Governance Risk and Compliance (GRC) Analyst

Remote: Full Remote

Offer summary

Qualifications:

  • Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or a related field required.
  • 8+ years of experience in Governance, Risk, and Compliance roles.
  • Certified in CISSP, CISM, or CGRC strongly preferred.
  • Proficient in AuditBoard and knowledgeable in information security management principles.

Key responsibilities:

  • Implements security controls and risk assessment frameworks to ensure compliance with regulatory requirements.
  • Evaluates risks and develops security standards, procedures, and controls to enhance security posture.
  • Documents and reports control failures and provides remediation guidance to stakeholders.
  • Assists in the management and oversight of security program functions and remains current on best practices.

Healthtech Consultants Information Technology & Services SME https://www.healthtech.ca/
51 - 200 Employees

Job description

Make a difference. Be happy. Grow your career.

THE ROLE

The Information Security Governance, Risk, and Compliance (GRC) Analyst coordinates and performs Nordic's security assessment functions and control testing, reporting, and activities in accordance with Nordic's internal compliance, regulatory, and departmental policies and procedures. The GRC analyst maintains control metrics and provides recommendations for management's consideration. This position ensures compliance with Nordic's internal controls and with regulatory and information security policies and procedures. The GRC analyst works with internal audit, external audit firms, and regulatory agencies to provide supporting documentation as applicable. The GRC analyst plays a supporting role in ensuring the security of all protected information collected, used, maintained, or released by Nordic.

RESPONSIBILITIES

The GRC analyst's responsibilities will include, but are not limited to:

  • Implements security controls, a risk assessment framework, and a program that align to regulatory requirements, ensuring documented and sustainable compliance that aligns with and advances Nordic's business objectives.

  • Evaluates risks and develops security standards, procedures, and controls to manage risks. Improves Nordic’s security positioning through process improvement, policy, automation, and the continuous evolution of capabilities. 

  • Implements processes, such as GRC (governance, risk and compliance), to automate and continuously monitor information security controls, exceptions, risks, testing. Develops reporting metrics, dashboards, and evidence artifacts. 

  • Defines and documents business process responsibilities and ownership of the controls in the GRC tool. 

  • Updates security controls and provides support to all stakeholders on security controls covering internal assessments, regulations, protecting Personally Identifying Information (PII) data and Protected Health Information (PHI). 

  • Performs and investigates internal and external information security risk and exception assessments. Assesses incidents, vulnerability management, scans, patching status, secure baselines, penetration test results, phishing, and social engineering tests and attacks.

  • Documents and reports control failures and gaps to stakeholders. Provides remediation guidance and prepares management reports to track remediation activities. 

  • Assists other staff in the management and oversight of security program functions. 

  • Remains current on best practices and technological advancements and acts as Nordic’s technical resource for security assessment and regulatory compliance. 

  • Performs other related duties as assigned. 


EXPERIENCE

  • Proficient in AuditBoard strongly preferred. 

  • Applicable information security management, governance, and compliance principles, practices, laws, rules, and regulations (HITRUST, ISO, NIST, SOC2, HIPAA, GDPR).

  • Information technology systems and processes, network infrastructure, data architecture, data processes, and protocols.

  • Cyber and cloud security standard frameworks, architecture, design, operations, controls, technology, solutions, and service orchestration.

  • Information systems auditing, monitoring, controlling, and assessment processes.

  • Incident response management.

  • Risk assessment and management methodology.

  • Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or a related field required. 

  • 8+ years of experience in Governance, Risk, and Compliance roles. 

  • Certified in CISSP, CISM, or CGRC strongly preferred. 

  • Proven experience securing one or more major cloud platforms (e.g., AWS, Azure, GCP).

  • Working knowledge of scripting languages (e.g., Python, PowerShell) for automating tasks. 

  • Strong understanding of security principles and best practices (e.g., zero trust, least privilege). 

  • Excellent analytical and problem-solving skills. 

  • Meticulous attention to detail and accuracy. 

  • Effective communication and interpersonal skills. 

  • Ability to work independently and collaboratively within a team environment. 

ADDITIONAL DETAILS

  • Position is remote 

  • Ability to travel up to 10% of the time 

Nordic is an equal opportunity employer. We are committed to creating an inclusive environment for all employees and applicants. We do not discriminate on the basis of race, color, religion, sex, national origin, age, disability, genetic information, marital or veteran status, or any other protected status under applicable federal, state, or local laws. We encourage individuals of all backgrounds to apply, including women, minorities, individuals with disabilities, and veterans.

Required profile

Industry: Information Technology & Services
Spoken language(s): English

Other Skills

  • Communication
  • Analytical Skills
  • Teamwork
  • Detail Oriented
  • Social Skills
  • Problem Solving