Information Security GRC Analyst

Company: Mom’s Meals
Location: Des Moines, IA, USA
Salary: Not Provided
Type: Full-Time
Experience Level: Mid Level

Requirements

  • Proven experience (3+ years) in GRC or risk management, with a strong focus on governance and risk
  • Hands-on experience supporting the management of HITRUST certification
  • Strong understanding of risk management principles, frameworks, and methodologies (e.g., NIST, ISO 27001)
  • Knowledge of regulatory compliance such as HIPAA, HITRUST, GDPR, CCPA, and PCI DSS
  • Experience working with cross-functional teams to drive security and risk initiatives
  • Experience in conducting or supporting third-party risk assessments, especially in relation to healthcare data security and privacy
  • Excellent communication skills with the ability to explain complex risk and governance concepts to both technical and non-technical stakeholders
  • Strong analytical and problem-solving skills
  • Ability to work independently and manage multiple priorities in a fast-paced environment
  • Strong organizational and time management skills
  • Continuous drive to learn and grow professionally in the fields of GRC and information security

Responsibilities

  • Contribute to the ongoing development and maintenance of the GRC framework, policies, and procedures, ensuring alignment with regulatory requirements, privacy standards, and business objectives, particularly regarding PHI protection
  • Assist with the HITRUST certification process by gathering necessary documentation, participating in assessments, and ensuring that audits are up to date and complete
  • Aid in conducting third-party risk assessments, ensuring that vendors comply with required security and privacy regulations
  • Collaborate with internal teams (e.g., Compliance, Legal, IT) to align risk management practices across the organization and support the overall governance strategy
  • Contribute to the identification and assessment of key risks, helping to produce reports that provide actionable insights
  • Stay up to date with industry trends, regulatory changes, and emerging risks to ensure that the company’s GRC practices remain effective and relevant
  • Promote risk awareness within the organization and provide training and guidance on key regulations
  • Oversee the tools that identify and highlight data classification across the enterprise
  • Assist in monitoring security logs and daily activities for suspicious behavior and escalate incidents as necessary
  • Assist with the drafting, reviewing, and updating of information security policies to ensure alignment with regulatory requirements and best practices for healthcare organizations
  • Actively support the organization’s incident response efforts, including assisting in the investigation, containment, and remediation of security incidents
  • Be part of the on-call rotation for incident response, providing critical support during after-hours or emergency security incidents

Preferred Qualifications

  • Relevant certifications (e.g., Security+, CRISC, CISM, CISSP)