Information Security GRC Engineer (OneTrust / NIST)

Hybrid in Plano, TX, US • Posted 11 hours ago • Updated 11 hours ago
Contract Independent
Contract Corp To Corp
Contract W2
No Travel Required
Hybrid
$60 - $70/hr

Job Details

Skills

  • GRC platforms (OneTrust preferred; Archer/ServiceNow GRC acceptable with a commitment to ramp up on OneTrust).
  • GRC

Summary

Information Security GRC Engineer (OneTrust / NIST)

Hybrid, Plano, Texas

12+ months ongoing contract.


Description:

We are seeking a hands-on GRC Engineer and risk analytics professional who will implement and scale a NIST-aligned control and risk framework in OneTrust, while also conducting targeted risk and control assessments to validate design and operating effectiveness. Reporting to the TFSB CISO, you will connect process, data, and automation so that department leaders can see, and reduce, risk in near real time through role-based dashboards and scorecards. You will partner with Security Engineering, IT, Audit, and business control owners to streamline assessments, evidence collection, POA&M tracking, and reporting.

Focus split: approximately 70% OneTrust configuration, integrations, data modeling, and dashboards; approximately 30% targeted assessments and facilitation.

Module ownership on Day 1: OneTrust Integrated Risk Management (IRM) and Third Party Risk Management (TPRM).


What you’ll be doing:

  • Model the control framework in OneTrust: map NIST CSF and NIST 800-53 control families, control objectives, test procedures, evidence types, and ownership.
  • Configure assessment templates (application/infrastructure, inherent/residual risk, third-party due diligence, control attestations) with automated workflows, notifications, and approvals.
  • Stand up a POA&M lifecycle (defect creation, risk acceptance, due dates, escalations, verifications) and connect it to tickets for remediation traceability.
  • Build role-based dashboards and departmental scorecards that surface KRIs/KPIs (e.g., control coverage, overdue actions, risk heatmaps, SLA adherence).
  • Establish a data taxonomy and metadata (assets, business processes, data classifications) aligned to controls and obligations to support consistent analytics.
  • Own the end-to-end third-party risk workflow in OneTrust: inherent risk profiling, tiering, questionnaire selection, and residual risk calculation.
  • Design and maintain due diligence questionnaires and control attestations; streamline evidence collection and follow-ups via automated reminders and SLAs.
  • Track remediation and POA&Ms for vendors; manage risk acceptances, exceptions, and expirations with clear ownership and timelines.
  • Publish vendor scorecards and portfolio-level insights for department leaders; highlight concentration risk, critical suppliers, and overdue actions.
  • Integrate TPRM data with IRM objects (assets, processes, controls) to show end-to-end exposure and dependencies.
  • Integrate OneTrust with the CMDB and risk-reporting platforms to auto-enrich risks, controls, and assets.
  • Define data quality rules and reconciliation checks; implement connectors or API jobs to keep dashboards near real time and reduce manual evidence collection.
  • Partner with Analytics to publish curated Power BI datasets for executives and technical teams.
  • Conduct spot assessments and control testing to validate design and operating effectiveness and to calibrate automation.
  • Translate FFIEC/GLBA/SOX and policy requirements into measurable controls and department-owned obligations; document rationales and residual risk.
  • Facilitate remediation planning with control owners; track POA&Ms and risk acceptances to closure with a clear RACI and deadlines.
  • Create playbooks, test scripts, and user guides; run enablement sessions for control owners and assessors to drive adoption.


What you’ll deliver in the first 6–12 months:

  • A fully modeled NIST-aligned control catalog in OneTrust IRM and TPRM, complete with owners, testing procedures, evidence, and mapped obligations.
  • 3–5 data integrations operational (for instance, CMDB, Archer, Posture Management) enabling automated evidence and asset-to-control mapping.
  • Departmental scorecards along with an executive dashboard (showing trendlines, heatmaps, top risks, overdue actions, and risk reduction by department).
  • Enhanced assessment throughput with a reduced cycle time (targeting a 30–40% improvement from baseline).
  • Improved on-time completion of POA&Ms (targeting an increase of 20–30%) with a decrease in repeat findings through structured root-cause identification.
  • Published and operational governance framework artifacts (including a governance calendar, defined roles, training materials, and standard operating procedures).


Requirements:

  • 5+ years of hands-on experience implementing/administering GRC platforms (OneTrust preferred; Archer/ServiceNow GRC acceptable with a commitment to ramp up on OneTrust).
  • Working knowledge of NIST CSF and NIST 800-53 and of how to translate obligations into measurable controls and tests.
  • Experience configuring questionnaires, workflows, object models, and APIs, and building role-based dashboards.
  • Data skills in Power BI, SQL, or Python for data preparation/transformations that feed analytics.
  • Ability to tell the risk story: translate technical signal into business-relevant insights for department leaders.
  • Bachelor's degree or equivalent practical experience.

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.
  • Dice Id: 91093412
  • Position Id: 8905588

Company Info

About Montek Systems

Montek Systems is an engineering and technology services firm providing client-focused solutions in select global industries. Montek Systems provides global engineering and technology solutions and professional staffing services through its global business operations.

We deliver staffing solutions and recruitment services to leading companies with operations worldwide. Montek Systems helps you obtain or fill a wide variety of positions and opportunities. We offer five years of experience contracting full-time positions with clients in a wide range of industries, specializing in IT and engineering recruiting. Our main focus is within the United States and Canada.
