GRC Analyst

About the Job:

Cyderes is looking for an GRC Analyst. The GRC Analyst will be responsible for daily activities in implementing the information security and compliance programme. You will help maintain audit and compliance projects to ensure policies, standards, procedures, and audit activities are according to business, IT, and regulatory requirements. You will also participate in and support multiple department activities. These activities may include quarterly user access reviews, the development of information security policies, procedures, and standards. Additionally, they may involve training and awareness activities. You will also review and respond to security requirements and inquiries regarding existing or proposed solutions. You will perform internal and external security compliance monitoring activities, manage client audits, IT control audits, and security risk assessments.

To be successful in this role, you must be comfortable with evaluating, documenting, and creating remediation plans. These plans must meet compliance requirements in a specific area. The effectiveness of the implementation and operation of the information security and compliance directives will measure success. You will be reporting to Senior Manager GRC and Security.

Responsibilities:

• Coordinate IT security governance, risk and compliance activities across the enterprise
• Oversee information security compliance activities, including daily, weekly, quarterly and annual security risk assessments – both performing internal assessments and responding to external assessments
• Respond to request for information on Cyderes' security compliance from customers and partners, review and negotiate relevant agreements
• Support efforts for compliance with SOC2, ISO 27001, and other security standards and regulatory frameworks
• Conduct audit readiness assessments and coordinate with internal and external functions and audit resources
• Support the implementation and administration of the Governance, Risk, and Compliance system (GRC)
• Collaborate with other departments to direct security compliance issues to appropriate channels for investigation and resolutions
• Revise and maintain security and controls procedures following applicable regulations
• Ensure Continuous Compliance through Continuous testing of security and privacy control
• Provide recommendations for technology, licencing, and process updates to improve Cyderes overall security posture
• Develop and provide reports to keep management informed of the operation and progress of compliance efforts

Requirements

• Minimum 3 years in a GRC role with at least 1 full year of hands-on administration of a GRC automation tool (Vanta, Drata, or Sprinto). We prefer Vanta.
• Experience in design and implementation of information security policies and controls
• Experience participating in external security audits; SOC2 Type II
• Experience conducting needs assessments and identifying/implementing appropriate solutions
• Knowledge of security technologies and architecture, including encryption, cloud network security design, security group configuration, intrusion detection, data loss prevention and application security
• CISSP, CISM, CISA certifications
• Analyst A (The Internal Builder): Focuses on Vanta, SOC2/ISO mapping, and internal engineering/DevOps agreement.)
• Evidence Collection: Experience translating abstract SOC2 criteria into technical screenshots, logs, or API outputs.
• Experience translating abstract SOC2 Common Criteria or ISO 27001 clauses into applicable technical controls.
• Analyst B (The External/Risk Specialist): Focuses on Third-Party Risk, Customer Questionnaires/Trust Centre, and Privacy (GDPR/CCPA).
• high proficiency in interpreting SOC2/ISO reports and Data Processing Agreements (DPAs)
• Advanced Third-Party Risk (TPRM) Analysis requires minimum 3 years of hands-on experience. This experience is in evaluating SaaS vendors, with the ability to dissect SOC2 Type II, ISO 27001, and Reach Test reports.
• Vanta Trust Centre & Questionnaire Automation: Proficiency in managing Vanta's Trust Centre and Vendor Risk modules.
• Privacy & Data Protection Liaison: Practical experience navigating Data Processing Agreements (DPAs) and mapping vendor risks to privacy frameworks like GDPR, CCPA, or HIPAA.