Governance, Risk and Compliance Analyst, Kandji

• 3-5 years of relevant experience in Information Security Governance, Risk and Compliance (GRC) or relevant security compliance roles in the tech industry. Big 4 consulting experience is a plus
• Two (2) years of experience in leading SOC2, ISO 27001 audits
• Experience in performing risk-based testing for control compliance, including the identification, assessment, and mitigation of compliance issues: understanding how to balance the company's risk appetite to compliance needs/requirements
• Detailed knowledge and experience with technology controls across a variety of industry frameworks and how to assess controls supporting compliance for SOC2, CMMC, ISO 27001, ISO 27701, ISO 42001, CSA Star and global privacy regulations
• Experience in information security compliance in a role that required cross-departmental collaboration including leading day to day activities, improving processes and owning outcomes
• Detailed knowledge of information security, technology compliance management industry frameworks and standards: NIST, OWASP, SANS, ISO-27001/2
• Experience developing dynamic approaches to the implementation of a technology compliance program utilizing a variety of testing methods, both manual and automated, to provide qualitative and quantitative results where applicable
• Strong analytical and problem-solving skills
• Excellent project management, written and verbal communication skills
• Ability to manage multiple priorities and deadlines
• Proven track record as a strong cross-teams collaborator and team player, dealing with complex programs and influencing cross-functional audiences
• Required to work on-site 5 days a week

Desirable

• Kandji is looking for a Governance Risk and Compliance (GRC) Analyst to add to our growing Security, IT and Trust teams
• The GRC team is part of the Kandji Security and Trust organization and manages key pillars of Kandji’s Risk Management framework
• The GRC team is responsible for Customer Assurance, Security Compliance, Policy Governance, Information Security Risk Assessment, Third Party Risk Management, Security Compliance training and awareness, and Privacy
• This opportunity provides the ability to work with various teams to evaluate controls, perform control testing to improve the design and operational effectiveness of the various GRC programs
• This includes facilitating the development and maintenance of standards, processes, and tooling in order to promote scalability, repeatability and growth of the function
• You will also facilitate risk assessments and control reviews to accommodate new business areas as well as changes in processes
• This includes management of information security risk assessment process, defining and creating risk methodology, developing new or expanding product risk analysis
• The GRC Analyst will report to the Team Lead, GRC and work collaboratively with other departments across Kandji
• In support of multiple frameworks (e.g. ISO 27XXX, SOC2) plan, design and execute controls testing, controls assessment and risk management practices
• Perform gap assessments on framework scope expansion exercises
• Collaborate with cross-functional teams to develop and implement information security/privacy policies, procedures, and controls to mitigate information security and data privacy risks
• Perform information security risk assessments on 3rd Party vendors
• Collaborate with the go-to-market team on customer security due diligence, including security questionnaires and working on to ensure Kandji’s trust center is up to date
• Conduct and initiate user access reviews over critical applications for all employees and contractors
• Conduct impact assessments (PIAs, BIAs, AIIAs) and assist in developing strategies to address identified risks
• Conduct data classification assessments to identify and categorize sensitive information based on its level of confidentiality, criticality, and regulatory implications
• Assist with planning and execution of internal and external audits
• Assist with the preparation of reports and presentations for management and regulatory agencies
• Support in the development and implementation of compliance training and awareness programs
• Participate or lead special ad-hoc projects or initiatives as assigned