Sr GRC Analyst

Direct Client Req

Sr GRC Analyst

Hybrid Weekly 3 Days InOffice work Santa Clara CA

(No Remote work option)

Duties:

Develop and maintain a deep understanding of Palo Alto Networks' internal Best Practice Assessment (BPA) policies, standards, and security controls.

Analyze and map internal BPA policies to a wide array of external regulatory and compliance frameworks, including but not limited to ISO 27001, SOC 2, NIST CSF, GDPR, CCPA, and PCI DSS.

Conduct detailed gap analyses to identify discrepancies between internal policies and external requirements. Collaborate with control owners and stakeholders to recommend and track remediation efforts.

Serve as a subject matter expert (SME) on policy to mapping, providing guidance to internal teams and supporting responses to customer security questionnaires and formal audits.

Continuously monitor the evolving regulatory landscape and updates to internal policies to ensure all mapping documentation remains accurate, current, and effective.

Partner with InfoSec, Engineering, and Product teams to translate complex regulatory requirements into actionable internal controls and policy enhancements.

Skills:

Excellent understanding and practical application of industry security frameworks including SANS Critical Security Controls, CIS Controls, ISO 27001, NIST SP 800-53, PCI DSS, and SOC2.

Great understanding of IT control frameworks (COBIT) and IT general controls.

Strong knowledge of information security concepts, risk and controls concepts.

Strong knowledge of standards such as ISO 27001/2, NIST CSF, NIST 800-53, TSC 2017 (SOC2), PCI DSS, etc.

Strong knowledge of security control domains such as Asset Management, Configuration Management, SDLC, Logging and Monitoring, Data Security, Network Security, Security Governance, Identity Access Management, Vulnerability Management, etc.

Proficiency in a wide spectrum of technical security controls encompassing logical access control, encryption, data loss prevention, secure coding practices, security architecture, vulnerability management, and network security technologies.

Expert in conducting Vendor risk assessments and understand risk exposure of technology deficiencies and translating them to business impact.

Strong domain experience in security risk assessments.

Working knowledge of risk treatment and exception processes.

Strong knowledge of Security architecture design and review including key security controls related to authorization, authentication, and encryption of data in transit/at rest.

One or more certifications such as CISSP, CISA, CISM, CEH, ISO 27001 Lead Auditor and Lead Implementer.

Open to learning and working on new domains and technology.

Good written and spoken communications skills to explain and articulate technical concepts effectively to stakeholders including system engineers and auditors.

Strong attention to detail and diligence.

Education:

Bachelor s Degree in Technology or Risk Management

CISA/ CISM/CISSP certification, ISO 27001 (Lead Auditor) preferred

Certifications & Licenses

CISA, CISM, CISSP, Cissp Certification

Proficiency in a wide spectrum of technical security controls encompassing logical access control