GRC Analyst
Momentum · Dallas, TX · 3 wk ago
Business Development$5/hrFull-time
About the role
Momentum is seeking a Security GRC & Risk Analyst to oversee the governance, risk, and compliance execution layer across a holding company and portfolio of businesses. This role is build-oriented with a defined scope, focusing on SOC 2 Type II audit, NIST CSF remediation, security policy library, vendor risk program, and client-facing security questionnaires.
Responsibilities
- SOC 2 & NIST CSF Program
- Own the internal SOC 2 Type II evidence collection process, manage audit timeline, liaison with external auditor, and remediation finding closure between cycles.
- Own the NIST CSF remediation roadmap: maintain gap register, report progress to VP and vCISO, and coordinate with portfolio company IT teams to assess and close control gaps.
- Build and maintain a unified controls library mapping SOC 2 Trust Services Criteria, NIST CSF subcategories, and applicable regulatory requirements.
- Prepare the organization for bi-annual NIST CSF assessments, ensuring controls are documented and defensible.
- Security Policy & AI Governance
- Operationalize the enterprise-wide information security policy library across the corporate entity and portfolio companies. Inventory gaps against SOC 2, NIST CSF, and applicable regulations; draft, publish, and version-control policies in coordination with the vCISO.
- Bridge with the Data Privacy legal team on overlapping areas: data classification, retention, and incident notification.
- Develop and maintain the AI governance framework: tool intake review, data handling risk assessment, and acceptable use policy. Evaluate AI tools proposed across the corporate entity and portfolio companies against security and compliance standards.
- Own AI-related policy documentation and track emerging regulatory requirements including the EU AI Act and NIST AI RMF.
- Risk Management & Vendor Risk
- Build and maintain a risk register with risk-to-control mapping. Define and document formal risk tolerance and appetite in coordination with the vCISO and leadership.
- Own the third-party risk management program. Define and implement a tiered due diligence model (critical, high, medium, low) and conduct recurring reviews of critical service providers.
- Manage vendor risk assessments for tools under evaluation — SASE, CASB, DLP, AI governance tooling, and security platform consolidation. Coordinate with the Data Privacy legal team on vendors with material data processing obligations.
- Lead operationalization of the GRC platform (OneTrust) for centralized vendor inventory, risk scoring, and lifecycle management.
- Client Questionnaires & Audit Support
- Manage and respond to inbound security questionnaires from portfolio company clients (SIG, CAIQ, and custom formats). Build and maintain a response library to improve turnaround time and accuracy.
- Career development and advancement opportunities within a dynamic and supportive environment. Opportunities to contribute to impactful projects across diverse industries and business models.
- BCP/DR & Security Awareness
- Own BCP/DR formalization: develop a business continuity charter, coordinate Business Impact Analysis across the corporate entity and portfolio companies, define RTO/RPO for critical operations, and ensure crisis management is embedded in the IR framework.
- Manage the KnowBe4 security awareness training program: campaign management, phishing simulations, completion tracking, and leadership reporting.
- Manage the security testing program as the organization transitions from annual to continuous autonomous pentesting. Own vendor relationships, track findings to remediation, and produce executive-ready reporting.
Qualifications
- 5-7 years in GRC, security compliance, risk management, or a closely related security function.
- Hands-on experience owning or supporting a SOC 2 Type II audit: evidence collection, control mapping, and auditor coordination.
- Solid working knowledge of NIST CSF: gap assessments, control mapping, and remediation tracking.
- Demonstrated experience building or formalizing a security policy library, not just updating existing documents.
- Experience managing third-party and vendor risk assessments using a tiered risk model.
- Experience responding to client security questionnaires: SIG, CAIQ, or similar formats.
- Clear understanding of the boundary between GRC and legal/privacy functions. Proven ability to work alongside a legal team without blurring lanes.
- Strong written communication: you can translate technical controls into clear, accurate language for clients, auditors, and executives.
- Disciplined project management: you own timelines, follow up without being asked, and don't let things fall through.
- Active daily use of AI and automation. We operate at 100% internal AI adoption. Non-negotiable.