GRC Analyst
Listed on 2026-03-12
IT/Tech
Cybersecurity, Information Security
The Governance, Risk, and Compliance (GRC) Analyst is responsible for internal controls as well as the Route One Comprehensive Information Security Program. This program is designed to protect company information, data and facilities; maintain the security of assets; and ensure the efficacy of, and compliance with, internal controls. The overall goal is to design, develop, implement, and maintain compliance with a comprehensive information security program that is appropriate to the sensitivity of the information and data it covers and that is scoped adequately for the size, complexity, nature, and risk of Route One’s business activities.
The ideal candidate will have the skill to communicate the details of this program, in writing and speaking, to management, external auditors and customers, regardless of their technical or non-technical backgrounds.
- Execute and manage internal audits.
- Collect and maintain audit evidence for annual SOC (System and Organization Controls) and GLBA audits derived from the results of internal audits, including documentation of deviations.
- Participate in audits of Route One’s vendors and perform subsequent remediation tracking to closure.
- Respond to audits from finance sources and other customers, including participating in and leading in-person or virtual audit sessions, answering detailed questionnaires, gathering and providing evidence, and managing remediation of findings from these audits.
- Respond to due diligence requests from finance sources and other customers, providing documentation such as SOC reports, security reports, and other evidence.
- Design new controls and the subsequent documentation updates to policies and procedures needed to close audit findings. Review reports generated from various monitoring and scanning tools and escalate to the Cybersecurity Team as appropriate.
- Collect data, produce reports, and analyze metrics from audits conducted to evaluate compliance, and collaborate with internal IT Teams to improve existing cybersecurity measures.
- Contribute to certain functions within the information security framework that ensure confidentiality, integrity, and availability of information assets by protecting against unauthorized use, disclosure, modification, or loss.
- Assist with informing and educating staff about information security, compliance, risks, and governance including assisting in phishing prevention campaigns and monitoring employee training compliance.
- Assist in monitoring, administering, and enforcing security policies/procedures.
- Review existing documentation of IT controls, business processes, policies, procedures, and management reports for compliance, effectiveness, and sustainability.
- Manage remediation plans/corrective actions for any vulnerabilities or compliance failures reported in audits.
- Perform gap analysis to assess compliance with evolving regulatory requirements and industry frameworks such as NIST, PCI DSS, GLBA, CSA, FCRA, privacy laws, and other frameworks as needed.
- Maintain safety, security, and privacy standards throughout all areas of responsibility.
- Assist in annual Risk Assessments and Business Impact Analysis reviews with management.
- Assist in annual Business Continuity Exercises and Security Incident Response tabletop exercises.
- Participate in Scope Lock meetings for compliance and risk evaluation of proposed code and feature changes to the application.
- Provide input to other teams for current audit, compliance, governance, and risk mitigation requirements of proposed actions and/or purchases.
- Experience reviewing and/or drafting policies and procedures across the enterprise.
- Experience in Audit, Compliance, Governance, Risk, or equivalent Information Security area with technically complex and diverse audits/projects.
- Demonstrated experience applying knowledge of internal control standards, objectives, and techniques unique to computer processing in a multiple platform environment.
- Solid knowledge of current industry information security, compliance and governance principles, controls and practices.
- Knowledge of various compliance frameworks and industry best practices (e.g., PCI DSS, GDPR, ISO 27001).
- Understanding of security protocols…