Senior Analyst, Governance, Risk and Compliance

THE OPPORTUNITY

As the Senior Analyst, Governance, Risk & Compliance, you will collaborate with all departments at Chipotle to ensure compliance with policies and other activities which impact the confidentiality, integrity, and availability of our application, infrastructure, and business processes. The role will require the creation of new policies and procedures while recommending, implementing, and ensuring compliance with appropriate information security frameworks and standards all while keeping in mind the efficiencies that can be gained for those fulfilling the policy and/or procedure.

This position will be based in our Newport Beach, CA office 4 days per week (with work from home on Friday). Remote work is not available for this role.

• Strong candidates are motivated by what they can achieve, growth they could experience and how they will impact the company.
• Participate in the development and implementation of security awareness trainings and phishing campaigns for the whole organization. Collect data for analysis and continuously improve the organization’s security posture.
• Work closely with GRC Leadership to implement global policies, regulatory changes, and risk frameworks across products and systems.
• Stay up to date in industry trends and best practices, including monitoring for changes in PCI-DSS and recommending necessary adjustments to our compliance program. Contribute to the development of audit process improvements.
• Provide guidance and support to internal project teams to ensure new systems, applications, or processes are designed and implemented in accordance with relevant standards.
• Perform risk assessments, audits, and control testing to ensure Chipotle systems and processes remain in compliance with applicable regulations (PCI-DSS, SOX) and internal Information Security policies, ensuring evidence is collected, reviewed, and maintained to meet compliance objectives.
• Support and enhance the Third-Party Risk Management (TPRM) program, including conducting vendor risk assessments, reviewing security documentation, leveraging tools such as Viso Trust, and partnering with stakeholders to manage third-party risk throughout the vendor lifecycle.
• Monitor and track remediation efforts for identified non-compliance issues to ensure timely resolution, including managing policy exceptions and violations.
• Participate in incident response activities as a Scribe and on-call team member, ensuring accurate documentation of events, timelines, decisions, and actions during security incidents, and supporting post-incident reviews and reporting.
• Create written reports and dashboards for monitoring compliance and communicating status with business leaders.
• Assist in coordinating annual on-site audits and preparing compliance reports for submission to external stakeholders.
• Review change management tickets and associated evidence to validate control effectiveness and audit readiness, ensuring completeness, accuracy, and alignment with compliance requirements.
• Assist with other compliance team projects as required to meet evolving regulatory and compliance needs and objectives.
• Assist in architecting and improving a suite of GRC tools to automate controls, risk data collection, monitoring, and governance procedures.
• Develop and maintain policies and standards in support of operational and compliance goals, including creating supporting operational work instructions where it would be most effective.
• Develop, execute, and/or coordinate governance structures to align with industry and compliance frameworks such as PCI, SOX, and NIST CSF.

• Bachelor’s degree in computer science, Information Technology, or related field preferred.
• Strong understanding of cloud technologies, API systems, infrastructure, network, and mobile security regulations, requirements, and best practices.
• Technical depth in Information Technology, Security, Privacy, or Compliance fields.
• Advanced organizational skills with the ability to manage multiple priorities and meet deadlines.
• 5+ years of experience working in risk and compliance management frameworks, risk-based solutions, and control…