GRC Risk Management Specialist

Job Description

SUMMARY:  The GRC Risk Management Specialist will work closely with the Information Security team, business units, and partner organizations to conduct risk assessments, compliance checks, and control gap analyses in alignment with information security policies and risk management standards. This role involves creating, organizing, and clearly articulating summarized risk findings that are actionable for business stakeholders. The Specialist will help prioritize and drive remediation efforts across the organization to mitigate risks and will contribute to the risk management, treatment, and reporting processes to safeguard data assets. Additionally, the Specialist will assist in preparing for and facilitating assessments and examinations conducted by qualified security assessors.

Essential Functions:   Reasonable accommodations may be made to enable individuals with disabilities to perform essential duties.

• Conduct risk assessments and ensure compliance with major regulatory initiatives.
• Implement and manage cybersecurity and information security programs based on industry-standard frameworks like NIST CSF and ISO/IEC 27000.
• Maintain comprehensive knowledge and understanding of information security risk management and IT controls frameworks and methodologies such as ISO/IEC 27005, COBIT, and OCTAVE.
• Provide subject matter expertise in Risk Management Principles (risk avoidance, transfer, mitigation, acceptance) and risk assessment process.
• Provide support for security governance activities, including managing communication about security policies, standards, and control frameworks.
• Identify, assess, track, and report on security risks across the enterprise. Track risk decisions and remediation plans and communicate risks to both technical and non-technical audiences.
• Develop reporting for management by analyzing IT security controls and risk exposure.
• Identify IT security risks to the business, work with the security team on client security reviews, and drive the development of remediation plans for both when appropriate.
• Facilitate internal and third-party information security risk assessments and work closely with functional groups or departments to prioritize and remediate findings.
• Drive effective collaboration across all lines of business and provide relevant awareness training to control owners.
• Drive continuous quality improvement.

Supervisory Responsibilities:  This position has no formal supervisory responsibilities.

Minimum Required Qualifications:   

• Bachelor’s degree in Computer Science, Information Systems, Information Security & Assurance, Information Technology, Information Security Risk Management or related field required AND
• Seven (5) years of experience in IT Security, IT Governance, Risk, & Compliance
• Equivalent combination of education and experience, including prior relevant military service experience.

Certificates and Licenses: None required.

OTHER REQUIRED QUALIFICATIONS: 

• Demonstrable understanding of security controls and risk assessment tools.
• Demonstrable understanding of information security and the relationship between threat, vulnerability, and information value in the context of risk management.
• Demonstrable understanding of risk-based decision-making.
• Demonstrable understanding of leading-edge governance-enabling technologies.
• Demonstrate experience with risk assessments and compliance with major regulatory initiatives (e.g.  SOX, PCI-DSS, HIPAA, FedRAMP).
• Demonstrate experience with cyber security and information security program management and frameworks (e.g., NIST CSF, ISO/IEC 27000, etc.).
• Ability to develop relationships across functions and inspire trust and confidence through effective communication and interpersonal skills.
• Experience managing cybersecurity controls based on a thorough understanding of industry standards and regulations to protect the company from external and internal threats.
• Excellent communication and presentation skills (verbal and written).
• Project management planning and organization skills.
• Ability to identify, document, and communicate information security issues to business and information owners.
• Ability to maintain the confidentiality of sensitive information.
• Microsoft Office (Outlook, Word, Excel, PowerPoint, Project, Visio, etc.); Web proficiency.
• Ability to clear required background checks.

Desired Qualifications: 

• CRISC, CISM, SANS, or other relevant information security certifications
• Knowledge of relevant standards such as ISO/IEC 27000 family - Information Security Management Systems, NIST Cybersecurity Framework, NIST  800, and applicable laws related to regulatory compliance, information security, and privacy (e.g., SOX, HIPAA, GDPR, PCI-DSS)
• Experience with developing and maintaining information security policies and standards-aligned to regulatory or other control frameworks such as NIST, SOX, HIPAA, FERPA, etc.
• Prior experience in the Education industry is a plus.
• Knowledge and understanding of information technology and networking concepts.

Work Environment:  The work environment characteristics described here represent those an employee encounters while performing the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform essential functions.

• This is an office- or home-based position.  The noise level in the office is usually moderate (computers, printers, light foot traffic).  

Compensation & Benefits: Stride, Inc. considers a person’s education, experience, and qualifications, as well as the position’s work location, expected quality and quantity of work, required travel (if any), external market and internal value when determining a new employee’s salary level.  Salaries will differ based on these factors, the position’s level and expected contribution, and the employee’s benefits elections.  Offers will typically be in the bottom half of the range.

• We anticipate the salary range to be $66,379.50- $170,037.60. The upper end of this range is not likely to be offered, as an individual’s compensation can vary based on several factors. These factors include, but are not limited to, geographic location, experience, training, education, and local market conditions. Eligible employees may receive a bonus. Stride offers a robust benefits package for eligible employees that can include health benefits, retirement contributions, and paid time off.

The above job is not intended to be an all-inclusive list of duties and standards of the position. Incumbents will follow any other instructions and perform any related duties as assigned by their supervisor.  All employment is “at-will” governed by the state law where the employee works.  It is further understood that the “at-will” nature of employment is one aspect that cannot be changed except in writing and signed by an authorized officer. 

Job Type

The above job is not intended to be an all-inclusive list of duties and standards of the position. Incumbents will follow any other instructions, and perform any other related duties, as assigned by their supervisor. All employment is “at-will” as governed by the law of the state where the employee works.  It is further understood that the “at-will” nature of employment is one aspect of employment that cannot be changed except in writing and signed by an authorized officer.

Stride, Inc. is a Federal Contractor, an Equal Opportunity/Affirmative Action Employer and a Drug-Free Workplace. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, protected Veteran status age, or genetics, or any other characteristic protected by law.

Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities

The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor’s legal duty to furnish information. 41 CFR 60-1.35(c)