GRC Specialist (governance, risk and compliance)

East Hartford, CT, US

Description

Summary: We are seeking a proactive, detail-oriented, and collaborative GRC (Governance, Risk, and Compliance) Specialist to join our cybersecurity team. This role plays a critical part in ensuring that our organization maintains strong compliance with evolving federal and state regulations while continuously improving our internal security policies, risk posture, and audit readiness.

Key Responsibilities:

Governance, Risk, and Compliance

  • Monitor, interpret, and track cybersecurity regulations at both the federal and state levels to assess impact on business operations.
  • Develop, update, and maintain cybersecurity policies and procedures that align with industry standards (e.g., NIST CSF, ISO 27001, CIS Controls, CMMC).
  • Collaborate across departments to ensure policies are implemented and understood throughout the organization.
  • Conduct internal audits and control assessments to evaluate effectiveness and adherence to policies.
  • Create and maintain a risk register, help identify and assess risks, assign ownership, and track mitigation efforts.
  • Support business impact assessments and assist in maintaining business continuity strategies.

Training & Awareness

  • Assist in designing and delivering cybersecurity training and awareness programs.
  • Track training metrics and ensure organization-wide compliance with awareness initiatives.

Frameworks & Certifications

  • Provide support in preparing for security certifications (e.g., SOC 2, ISO 27001, CMMC).
  • Coordinate with external auditors or assessors, gather evidence, and support audit processes.

Incident Response Compliance

  • Ensure incident response policies align with regulatory requirements.
  • Support post-incident reviews with a focus on documentation and lessons learned.

Third-Party & Vendor Risk

  • Coordinate third-party risk assessments to ensure vendors meet security and data protection standards.
  • Track compliance of vendors and service providers against contractual and regulatory obligations.

Metrics & Reporting

  • Develop and maintain dashboards or reports that measure compliance status, audit results, and risk posture.
  • Present findings and trends to the cybersecurity supervisor/director on a regular basis.

Requirements:

  • Bachelor's degree in information technology, cybersecurity, or a related field, or equivalent relevant experience
  • 3+ years of experience in cybersecurity GRC, compliance, or related fields
  • Working knowledge of major security standards (NIST, ISO 27001, CIS, etc.)
  • Strong understanding of U.S. federal and state cybersecurity laws and data protection regulations
  • Experience writing and managing cybersecurity policies and procedures
  • Ability to conduct risk assessments, audits, and support certification efforts
  • Familiarity with GRC tools and platforms (e.g., OneTrust, Archer, ServiceNow GRC)
  • Excellent verbal and written communication skills; able to communicate with technical and non-technical stakeholders
  • Strong organizational, time management, and project coordination skills

Preferred Qualifications (Nice to Have):

  • Relevant certifications: Security+, CGRC, CISA, CRISC, or similar
  • Experience supporting SOC 2, ISO 27001, FedRAMP, ITAR or CMMC certification processes
  • Background in security awareness training or program development

Category: Compliance Jobs

Tags: Audits CGRC CISA CMMC Compliance CRISC FedRAMP Governance Incident response ISO 27001 NIST Risk assessment SOC SOC 2

Region: North America
Country: United States
