About The Position

The GRC Analyst is responsible for the operational execution of OneRail's governance, risk, and compliance program. This role owns the day-to-day work that keeps OneRail's ISO 27001:2022 ISMS, SOC 2 Type II attestation, and regulatory compliance programs running — including risk register maintenance, vendor security assessments, policy management, evidence collection, corrective action tracking, and security awareness delivery. The GRC Analyst works closely with the CISO and across every team in the organization to collect evidence, manage findings, and ensure that compliance obligations are met continuously — not just during audit windows. This is a highly cross-functional role that requires both strong process discipline and the ability to build trusted relationships with stakeholders in Engineering, HR, Legal, Finance, and Operations.

Requirements

  • 3+ years of experience in GRC, information security compliance, or audit roles.
  • Working knowledge of ISO 27001, SOC 2 Trust Service Criteria, GDPR, HIPAA, and CCPA.
  • Experience collecting and managing compliance evidence and coordinating with external auditors.
  • Strong organizational skills — ability to manage multiple concurrent workstreams with defined deadlines.
  • Excellent written communication — able to draft clear policies, risk memos, and compliance reports.
  • Comfortable working cross-functionally with Engineering, HR, Legal, and Finance stakeholders.

Nice To Haves

  • CGRC, CISA, CRISC, or equivalent GRC/compliance certification.
  • CIPT, CIPP/E, or CIPP/US for privacy compliance responsibilities.
  • Experience with GRC platforms (Drata, Vanta, Tugboat Logic) or policy management tools (GitBook, Confluence).
  • Familiarity with NIST RMF, NIST CSF, and SIG Lite vendor questionnaire framework.
  • Experience in a SaaS technology company or logistics/supply chain sector.

Responsibilities

  • Maintain the enterprise security risk register — score risks using NIST likelihood/impact methodology, assign owners, track mitigation status, and report monthly to the CISO.
  • Maintain dedicated AI Risk and Shadow IT Risk Logs — identify, score, and document risks arising from unsanctioned AI tools and unapproved SaaS applications.
  • Support the CISO in drafting risk acceptance memos for policy exceptions or residual risks above threshold.
  • Assist in preparing the monthly SRC (Security & Risk Committee) security dashboard.
  • Coordinate ISO 27001:2022 internal audit evidence collection across all Annex A control domains. Prepare documentation packages for CISO review and external auditor submission.
  • Own SOC 2 Type II evidence collection and management across all five Trust Service Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy).
  • Monitor regulatory compliance obligations under GDPR, HIPAA, and CCPA — track data processing activities, keep the Record of Processing Activities (ROPA) current, and flag new data flows for assessment.
  • Manage the Corrective Action Plan (CAP) tracker — track all open audit findings and nonconformities from identification to closure, validating remediation evidence before closure.
  • Coordinate the annual information security policy review cycle — draft updates, route for stakeholder review, obtain CISO sign-off, and publish to the policy portal.
  • Manage the policy exception log — track all active exceptions with expiration dates, initiate renewal or closure reviews.
  • Administer the annual policy attestation program — ensure all employees read and attest to key policies (AUP, Data Classification, Password, Remote Work). Escalate non-completions to HR and department managers.
  • Conduct pre-procurement vendor security assessments using the SIG Lite questionnaire. Score vendor posture, collect SOC 2 or ISO 27001 evidence, and document results.
  • Manage the annual vendor re-assessment cycle for Tier 1 and Tier 2 vendors.
  • Maintain the DPA (Data Processing Agreement) inventory — track execution status, review terms for GDPR/HIPAA/CCPA alignment, and flag expirations for renewal.
  • Maintain the vendor risk register and provide status reporting to the CISO.
  • Perform initial security assessment for new SaaS application requests — review SSO/SAML support, data residency, encryption practices, and SOC 2 attestation. Escalate to the Security Engineering Lead for complex assessments.
  • Maintain and publish the approved SaaS application catalog. Flag and document unapproved tools identified through browser telemetry, expense reports, or employee tickets.
  • Update the Shadow IT Risk Log with findings from shadow IT detection activities.
  • Own the annual security awareness training program — manage the training platform, track completion, send escalating reminders, and report completion rates to the CISO.
  • Coordinate quarterly phishing simulation campaigns with the Associate Security Analyst — analyze results, automatically enroll users who fail a simulation in targeted remediation training, and present trends to the SRC.
  • Deliver new hire security onboarding briefings on or before Day 1, covering AUP, data classification, incident reporting, phishing awareness, password/MFA policy, and BYOD requirements.

What This Job Offers

  • Job Type: Full-time
  • Career Level: Mid Level
  • Education Level: No Education Listed
  • Number of Employees: 1-10 employees

© 2024 Teal Labs, Inc