Governance, Risk, Compliance; GRC Program Specialist

Position Description

The Information Security Team is responsible for managing the security of UNOS' information systems and environments. This includes assessing third parties who access our environments and who operate within the Organ Procurement Transplantation Network (OPTN) Authority to Operate (ATO) boundary.

The GRC Program Specialist is a detail-oriented analyst who communicates information security requirements to internal and external stakeholders. They support UNOS' third‑party risk management activities and assist the Assistant Director of Security GRC in maintaining components of UNOS' Business Continuity program.

• Support Third‑Party Risk Management activities, including gathering documentation, performing initial security reviews of current and potential SaaS partners, and preparing materials for leadership review.
• Assist in developing Risk Assessment documentation on third parties in alignment with NIST SP 800‑30.
• Participate in evaluating security solutions to help determine whether they meet OPTN member and UNOS requirements for processing Controlled Unclassified Information (CUI).
• Support the coordination of UNOS' Business Continuity Program by maintaining documentation, assisting department plan owners, and helping track testing activities.
• Conduct Business Impact Analysis (BIA) data collection and prepare summaries for review by senior GRC staff.
• Assist in planning and facilitating annual Business Continuity tabletop exercises by coordinating logistics and preparing materials.
• Draft portions of After‑Action Reports (AARs) and help track lessons learned and action items to closure.
• Assist in the development, documentation, and maintenance of information systems security policies, standards, and procedures.
• Support the creation and maintenance of Assessment and Authorization (A&A) documentation in accordance with NIST policies.
• Assist in reviewing changes to UNOS systems and documenting the initial security impacts for further evaluation by senior staff.

• 5+ years of demonstrated experience in policy development/management, technology risk management, compliance, or audit.

• Understanding of OPTN and UNOS information security policy requirements and awareness of their impact on OPTN Members and UNOS staff and clients.
• Strong written and verbal communication across all levels of the organization.
• Excellent analytical and problem‑solving skills.
• Demonstrated ability to support programs, processes, and prepare reporting on assigned tasks.
• Experience contributing to the development, testing, and improvement of operational procedures supporting business recovery activities.

• Preferred
  
  Certifications:
  • Security+
  • CISM
  • CISA
  • CRM
• Experience in healthcare or digital health data or systems preferred.
• Strong Microsoft product skills (e.g., Word, Excel, PowerPoint, SharePoint, Teams) and the aptitude to learn governance, risk and compliance tools.
• Strong time management and organizational skills.

• 4‑year degree in Information Security, Information Technology or Systems, Policy, or a related field.

• General office demands
  • Prolonged periods of sitting at a desk and working on a computer.
  • Frequent reaching, handling, and fine manipulation for using office equipment, filing, and managing paperwork.
  • Manual dexterity sufficient to operate a keyboard, mouse, and other office tools.
  • Occasional standing, walking, and bending.
  • Ability to lift up to 10‑20 pounds occasionally.
  • Vision abilities required include close vision for computer work and reading documents.
  • Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.