
Senior Analyst, Governance, Risk and Compliance (Denver, Los Angeles and/or Indiana)

formstack · 30+ days ago
Denver, CO
$94k+
Estimation
Full-time
Who You Are:

The Senior Analyst, Governance, Risk, and Compliance (GRC) is a key member of the Information Security team responsible for managing, monitoring, and advancing Formstack’s compliance with various security and privacy regulations and frameworks. This individual will play a pivotal role in ensuring that Formstack’s operations, products, and services are compliant with industry standards while helping to mitigate risks and support governance initiatives.

What You Will Do:

- Lead and manage Formstack’s compliance initiatives related to regulations such as HIPAA, SOC 2, GDPR, ISO 27001, PCI-DSS, CCPA, and others.
- Collaborate with internal teams (product, legal, IT, and engineering) to develop, implement, and maintain Formstack’s security policies, controls, and procedures.
- Perform risk assessments and conduct security audits across departments to ensure compliance with regulatory and industry standards.
- Assist in the preparation and facilitation of external audits and certifications (e.g., SOC 2 audits, ISO 27001 certification processes).
- Maintain and enhance Formstack's risk management framework, including the identification, assessment, and mitigation of operational, legal, and regulatory risks.
- Monitor security compliance trends, changes in regulatory requirements, and new compliance frameworks relevant to Formstack’s operations.
- Develop, maintain, and update internal documentation, including security policies, standards, and guidelines, to ensure they reflect current regulatory requirements and best practices.
- Manage the vendor risk management program, including the review and monitoring of vendor compliance with Formstack’s security standards.
- Support security awareness training programs across the organization to ensure that all employees are knowledgeable about GRC policies.
- Provide guidance on governance initiatives and best practices to help improve organizational alignment with compliance and risk management standards.
- Ensure incident response plans and business continuity plans are up to date and regularly tested through internal tabletops.
- Collaborate on data privacy initiatives and ensure that Formstack’s practices align with privacy regulations like GDPR and CCPA.
- Act as a liaison between external regulatory bodies, auditors, and internal teams.

What We Are Looking For:

- 5+ years of experience in Governance, Risk, and Compliance (GRC) or a related field, ideally within a SaaS, technology, or healthcare-related environment.
- Strong knowledge of industry standards and frameworks, including NIST, SOC 2, or ISO 27001.
- Demonstrated experience conducting risk assessments, security audits, and managing compliance projects.
- Hands-on experience with cloud security and compliance in environments like AWS.
- Strong understanding of cybersecurity principles.
- Experience with third-party vendor risk management and compliance monitoring.
- Excellent written and verbal communication skills, with the ability to translate complex regulatory requirements into actionable guidance.
- Ability to work cross-functionally with legal, IT, and engineering teams.
- Strong organizational skills, attention to detail, and the ability to manage multiple projects in a fast-paced environment.

Bonus Points:

- Bachelor’s degree in a relevant field (e.g., Information Security, IT, Business, Law, Engineering).
- Certifications such as CISSP, CISA, CISM, or CRISC.
- Familiarity with frameworks such as COBIT or ISO 31000.
- Experience in the technology or SaaS industry, with a focus on product compliance.
- Knowledge of secure software development practices and DevSecOps.
- Experience working in an agile or DevOps environment.
- Strong knowledge of industry standards and frameworks, including HIPAA, GDPR, PCI-DSS and CCPA.

Last updated on Oct 3, 2024
