Governance Risk Compliance Analyst III

Job Summary: Members of the Governance/Risk/Compliance Section assure the risk posture of the organization is being adequately managed while maintaining related project plans. GSI is a highly dynamic environment and as such the successful employee will adequately manage competing priorities in a growing department. Risk analysts ensure that the organization is adequately aligning with the information security frameworks.

Viable candidates must be willing to work onsite at GSI's headquarters in Palm Harbor, Florida daily.

Key Responsibilities: Members of the Governance, Risk, and Compliance (GRC) team assist in analyzing the risk posture of Geographic Solutions, Inc (GSI) by:

• Collecting evidence
• Measuring existing controls against the different audit standards and information security frameworks in use
• Periodically monitoring process and procedures for alignment
• Participating in standups/scrum meetings
• Attending meetings and taking notes for discussion and socialization to other team members
• Acting as a Subject Matter Expert (SME) for all stakeholders and teams in a constructive collaborative way
• Participating in development and maintenance of policies
• Participating in development and maintenance of procedures
• Information security related training requirements
• Information security related Audit and Compliance requirements
• Information Security Framework Alignment
• Maintaining and updating Project Plans
• Responsible for updating and maintaining NIST Policy Documentation
• Responsible for updating and maintaining System Security Plans (SSPs) for each customer tenant.
• Conducting information security controls gap assessments
• Setting meetings required for GRC
• Adequately documenting meetings as needed or as requested
• Project Management
• Understand and keep up with changes to the information security frameworks
• Participate in GRC related meetings

Note: No one person is expected to manage these workloads concurrently. The workloads are spread across level III team members and individual expectations are further defined by each team member s roles and responsibilities Responsibility Assignment Matrix (RAM) chart.

Employee should be able to provide Subject Matter Expertise (SME) in the following information security frameworks initially or within the first year:

• NIST-800 Information Security Framework
• NIST-CSF (Cyber Security Framework)
• HiTRUST
• FedRAMP
• StateRAMP

Employee will have or be able to attain these key skills in the first year:

• Versed in Governance, Risk, and Compliance (each respective domain)
• Experience in conducting and participating in audits
• Capable of managing competing priorities and demanding timelines
• Managing third party vendors
• Technical writing
• Project Management
• Be highly organized
• Create and conduct risk assessments and track remediation efforts
• Develop risk metrics and risk reports
• Perform IT risk assessments, 3rd party risk assessments.
• Identify information security framework gaps
• Communicate complex risks to organization
• Identify what the risks are to critical applications, systems, and data
• Identify and organize enterprise data by the weight of the risk associated with it
• Managing key tasks and projects
• Work with customers and stakeholders to mitigate the risks
• Assess risks based on identified risk areas to develop individual risk profiles
• Assist in ongoing records and information review to determine the effectiveness of work processes and procedures
• Educate internal stakeholders about business risks brought about by industry trends
• Ensure risk management policies and guidelines are followed and report possible fraud for corrupt practices
• Execute communication plans for risk management policies and guidelines across internal stakeholders
• Manage execution of reporting methods across internal stakeholders
• Plan continuous work improvement activities and performance improvement strategies
• Prepare reports on impact of latest industry developments, market trends and regulations on business risks
• Prepare risk assessment schedule based on overall business schedules
• Review risk criteria best practices and industry trends to support risk criteria
• Review the impact of risk mitigation and plan to provide enhancements and support as needed (regarding information security frameworks and gaps)
• Support the use of technologies, electronic tools and devices for GRC automation
• Work with internal stakeholders to identify risk areas and compare industry trends
• Work with internal stakeholders to improve risk management framework alignment
• Work with partners to improve risk management policies
• Work with staff to support risk mitigation plans across functional tracks
• Experienced in information security frameworks and activities. e.g., FedRAMP, FISMA, CSF, NIST 800, ISO27001, StateRAMP, FedRAMP, HiTRUST, CIS, etc.

Qualifications / Certifications:

Employee should have or be able to obtain in the first year one or more of the following certifications:

• Certified Risk and Information Systems Control CRISC
• Certified in Governance of Enterprise IT - CGEIT
• Project Management Institute Risk Management Professional - PMI-RMP
• Information Technology infrastructure Library Expert ITIL Expert
• Certification in Risk Management Assurance CRMA
• GRC Professional GRCP
• GRC Audit Certification GRCA
• Integrated Policy Management Professional IPMP
• Project Management Professional PMP
• Integrated Data Privacy Professional - IDPP
• Integrated Governance and Oversight Professional - IGOP
• Integrated Compliance and Ethics Professional - ICEP
• Integrated Security and Continuity Professional - ISCP
• Integrated Strategy and Performance Professional - ISPP
• Integrated Audit and Assurance Professional IAAP
• CySA+ Cyber Security Analyst
• CRISC, PMP, or equivalent
• CISSP, CRM, CRA, CISM, or equivalent preferred
• Knowledge of information security frameworks and activities. e.g., FedRAMP, NIST CSF, NIST Information Security Framework, StateRAMP, ISO27001, SOC1, SOC2, SOC3, etc.
• Certified in Risk & Information Systems Control (CRISC)
• Project Management Professional Certification (PMP)
• Excel Spreadsheets
• Presentation Skills
• Logical, organized, and apply attention to detail in work and on presentations

Qualifications / Certifications:

• Bachelor s Degree with 6 years of experience (a master s degree can substitute for 2 years experience)
• Three or more years of experience
• Level of professionalism
• Level of understanding of how an enterprise class business operates

Special Requirements:

• May also be assigned various projects and tasks as needed
• Hours: Day shift. Evening and weekend hours may be required

Equal Opportunity Employer. M/F/D/V