Information Security GRC Engineer (OneTrust / NIST)
Plano, Texas (Hybrid)
Description
We are seeking a hands‑on GRC Engineer & Risk Analytics professional who will implement and scale a NIST‑aligned control and risk framework in OneTrust while also conducting targeted risk and control assessments to validate design and operating effectiveness. You will connect process, data, and automation so department leaders can see, and reduce, risk in near‑real time through role‑based dashboards and scorecards. You’ll partner with Security Engineering, IT, Audit, and business control owners to streamline assessments, evidence collection, POA&M tracking, and reporting.
Focus split: approximately 70% OneTrust configuration, integrations, data modeling, and dashboards; approximately 30% targeted assessments and facilitation.
Module ownership on Day 1: OneTrust Integrated Risk Management (IRM) and Third‑Party Risk Management (TPRM).
What you’ll be doing
- Model the control framework in OneTrust: map NIST CSF and NIST 800‑53 control families, control objectives, test procedures, evidence types, and ownership.
- Configure assessment templates (application/infrastructure, inherent/residual risk, third‑party due diligence, control attestations) with automated workflows, notifications, and approvals.
- Stand up a POA&M lifecycle (defect creation, risk acceptance, due dates, escalations, verifications) and connect to tickets for remediation traceability.
- Build role‑based dashboards and departmental scorecards that surface KRIs/KPIs (e.g., control coverage, overdue actions, risk heatmaps, SLA adherence).
- Establish data taxonomy and metadata (assets, business processes, data classifications) aligned to controls and obligations to support consistent analytics.
- Own the end‑to‑end third‑party risk workflow in OneTrust: inherent risk profiling, tiering, questionnaire selection, and residual risk calculation.
- Design and maintain due‑diligence questionnaires and control attestations; streamline evidence collection and follow‑ups via automated reminders and SLAs.
- Track remediation and POA&Ms for vendors; manage risk acceptances, exceptions, and expirations with clear ownership and timelines.
- Publish vendor scorecards and portfolio‑level insights for department leaders; highlight concentration risk, critical suppliers, and overdue actions.
- Integrate TPRM data with IRM objects (assets, processes, controls) to show end‑to‑end exposure and dependencies.
- Integrate OneTrust with the CMDB and risk reporting platforms to auto‑enrich risks, controls, and assets.
- Define data quality rules and reconciliation checks; implement connectors or API jobs to keep dashboards near‑real‑time and reduce manual evidence collection.
- Partner with Analytics to publish curated Power BI datasets for executives and technical teams.
- Conduct spot assessments and control testing to validate design and operating effectiveness and calibrate automation.
- Translate FFIEC/GLBA/SOX and policy requirements into measurable controls and department‑owned obligations, documenting rationales and residual risk.
- Facilitate remediation planning with control owners; track POA&Ms and risk acceptances to closure with clear RACI and deadlines.
- Create playbooks, test scripts, and user guides; run enablement sessions for control owners and assessors to drive adoption.
What you’ll deliver in the first 6–12 months:
- A fully modeled NIST-aligned control catalog in OneTrust IRM and TPRM, complete with owners, testing procedures, evidence, and mapped obligations.
- 3–5 data integrations operational (for instance, CMDB, Archer, Posture Management) enabling automated evidence and asset-to-control mapping.
- Departmental scorecards along with an executive dashboard (showing trendlines, heatmaps, top risks, overdue actions, and risk reduction by department).
- Enhanced assessment throughput with a reduced cycle time (targeting a 30–40% improvement from baseline).
- Improved on-time completion of POA&M (targeting an increase of 20–30%) with a decrease in repeat findings through structured root-cause identification.
- Published and operational governance framework artifacts (including a governance calendar, defined roles, training materials, and standard operating procedures).
Requirements
• 5+ years hands‑on experience implementing/administering GRC platforms (OneTrust preferred; Archer/ServiceNow GRC acceptable with commitment to OneTrust ramp‑up).
• Working knowledge of NIST CSF and NIST 800‑53 and how to translate obligations into measurable controls and tests.
• Experience configuring questionnaires, workflows, object models, APIs, and building role‑based dashboards.
• Data skills in Power BI, SQL, or Python for data prep/transformations that feed analytics.
• Ability to tell the risk story—translate technical signal into business‑relevant insights for department leaders.
• Bachelor’s degree or equivalent practical experience.
Bonus if you have
• OneTrust GRC/IRM certifications; CRISC, CISA, or CISSP.
• Prior integrations with ServiceNow, Jira, SailPoint/IDP, Qualys/Tenable, or cloud platforms (AWS/Azure).
• Experience setting up control attestation/evidence automation and KRI/KPI scorecards across business units.
• Background in financial services or familiarity with FFIEC/GLBA/SOX supervisory expectations.