Senior GRC Analyst - IT Governance, Risk & Compliance

Atlanta, GA, US • Posted 11 hours ago • Updated 2 hours ago
Contract W2
On-site
USD55 - USD65/hr
Job Details

Skills

  • Senior GRC Analyst - IT Governance
  • Risk & Compliance

Summary

GDOT is building a Governance, Risk, and Compliance (GRC) function within the Office of Information Technology to establish formal risk management, regulatory framework alignment, and audit readiness practices. This senior-level role is responsible for designing the GRC program structure, implementing and operating core GRC processes, and influencing risk-based decision-making across the department. This is a foundational, high-ownership role for an experienced GRC professional who can operate independently, establish processes from the ground up, and build a function that scales.
location: Atlanta, Georgia

job type: Contract

salary: $55 - 65 per hour

work hours: 8am to 5pm

education: Bachelors
responsibilities:

Risk Register Stewardship

- Establish and maintain the Enterprise IT Risk Register, including risk identification, categorization, likelihood/impact scoring, and ownership assignment.
- Provide leadership with regular risk reporting and a clear view of GDOT's IT risk environment.
- Track remediation of identified risks to closure and escalate high/critical risks appropriately.

Framework Implementation & Gap Analysis

- Lead the mapping of GDOT's IT controls against applicable state-mandated and industry frameworks (e.g., NIST 800-53, NIST CSF).
- Perform gap analyses, document findings, and develop remediation roadmaps in partnership with control owners.
- Track control maturity over time and report progress to leadership.

Policy & SOP Governance

- Draft, maintain, and periodically audit GDOT IT policies and standard operating procedures.
- Manage the policy lifecycle: drafting, technical review, approval routing, publication, and periodic re-certification.
- Verify that SOPs are being followed by IT teams through documented evidence rather than self-attestation.

Third-Party Risk Management (TPRM)

- Own the vendor and cloud service provider risk review process, including intake, contract review, and risk documentation.
- Evaluate vendor security posture (e.g., SOC 2 reports, architecture review findings) in coordination with technical subject matter experts.
- Maintain the vendor risk register and manage risk acceptance documentation when vendor posture does not fully meet GDOT requirements.

Evidence Collection & Audit Readiness

- Serve as a primary liaison for state and external auditors.
- Build and maintain a centralized Library of Evidence, ensuring change control logs, access reviews, and other compliance artifacts are organized and audit-ready at all times.
- Coordinate evidence requests across IT teams and track completion against defined timelines.

Access Governance

- Define and maintain the schedule and standards for periodic access reviews of mission-critical systems.
- Validate completed access reviews against the principle of least privilege and document findings.
- Track remediation of excessive or inappropriate access identified during reviews.

Program Leadership Scope

This role carries direct responsibility for the following program-level functions:

- Designing the overall GRC program structure, including process design, tooling strategy, and prioritization roadmap.
- Establishing GRC policy and methodology standards that scale as the function grows.
- Mentoring and providing technical direction to additional GRC team members as the function expands.
- Representing GRC in cross-functional governance discussions and advising leadership on risk-based prioritization.


What Success Looks Like in the First 12 Months

- 90 days: Risk register established and populated. Initial framework gap analysis underway. Evidence library structure in place.
- 6 months: Framework gap analysis complete with a documented remediation roadmap. Vendor risk review process operating for new vendor engagements. First formal policy review cycle completed.
- 12 months: Functioning evidence collection cadence across IT teams. Access review program operating on a defined schedule. GDOT positioned with organized, audit-ready documentation ahead of the next external review cycle.

qualifications:

- 5+ years of experience in GRC, IT audit, information security compliance, or a closely related field, including experience building or significantly maturing a GRC function from an early stage.
- Direct hands-on experience with at least one major framework (NIST 800-53, NIST CSF, ISO 27001, or equivalent), including control mapping and gap analysis.
- Experience conducting or supporting third-party/vendor risk assessments, including review of SOC 2 reports and contract risk language.
- Experience supporting or leading evidence collection and audit response for an external audit (state, federal, or industry).
- Strong written communication skills, with demonstrated ability to draft clear policy and procedure documentation.
- Ability to operate independently in an environment where processes and tooling are still maturing, and to design new processes where none currently exist.
- Demonstrated experience designing program structure, methodology, or process strategy for a GRC or compliance function, not solely executing within an established one.

Preferred Qualifications

- Experience in a state or local government environment, or with government-specific frameworks and audit bodies.
- Relevant certification such as CISA, CRISC, CGRC, or equivalent.
- Experience with GRC platforms (e.g., ServiceNow GRC, Archer, AuditBoard, or similar) or building structured compliance processes without dedicated tooling.
- Experience managing or mentoring junior GRC staff.

Equal Opportunity Employer: Race, Color, Religion, Sex, Sexual Orientation, Gender Identity, National Origin, Age, Genetic Information, Disability, Protected Veteran Status, or any other legally protected group status.

At Randstad Digital, we welcome people of all abilities and want to ensure that our hiring and interview process meets the needs of all applicants. If you require a reasonable accommodation to make your application or interview experience a great one, please contact

Pay offered to a successful candidate will be based on several factors including the candidate's education, work experience, work location, specific job duties, certifications, etc. In addition, Randstad Digital offers a comprehensive benefits package, including: medical, prescription, dental, vision, AD&D, and life insurance offerings, short-term disability, and a 401K plan (all benefits are based on eligibility).

This posting is open for thirty (30) days.


Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.
  • Dice Id: cxsapwma1
  • Position Id: 1338167