Information Security GRC Analyst

We are seeking a proactive and detail-oriented Governance, Risk, and Compliance (GRC) Analyst to join our growing Information Security team. In this role, you will support the development, implementation, and maintenance of the company’s GRC framework, ensuring compliance with healthcare regulations, privacy standards, and risk management principles. You will assist in activities related to HIPAA, HITRUST, and third-party risk assessments while collaborating closely with cross-functional teams to safeguard sensitive health data, including Protected Health Information (PHI). This role will report to the GRC Team Lead.
This position can be hybrid but must be local to the Des Moines, IA or surrounding area to work onsite as needed (multiple days during training, then 1-2 times/month) and when others from the team are onsite.

Position Responsibilities may include, but not limited to

• Governance & Risk Management: Contribute to the ongoing development and maintenance of the GRC framework, policies, and procedures, ensuring alignment with regulatory requirements, privacy standards, and business objectives, particularly regarding PHI protection
• HITRUST Certification: Assist with the HITRUST certification process by gathering necessary documentation, participating in assessments, and ensuring that audits are up to date and complete
• Third-Party Risk Assessments: Aid in conducting third-party risk assessments, ensuring that vendors comply with required security and privacy regulations.
• Collaboration with Cross-Functional Teams: Collaborate with internal teams (e.g., Compliance, Legal, IT) to align risk management practices across the organization and support the overall governance strategy
• Risk Reporting & Analysis: Contribute to the identification and assessment of key risks, helping to produce reports that provide actionable insights
• Continuous Improvement: Stay up to date with industry trends, regulatory changes, and emerging risks to ensure that the company’s GRC practices remain effective and relevant
• Training & Awareness: Promote risk awareness within the organization and provide training and guidance on key regulations
• Oversee tools that highlight data classification inside of the enterprise
• Assist in monitoring security logs and daily activities for suspicious behavior and escalate incidents as necessary
• Assist with the drafting, reviewing, and updating of information security policies to ensure alignment with regulatory requirements and best practices for healthcare organizations
• Actively support the organization's incident response efforts, including assisting in the investigation, containment, and remediation of security incidents
• Be part of the on-call rotation for incident response, providing critical support during after-hours or emergency security incidents

Required Skills and Experience

• Proven experience (3+ years) in GRC or risk management, with a strong focus on governance and risk
• Hands-on experience supporting the management of HITRUST certification
• Strong understanding of risk management principles, frameworks, and methodologies (e.g., NIST, ISO 27001)
• Knowledge of regulatory compliance such as HIPAA, HITRUST, GDPR, CCPA, and PCI DSS
• Experience working with cross-functional teams to drive security and risk initiatives
• Experience in conducting or supporting third-party risk assessments, especially in relation to healthcare data security and privacy
• Excellent communication skills with the ability to explain complex risk and governance concepts to both technical and non-technical stakeholders
• Strong analytical and problem-solving skills
• Ability to work independently and manage multiple priorities in a fast-paced environment
• Strong organizational and time management skills
• Continuous drive to learn and grow professionally in the fields of GRC and information security

Preferred Skills and Experience

• Relevant certifications (e.g., Security+, CRISC, CISM, CISSP) 

Physical Requirements

• Repetitive motions that include the wrists, hands and/or fingers
• Sedentary work that primarily involves sitting, remaining in a stationary position for prolonged periods
• Visual perception to perform job including peripheral vision, depth perception, and the ability to adjust focus