Information Security GRC Analyst

We are seeking a proactive and detail-oriented Governance, Risk, and Compliance (GRC) Analyst to join our growing Information Security team.

In this role, you will support the development, implementation, and maintenance of the company’s GRC framework, ensuring compliance with healthcare regulations, privacy standards, and risk management principles.

You will assist in activities related to HIPAA, HITRUST, and third-party risk assessments while collaborating closely with cross-functional teams to safeguard sensitive health data, including Protected Health Information (PHI). This role will report to the GRC Team Lead.

This position can be hybrid but must be local to the Des Moines, IA or surrounding area to work onsite as needed (multiple days during training, then 1-2 times/month) and when others from the team are onsite.

Position Responsibilities may include, but not limited to

Governance & Risk Management: Contribute to the ongoing development and maintenance of the GRC framework, policies, and procedures, ensuring alignment with regulatory requirements, privacy standards, and business objectives, particularly regarding PHI protection

HITRUST Certification: Assist with the HITRUST certification process by gathering necessary documentation, participating in assessments, and ensuring that audits are up to date and complete

Third-Party Risk Assessments: Aid in conducting third-party risk assessments, ensuring that vendors comply with required security and privacy regulations.

Collaboration with Cross-Functional Teams: Collaborate with internal teams (e.g., Compliance, Legal, IT) to align risk management practices across the organization and support the overall governance strategy

Risk Reporting & Analysis: Contribute to the identification and assessment of key risks, helping to produce reports that provide actionable insights

Continuous Improvement: Stay up to date with industry trends, regulatory changes, and emerging risks to ensure that the company’s GRC practices remain effective and relevant

Training & Awareness: Promote risk awareness within the organization and provide training and guidance on key regulations

Oversee tools that highlight data classification inside of the enterprise

Assist in monitoring security logs and daily activities for suspicious behavior and escalate incidents as necessary

Assist with the drafting, reviewing, and updating of information security policies to ensure alignment with regulatory requirements and best practices for healthcare organizations

Actively support the organization's incident response efforts, including assisting in the investigation, containment, and remediation of security incidents

Be part of the on-call rotation for incident response, providing critical support during after-hours or emergency security incidents

Required Skills and Experience

Proven experience (3+ years) in GRC or risk management, with a strong focus on governance and risk

Hands-on experience supporting the management of HITRUST certification

Strong understanding of risk management principles, frameworks, and methodologies (e.g., NIST, ISO 27001)

Knowledge of regulatory compliance such as HIPAA, HITRUST, GDPR, CCPA, and PCI DSS

Experience working with cross-functional teams to drive security and risk initiatives

Experience in conducting or supporting third-party risk assessments, especially in relation to healthcare data security and privacy

Excellent communication skills with the ability to explain complex risk and governance concepts to both technical and non-technical stakeholders

Strong analytical and problem-solving skills

Ability to work independently and manage multiple priorities in a fast-paced environment

Strong organizational and time management skills

Continuous drive to learn and grow professionally in the fields of GRC and information security

Preferred Skills and Experience

Relevant certifications (e.g., Security+, CRISC, CISM, CISSP)

Physical Requirements

Repetitive motions that include the wrists, hands and/or fingers

Sedentary work that primarily involves sitting, remaining in a stationary position for prolonged periods

Visual perception to perform job including peripheral vision, depth perception, and the ability to adjust focus

Full-Time, Hybrid