Governance, Risk & Compliance (GRC) Senior Specialist

The Position:

We are seeking a detail-oriented experienced Governance, Risk & Compliance (GRC) Senior Specialist to assist with leading and supporting the organization’s governance, risk, and compliance initiatives. Under the direction of Management the incumbent will perform IT risk assessments, ensure controls, policies and procedures and resources are in place for IT and Security teams to effectively manage risk. The GRC Specialist will articulate risk appetite and advocate risk culture; act as a challenge function by providing questions and feedback across multiple functions. In addition, the specialist will work to ensure that the company’s operations align with relevant regulations, internal policies, standards and risk management frameworks. The ideal candidate will have a strong understanding of risk management principles, compliance standards, and information security best practices. As the program evolves the role will be responsible for maturing the GRC operations. 

Essential Responsibilities:

Governance & Compliance: 

• Assist in developing and maintaining internal control frameworks, policies, and procedures that align with industry regulations (e.g., ISO 27001, SOX, GDPR, HIPAA). 
• Ensure organizational compliance with legal and regulatory requirements. 
• Monitor and report on compliance with data privacy regulations and internal security policies. 
• Collaborate with departments to implement and improve governance processes. 
• Track and report on GRC metrics, KPIs, and audit remediation activities 

Risk Management: 

• Contribute to enhancing IT and Security risk management program 
• Perform risk assessments, identifying vulnerabilities, threats, and control gaps. 
• Conduct vendor risk management reviews, evaluating the risk posed by third-party service providers. 
• Support the implementation of risk management frameworks and tools. 
• Provide recommendations for mitigating identified risks and ensuring effective remediation strategies. 
• Monitor and track risk treatment plans and risk acceptance decisions. 

Internal Audit Support: 

• Assist in internal and external audits to ensure audit testing are conducted in a cooperative, timely efficient manner with value added reporting and cost effective recommendation being provide to management to strengthen IT and Security conrols. 
• Conduct audits of high risk processes within IT and Security functions to ensure compliance with policies and standards. 
• Work with IT process owners to identify/improve and document detail controls for key applications, security and infrastructure components relating to compliance with SOX, GDPR, HIPPA, ISO27000 etc. 
• Provide periodic reports to leadership on open issues and remediation status. 
• Establish and maintain IT and Cybersecurity risk register. 
• Track audit findings in the appropriate risk and audit findings registers. Work with control owners to ensure findings are remediated on a timely basis. 

Incident Response: 

• Assist in developing and improving the organization's incident response plan. 
• Participate in incident investigations and support post-incident reviews to identify control weaknesses. 
• Familiar with risk management and controls frameworks, cyber kill chain and NIST incident response lifecycle 
• Document and define improvements over incident playbooks 
• Perform root cause analysis and lessons learned reporting 
• Maintain incident response tracker

Training & Awareness: 

• Contribute to the development of security awareness training programs and conduct training sessions as needed. 
• Ensure the organization’s Cybersecurity Training and Awareness program meets industry regulations, standards , and compliance requirements. 
• Communicate changes in regulatory requirements and provide guidance on compliance best practices to employees. 

Who You Are:

• Bachelor’s degree in Information Security, Risk Management, Business Administration, or a related field. 
• 5+ years of experience in GRC, information security, risk management, or compliance. 
• Experience with regulatory frameworks such as ISO 27001, NIST, SOX, PCI-DSS, GDPR, HIPAA, etc. 
• Experience in risk assessments and compliance audits is preferred. 
• Strong knowledge of risk management and compliance frameworks. 
• Familiarity with third-party vendor risk management practices. 
• Excellent communication and report-writing skills. 
• Detail-oriented with the ability to analyze complex regulatory requirements. 
• Proficient in using GRC tools and software for tracking and managing compliance/risk activities. 
• Ability to manage multiple projects and take on other security tasks as needed 

Certifications (Preferred): 

• Certified Information Systems Auditor (CISA) 
• Certified Information Security Manager (CISM) 
• Certified Information Systems Security Professional (CISSP) 
• Certified in Risk and Information Systems Control (CRISC) 
• Certified Information Privacy Professional (CIPP) 

#LI-Remote