7 days ago

GRC Analyst

Jobs via Dice

Hybrid
Full Time
$125,000

Job Overview

Job Title: GRC Analyst
Job Type: Full Time
Category: Commerce
Experience: 5 Years
Degree: Master
Offered Salary: $125,000
Location: Hybrid

Job Description

GRC Analyst at Vaco by Highspring

Vaco by Highspring is seeking a dedicated GRC Analyst for a 6-month contract-to-hire opportunity, offering 100% remote work. This pivotal role focuses on strengthening the organization's security posture through the design, implementation, and management of control and risk workflows within AuditBoard. You will be instrumental in ensuring compliance with industry standards and regulations, identifying and mitigating risks, and supporting the broader security governance framework.

Key Responsibilities

  • Control / Risk Workflow Management: Design, configure, and maintain control frameworks and risk workflows specifically within AuditBoard. Align organizational objectives with compliance requirements and develop detailed control procedures mapped to internal policies and frameworks such as HIPAA, HITRUST, and PCI. Monitor and update risk registers in AuditBoard for accurate tracking and prioritization, and automate workflows for streamlined control testing, evidence collection, and remediation processes.
  • Compliance / Audit Support: Facilitate audits and assessments using AuditBoard for efficient evidence management and reporting. Prepare and present comprehensive reports on control effectiveness, risk status, and compliance gaps to leadership.
  • Risk Assessment / Mitigation: Conduct thorough risk assessments to identify vulnerabilities, documenting findings within AuditBoard. Develop and implement effective risk mitigation strategies, tracking their progress within the GRC platform. Monitor and report on Key Risk Indicators (KRIs) to proactively address emerging risks.
  • Policy / Procedure Development: Create and update security policies, procedures, and standards to support robust compliance and risk management. Ensure all policies are integrated into AuditBoard for tracking and enforcement.
  • Training / Awareness: Support the development and delivery of security awareness training programs, fostering a strong culture of security and compliance across the organization.
  • Vendor / Third-Party Risk Management: Evaluate third-party vendors for security and compliance risks. Track vendor assessments and collaborate with business owners on remediation action plans and activities.
  • Continuous Improvement: Identify and recommend opportunities to enhance GRC processes and workflows within AuditBoard, improving efficiency and effectiveness of the overall security program.
  • Independent / Team Collaboration: Work effectively as a standalone GRC resource while collaborating cross-functionally within a fast-paced, small business environment.
  • Organization / Time Management: Apply strong organizational skills to manage multiple priorities, audit deadlines, and control testing cycles simultaneously.

About the Project

This newly created GRC Analyst position is a high-impact role within the IT Security Team, sitting in a small but growing Risk & Compliance Team. The core focus is on hands-on AuditBoard implementation and optimization, including designing control frameworks, mapping controls to standards, integrating evidence, developing procedures, automating workflows, managing risk registers, tracking exceptions, and handling reporting.

Beyond AuditBoard, you will lead policy and procedure refresh projects, advance third-party risk management, conduct application and risk assessments, support internal/external audits, monitor KRIs, contribute to the 2027 GRC roadmap, and assist with broader security documentation and reporting.

This proactive role emphasizes continuous improvement and process optimization over repetitive tasks, aiming to build a scalable GRC ecosystem.

Job Requirements

  • GRC Tool Administration: Proven proficiency in configuring, customizing, and managing workflows in AuditBoard and other GRC platforms. This includes expertise with risk registers, control libraries, issue tracking, evidence collection, and audit management modules.
  • Framework Expertise: Strong understanding of compliance frameworks such as NIST 800-53, SOC 2, HIPAA, and HITRUST, including control mapping, gap assessments, and ongoing monitoring requirements.
  • Risk Management: Solid understanding of risk management principles and methodologies, including inherent vs. residual risk, risk scoring models, control effectiveness evaluations, and risk treatment planning.
  • Technical Foundation: Basic knowledge of IT systems, networking, cloud, and security technologies like firewalls, IAM, encryption, logging, and vulnerability management concepts.
  • Analytical / Problem-Solving: Excellent analytical and problem-solving skills with meticulous attention to detail for reviewing evidence, identifying control gaps, and validating remediation activities.
  • Communication Skills: Strong written and verbal communication skills, capable of translating technical findings into business risk language for both technical and non-technical stakeholders.

Preferred Qualifications

  • Certifications such as CISA, CRISC, CISM, Security+, or ISO 27001 Lead Auditor are a plus.

Key Skills / Competencies

  • GRC Analyst
  • AuditBoard
  • Risk Management
  • Compliance
  • Control Frameworks
  • NIST 800-53
  • HIPAA
  • HITRUST
  • SOC 2
  • Security Governance

Tags:

  • GRC Analyst
  • AuditBoard
  • Risk Management
  • Compliance
  • Control Frameworks
  • Security Posture
  • Workflow Automation
  • Policy Development
  • Vendor Risk Management
  • Audit Support
  • NIST 800-53
  • SOC 2
  • HIPAA
  • HITRUST
  • PCI
  • IAM
  • Cloud Security
  • Vulnerability Management
  • Encryption
  • Logging

How to Get Hired at Jobs via Dice

  • Research Vaco by Highspring's culture: Study their mission, values, recent news, and employee testimonials on LinkedIn and Glassdoor.
  • Tailor your resume for GRC Analyst: Highlight AuditBoard proficiency, compliance frameworks (NIST, HIPAA, SOC 2), and risk management experience using targeted keywords.
  • Showcase your AuditBoard expertise: Provide concrete examples of designing and optimizing workflows, managing risk registers, and automating processes in AuditBoard.
  • Prepare for technical and behavioral questions: Be ready to discuss specific projects where you've managed control frameworks, mitigated risks, and supported audits, demonstrating problem-solving and communication skills.
  • Highlight remote work capabilities: Emphasize your ability to work independently, manage priorities, and collaborate effectively in a remote, fast-paced environment.
