- Location: Libertyville, IL
- Type: Contract To Hire Remote
- Job #9408
Compliance analysts are expected to operate with moderate independence, taking lead and serving as point of contact for specific GRC initiatives with minimal day-to-day supervision. Compliance analysts are expected to consult staff, serving as an adviser that can interpret control activities, policies, and standards for effective implementation.
This role is fully remote from any state except NY, NJ, or CA.
70-100/hr RTH (preferred) or 140-170k salary.
Responsibilities Include:
Risk Management: Leads risk assessments and risk mitigation planning as assigned. This includes, in partnership with technical staff, reviewing submitted exceptions or known risks and offering suggestions to avoid or mitigate risk, either through technical or operational changes. Conducts control tests and internal audits to validate existing risk mitigation measures are taking place.
Policy Development & Governance: Owns the policy lifecycle for assigned policies, which includes annual review that includes input from all relevant stakeholders (IT Support, engineering, or Senior Leadership Team members). Takes assignment to update existing or draft new policies, standards, or procedures as service offerings or audit expectations change.
Audit Management: Serves as a liaison with external auditors or internal audit leads, preparing audit evidence and responses, and driving remediation efforts.
Compliance Maintenance: Leads regular compliance monitoring efforts, including:
- Conducting quarterly or administrative access reviews
- Participating in change management to ensure compliance with policy
- Approving data device disposal requests to ensure compliance with policy
Business Impact Analysis: For assigned identified critical processes, identify the critical systems and vendors that depend on that process, assess reputational, regulatory, and financial risk of that process becoming unavailable, test existing continuity and recovery plans and document gaps.
Business Continuity Planning: Draft or maintain assigned business continuity plans in conjunction with business process owners and executive sponsors in accordance with Business Continuity Policy.
Vendor Risk Management: Leads regular vendor security assessments and due diligence, ensuring vendors meet security requirements according to their risk-based classification, and identifying the need for supplementary or architectural review.
Data Governance & Privacy: As assigned, manage personal data inventories (e.g., mapping where Protected Health Information (PHI) is stored in applications), maintain documentation of data collection, usage, and protection measures, and oversee privacy impact assessments.
Relevant certification and education includes:
Certified Information Systems Auditor (CISA) – for audit and compliance expertise.
Certified in Risk and Information Systems Control (CRISC) – for risk management specialization.
Certified Information Security Manager (CISM) – for management of enterprise information security programs.
ISO 27001 Lead Implementer/Auditor – demonstrating ability to implement and audit against ISO 27001 standards.
Certified Information Privacy Manager (CIPM) or Certified Information Privacy Professional (CIPP) – if the role involves data privacy compliance.
Continued pursuit of (ISC)² CISSP (often achieved at this level if not already) is highly valued for broad security knowledge.
Estimated Compensation: $70.00 - $100.00 Per Hour
Pattie Tsivouras