GRC & Policy Specialist

Hybrid in Oakland, CA, US • Posted 30+ days ago • Updated 11 hours ago
Full Time
Occasional Travel Required
Hybrid
$70 - $75/hr

Job Details

Skills

  • GRC
  • Policy
  • NIST
  • Cybersecurity
  • Governance
  • Risk
  • Compliance

Summary

Role: GRC Consultant

Location: Oakland, CA (Remote/Hybrid)

Duration: 4–5 months (initial engagement)

 

Overview

The Client is seeking a hands-on Cyber GRC & Data Security Governance Consultant to lead a foundational "clean-and-build" initiative. This is not an advisory or project management role; we require a true GRC practitioner who can independently own and execute governance processes end-to-end.

 

The ideal candidate will have deep, hands-on experience working within GRC platforms, building and managing controls, risk, compliance, and audit processes, and will also support the development of a comprehensive Data Security Governance program.

 

Core Responsibilities & Deliverables

  • GRC Process Ownership & Execution: Own and execute core Cyber GRC functions including building and managing control libraries, risk registers, compliance workflows, evidence collection processes, policy exceptions, and audit response activities
  • NIST CSF Validation: Conduct a deep-dive review of current security controls (Identity, Network, Cloud) to assess alignment, effectiveness, and documentation gaps against NIST CSF / NIST 800-53
  • GRC Platform Management: Hands-on configuration and management of GRC tools (Archer, Hyperproof, ServiceNow GRC, OneTrust, AuditBoard or similar), including centralizing policies, controls, risks, and audit artifacts
  • Data Security Governance (DSG): Design and implement a data governance framework including data classification, data handling standards, access governance, retention policies, encryption requirements, DLP controls, and third-party data risk management
  • Policy Centralization: Review, rationalize, and migrate existing policies and SOPs into the GRC platform while ensuring alignment to controls, standards, and regulatory requirements
  • Audit Readiness: Establish sustainable audit and compliance processes including documentation standards, evidence tracking, version control, and review cadences
  • Control & Risk Management: Perform hands-on risk assessments, control design, and validation while mapping controls to policies, standards, and regulatory frameworks
  • Incident Response Modernization: Review and enhance the Incident Response Plan and associated processes to align with NIST and organizational requirements

 

Required Experience

  • 5+ years in Cyber GRC (hands-on): Proven experience owning and executing GRC programs, not just coordinating or supporting them
  • GRC Tool Expertise: Hands-on experience configuring and managing GRC platforms such as Archer, ServiceNow GRC, OneTrust, Hyperproof, AuditBoard, or similar
  • Framework Expertise: Strong experience implementing and operationalizing NIST CSF and/or NIST 800-53
  • GRC Process Depth: Demonstrated experience building and managing control libraries, risk registers, compliance workflows, audit processes, and governance deliverables
  • Data Security Governance: Experience defining and implementing data classification, handling standards, access governance, retention, encryption, DLP, and third-party data risk
  • Technical Writing: Proven ability to develop detailed, actionable security policies, standards, and SOPs
  • Cyber Literacy: Strong understanding of security controls (MFA, EDR, SIEM, Encryption, etc.) to validate effectiveness of implementations

 

 

 

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.
  • Dice Id: 10271950
  • Position Id: 8909884