Governance Risk & Compliance Analyst II

Atlanta, Georgia

Mission Recruit LLC
Job Summary
Maintains and contributes to the design of the Company's cybersecurity Governance, Risk, and Compliance (GRC) program. The GRC Analyst II plays a key role in assessing technology-related risks and ensuring compliance with relevant regulations, policies, standards, and controls designed to protect the organization's information assets.

Learned professional who works independently with limited guidance except when dealing with unusual or complex scenarios. Provides guidance to less experienced GRC Analysts and leads process improvement efforts within the Information Security team.

Primary Job Responsibilities

Policies/Standards/Controls:
Develops and maintains cybersecurity policies, standards, and guidelines.
Implements and monitors compliance with cybersecurity control framework.
Ensures policies are up-to-date and align with industry best practices, regulatory requirements, and cyber frameworks.
Communicates policies to relevant stakeholders.

Security Awareness:
Independently develops security awareness training programs and materials.
Plans and executes cybersecurity awareness events and communication campaigns.
Develops, organizes, and delivers training sessions to employees on security policies and best practices.
Monitors and reports on the effectiveness of security awareness initiatives.

Cyber Risk Management:
Collects, analyzes, and presents cybersecurity program performance metrics and key risk indicators (KRIs).
Independently conducts regular assessments of cyber risks within applications, platforms, and processes.
Identifies risks and develops mitigation strategies and risk management plans.
Manages third-party risk by assessing the security posture of external vendors and partners, implementing risk mitigation measures, and fostering secure third-party relationships.

PCI, SOX, and Privacy Compliance:
Ensures appropriate design and operating effectiveness of regulatory and PCI-DSS controls.
Manages privacy-related data subject access requests.
Monitors compliance and reports effectiveness.
Independently performs periodic gap assessments to validate compliance.
Monitors regulatory environment and performs impact assessments.
Partners with auditors and manages action plans in response to audit discoveries.

Required Education/Experience
Minimum Bachelor's Degree in Cybersecurity or related field or a combination of related education and work experience in an Information Security role to equal 4 years.
Related Functional Experience: Minimum of 5 years of experience in cybersecurity or technical risk analysis.
Minimum of 3 years of experience in a GRC role.

Required Skills/Knowledge
Depth of knowledge with cybersecurity control frameworks (NIST CSF preferred)
Working knowledge of cybersecurity policy lifecycle, standards, and guidelines.
Experience with PCI-DSS and SOX
Working knowledge of data governance and privacy regulations
Experience with security awareness techniques and processes in an enterprise environment.
Exceptional written and verbal communication skills that can be adjusted to relevant audiences.
Analytic and problem-solving skills.
Date Posted: 17 May 2024