Senior GRC Analyst - IT Governance, Risk & Compliance
Listed on 2026-06-30
IT/Tech
Cybersecurity, Information Security
GDOT is building a Governance, Risk, and Compliance (GRC) function within the Office of Information Technology to establish formal risk management, regulatory framework alignment, and audit readiness practices. This senior-level role is responsible for designing the GRC program structure, implementing and operating core GRC processes, and influencing risk-based decision-making across the department. This is a foundational, high-ownership role for an experienced GRC professional who can operate independently, establish processes from the ground up, and build a function that scales.
location: Atlanta, Georgia
job type: Contract
salary: $55 - 65 per hour
work hours: 8am to 5pm
education: Bachelors
responsibilities:
Risk Register Stewardship
- Establish and maintain the Enterprise IT Risk Register, including risk identification, categorization, likelihood/impact scoring, and ownership assignment.
- Provide leadership with regular risk reporting and a clear view of GDOT's IT risk environment.
- Track remediation of identified risks to closure and escalate high/critical risks appropriately.
Framework Implementation & Gap Analysis
- Lead the mapping of GDOT's IT controls against applicable state-mandated and industry frameworks (e.g., NIST 800-53, NIST CSF).
- Perform gap analyses, document findings, and develop remediation roadmaps in partnership with control owners.
- Track control maturity over time and report progress to leadership.
Policy & SOP Governance
- Draft, maintain, and periodically audit GDOT IT policies and standard operating procedures.
- Manage the policy lifecycle - drafting, technical review, approval routing, publication, and periodic re-certification.
- Verify SOPs are being followed by IT teams through documented evidence rather than self-attestation.
Third-Party Risk Management (TPRM)
- Own the vendor and cloud service provider risk review process, including intake, contract review, and risk documentation.
- Evaluate vendor security posture (e.g., SOC 2 reports, architecture review findings) in coordination with technical subject matter experts.
- Maintain the vendor risk register and manage risk acceptance documentation when vendor posture does not fully meet GDOT requirements.
Evidence Collection & Audit Readiness
- Serve as a primary liaison for state and external auditors.
- Build and maintain a centralized Library of Evidence, ensuring change control logs, access reviews, and other compliance artifacts are organized and audit-ready at all times.
- Coordinate evidence requests across IT teams and track completion against defined timelines.
Access Governance
- Define and maintain the schedule and standards for periodic access reviews of mission-critical systems.
- Validate completed access reviews against the principle of least privilege and document findings.
- Track remediation of excessive or inappropriate access identified during reviews.
Program Leadership Scope
This role carries direct responsibility for the following program-level functions:
- Designing the overall GRC program structure, including process design, tooling strategy, and prioritization roadmap.
- Establishing GRC policy and methodology standards that scale as the function grows.
- Mentoring and providing technical direction to additional GRC team members as the function expands.
- Representing GRC in cross-functional governance discussions and advising leadership on risk-based prioritization.
What Success Looks Like in the First 12 Months
- 90 days: Risk register established and populated. Initial framework gap analysis underway. Evidence library structure in place.
- 6 months: Framework gap analysis complete with a documented remediation roadmap. Vendor risk review process operating for new vendor engagements. First formal policy review cycle completed.
- 12 months: Functioning evidence collection cadence across IT teams. Access review program operating on a defined schedule. GDOT positioned with organized, audit-ready documentation ahead of the next external review cycle.
qualifications:
- 5+ years of experience in GRC, IT audit, information security compliance, or a closely related field, including experience building or significantly maturing a GRC function from an early stage.
- Direct hands-on experience with at least one major framework - NIST 800-53, NIST CSF, ISO 27001, or equivalent - including control mapping and gap analysis.
- Experience conducting or supporting third-party/vendor risk assessments, including review of SOC 2 reports and contract risk language.
- Experience supporting or leading evidence collection and audit response for an external audit (state, federal, or industry).
- Strong written communication skills - demonstrated ability to draft clear policy and procedure documentation.
- Ability to operate independently in an environment where processes and tooling are still maturing, and to design new processes where none currently exist.
- Demonstrated experience designing program structure, methodology, or process strategy for a GRC or compliance…