOC-2 audits in a federal environment. Must be able to articulate their specific role, contributions, and challenges faced.
• Auditor Communication: Adept at discussing Segregation of Duties (SOD) controls and policies with internal and external auditors.
• Control Examination: Ability to examine controls related to security, availability, processing integrity, and privacy, and provide concrete examples of evidence supplied for audit reviews such as responding to NFRs (notice of findings and recommendations), describing significance of a POAM (plan of action & milestones), and responding to PBCs (provided by client).
• Must be experienced in User Access Reviews & System Proficiency, in cyclical user access reviews and must be proficient in using a help desk system.
• Critical Access Monitoring (CAM): Experience with the CAM process, including its purpose, risks, and benefits, as well as engaging directly with end-users.
• User Reaffirmation: Proven ability to execute User Reaffirmation cycles, guiding users on removing unnecessary roles and resolving identified SOD conflicts.
• ServiceNow: Proficiency in using ServiceNow as a help desk ticketing system to manage and resolve incidents.

Nice To Haves

• Experience in Physical Security is a plus:
• Role requires availability to either open SIPR office space at 0700EST daily or close SIPR 1700EST M-F.
• Experience using DISS: creating Visitor Access Requests (VARS) and verifying background clearances.

Responsibilities

• Managing GRC system and its related processes:
• Manage the full lifecycle of GRC tickets to support user access provisioning.
• Conduct Segregation of Duties (SOD) Analysis simulations to identify and mitigate potential conflicts before assigning roles. This includes creating mock requests to troubleshoot user-reported issues.
• Deliver User Support & GRC training to groups of end-users, such as Supervisors and Role Approvers.
• Guide users in completing 4th Tier Hierarchy worksheets to facilitate security role updates, Developing job aids and process documentation.
• Working on SAP ECC/BI Security concepts and administration:
• Execute SAP Transactions.
• Conducging SAP Role Design & Objects.
• Gathering functional requirements from business users and translating them into clear, actionable specifications for the SAP Security team.
• Navigating Audit & Compliance
• Participating in multiple cycles of internal and external audits.
• Facilitating SOC-1 and SOC-2 audits.
• Conducting Control Examination related to security, availability, processing integrity, and privacy.
• Responsible for User Access Reviews & Systems
• Conducting Critical Access Monitoring (CAM) and engaging directly with end-users.
• Executing User Reaffirmation cycles, guiding users on removing unnecessary roles and resolving identified SOD conflicts.
• Managing and resolving incidents in ServiceNow.
• As a part of FSO duties, conducting Physical Security in SCIF:
• Either opening SIPR office space at 0700EST daily or close SIPR 1700EST M-F.
• Creating Visitor Access Requests (VARS) and verifying background clearances.
• Maintain sign-in and sign-out roster for visitors; Monitor and assist during on-site classified meetings.

Benefits

• competitive compensation
• industry-leading 401k contribution