Job Details
Position: GRC Analyst
Start Date: Preferably July 21st
Location: Remote; must reside in one of the following states: IL, IN, IA, KS, MO, MT, NM, NC, OK, PA, TN, TX or WI.
Duration: 6 months (with potential for extension and temp-to-perm conversion)
Interview:
- 2-3 rounds total (each ~30 minutes)
- 1st: Virtual interview with hiring manager
- 2nd: Virtual interviews with 1-2 existing GRC team members
Client Culture Note:
Lean, collaborative GRC team. Fast-paced environment with compressed audit timelines. Team members wear multiple hats and support multiple pillars of GRC. Culture values independence, adaptability, and cross-functional coordination. Fully remote but requires excellent communication and organization skills.
Team Structure:
The Governance, Risk, and Compliance (GRC) team typically consists of four analysts. Two team members recently departed: one retired approximately 1.5 months ago, and another left about a month ago. The team currently operates with four people, including the hiring manager, Rebecca.
The GRC team operates across four primary pillars:
- Audit & Assessment
- IT and General Controls (Control Management)
- Risk Management, Policy, and Standards
- Third-Party Risk Management
Note: They need someone for Audit & Assessment and someone for IT and General Controls.
Current Focus Areas:
- Leading and supporting SOC 2 Type II audits and HITRUST certification efforts.
- The team typically conducts three assessments per year; currently, two remain for the year.
- Primary responsibilities include evidence gathering in compressed timeframes using external auditor portals.
- Strong familiarity with Microsoft Planner and Microsoft Office tools is essential.
Required Qualifications:
- Experience with SOC 2 Type II audits (must-have).
- Familiarity with healthcare compliance, particularly HIPAA and ePHI.
- Understanding of IT General Controls (ITGC) and ability to work cross-functionally with IT teams.
- Strong documentation and organizational skills for audit readiness and evidence management.
- Comfortable gathering technical evidence without being the IT subject matter expert.
- Ability to wear multiple hats in a lean team environment.
Job Description:
- Responsible for the daily execution, facilitation, and coordination of activities for Luminare Health Benefits' Information Security Program. Participates in risk management by evaluating current conditions, systems, and practices within IT and across the company to inform the Information Security dashboard and, as appropriate, develops and maintains effective practices to identify, document, isolate, deter, and defend against threats, and to orchestrate remediation efforts. Works with IT business partners to drive the design, implementation, operation, and remediation activities of industry-accepted control frameworks (NIST CSF, COBIT, HITRUST, etc.) in support of established policies, standards, and regulatory requirements.
- Provides subject matter expertise, guidance, and internal consultancy to business partners, including Information Technology (IT). Works closely with Information Security leadership to help ensure the organization is applying the appropriate security controls as determined by the information security strategy. Responsible for serving as the primary information security link between the business and the Information Security Office. Supports the business with security-related issues from both the technology perspective as well as policy and standards implementation. Will address issues such as coordinating and facilitating internal and external audits and assessments, HITRUST certification and re-certification activities, third-party vendor management, and responding to external third-party requests.
- Performs highly complex information technology compliance work. Serves as the primary escalation point of contact for compliance requirements, audit tracking, and remediation activities, and also the intake recipient of risk management processes.
- Assesses, evaluates, and makes recommendations regarding the adequacy of infrastructure controls with respect to security, confidentiality, integrity, and availability.
- Coordinates with external and internal auditors and system-wide stakeholders, providing points of contact and facilitating the creation and delivery of data call items and other forms of evidence for efforts that carry substantial consequences of success or failure. Ensures critical applications and supporting infrastructure adhere to security policies and standards by executing compliance checks and periodic reviews. Includes maintaining compliance documentation, internal reporting, creation of technical compliance controls, and gap assessment.
- Provides oversight of the policy process, including reviewing and offering suggestions for improvements to help better align with requirements and Luminare Health Benefits' integrated control framework.
- Provides oversight and thought leadership for Luminare Health Benefits' Third Party Risk Management processes. Actively engages with experts from other areas of IT and the business to understand critical risks and business needs, and works with them to ensure third-party engagements provide maximum benefit while minimizing risk to the organization.
- Drives the risk management process by evaluating current conditions, systems, and practices within IT and across Luminare Health Benefits to inform the Information Security Dashboard. Develops and maintains effective practices to identify, document, isolate, deter, and defend against threats, and to orchestrate remediation efforts.
- Leads consultation to IT and technology service owners with gold-standard technical baselining, including but not limited to the NIST CSF security framework.
- Owns the planning, preparation, and delivery of the Information Security Awareness Program, which includes required virtual security training for staff, affiliates, and those with elevated access.
- Collaborates across IT departments to identify, administer, analyze, and solve critical security problems, and operationalize lessons learned into existing or new technological controls, solutions, processes, procedures, and knowledge articles.
- Owns the coordination of regulatory efforts, administers systems owned by Information Security, serves as a business analyst, and provides project coordination for the Information Security Program.