
GRC Analyst

Job in Canton, Norfolk County, Massachusetts, 02021, USA
Listing for: Aqueduct Technologies, Inc.
Full Time position
Listed on 2026-05-19
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, IT Business Analyst, Data Security
Salary/Wage Range or Industry Benchmark: 80000 - 100000 USD Yearly
Job Description & How to Apply Below

Aqueduct Technologies is seeking a GRC Analyst to join our Governance, Risk, and Compliance (GRC) team. Reporting directly to the Director of GRC, this role plays a pivotal part in designing, executing, and maturing our clients’ security and compliance programs.

As Part Of Our Growing GRC Practice, You Will
  • Support and progressively lead client compliance engagements
  • Contribute to the development of Aqueduct’s GRC service offerings
  • Assist with internal compliance initiatives and audit readiness activities
Core Responsibilities
Compliance Readiness and Assessments
  • Support and conduct readiness assessments aligned to frameworks such as NIST CSF, ISO 27001, SOC 2, HIPAA, PCI DSS, and CMMC
  • Identify control gaps and provide practical, risk-based remediation recommendations
  • Assist clients in preparing for external audits and certification efforts
Risk Assessments
  • Perform organizational risk assessments and document risk findings
  • Evaluate control effectiveness and recommend mitigation strategies aligned with business objectives
  • Maintain risk registers and support risk reporting processes
Third Party Risk Management
  • Conduct vendor risk assessments and due diligence reviews
  • Support the development and maintenance of third party risk programs
  • Assist with ongoing monitoring activities and documentation
Client Reporting And Communication
  • Prepare clear, structured reports summarizing findings, risks, and recommended actions
  • Present results to client stakeholders with guidance from senior team members
  • Translate technical findings into business-relevant insights
Collaboration And Internal Support
  • Work closely with security operations, engineering, and account teams to align GRC initiatives
  • Support internal compliance initiatives including SOC 2 readiness and audit activities
  • Contribute to documentation development, templates, and process improvement efforts
Professional Development
  • Stay current on evolving cybersecurity risks, regulatory requirements, and industry standards
  • Expand expertise across multiple frameworks and advisory domains
Required Skills & Qualifications
Core Competencies
  • Strong written and verbal communication skills
  • Analytical thinking and attention to detail
  • Ability to manage multiple client work streams in a consulting environment
  • Professional presence in client-facing situations
Technical And Compliance Experience
  • Experience supporting or conducting assessments across one or more major frameworks such as NIST CSF, ISO 27001, SOC 2, HIPAA, PCI DSS, or CMMC
  • Working knowledge of risk assessment methodologies
  • Familiarity with third party risk management concepts and processes
  • Foundational understanding of Zero Trust principles and modern security architecture concepts
Professional Background
  • 3 or more years of experience in information security with exposure to GRC functions
  • Experience in consulting, advisory, or managed services environments preferred
  • Experience with GRC platforms such as ServiceNow GRC, Archer, Drata, Vanta, or similar tools is a plus
Certifications
One or more of the following certifications is preferred but not required:
  • CISA
  • CISM
  • CRISC
  • CISSP
  • CCSP
Work Model
  • Ability to work in a hybrid model in the Canton, MA area
  • Willingness to travel locally for client engagements as needed
Growth Opportunity
  • This role offers a clear path toward Senior GRC Consultant responsibilities. Analysts who demonstrate strong client delivery, technical depth, and engagement ownership will have opportunities to lead larger assessments, mentor junior team members, and expand into broader advisory engagements.

Aqueduct Technologies is committed to developing a diverse and talented team. We celebrate and support diversity and are committed to making an inclusive environment for all employees and applicants including women, minorities, individuals with disabilities, members of the LGBTQIA community, veterans, and any other legally protected group. We are an Equal Opportunity Employer and do not discriminate against any employee or applicant on the basis of any status protected by federal, state, or local laws.
