Jobs · Business Development · Texas

GRC Analyst

Momentum · Dallas, TX · 3 wk ago
Business Development$5/hrFull-time

About the role

Momentum is seeking a Security GRC & Risk Analyst to oversee the governance, risk, and compliance execution layer across a holding company and portfolio of businesses. This role is build-oriented with a defined scope, focusing on SOC 2 Type II audit, NIST CSF remediation, security policy library, vendor risk program, and client-facing security questionnaires.

Responsibilities

  • SOC 2 & NIST CSF Program
    • Own the internal SOC 2 Type II evidence collection process, manage audit timeline, liaison with external auditor, and remediation finding closure between cycles.
    • Own the NIST CSF remediation roadmap: maintain gap register, report progress to VP and vCISO, and coordinate with portfolio company IT teams to assess and close control gaps.
    • Build and maintain a unified controls library mapping SOC 2 Trust Services Criteria, NIST CSF subcategories, and applicable regulatory requirements.
    • Prepare the organization for bi-annual NIST CSF assessments, ensuring controls are documented and defensible.
  • Security Policy & AI Governance
    • Operationalize the enterprise-wide information security policy library across the corporate entity and portfolio companies. Inventory gaps against SOC 2, NIST CSF, and applicable regulations; draft, publish, and version-control policies in coordination with the vCISO.
    • Bridge with the Data Privacy legal team on overlapping areas: data classification, retention, and incident notification.
    • Develop and maintain the AI governance framework: tool intake review, data handling risk assessment, and acceptable use policy. Evaluate AI tools proposed across the corporate entity and portfolio companies against security and compliance standards.
    • Own AI-related policy documentation and track emerging regulatory requirements including the EU AI Act and NIST AI RMF.
  • Risk Management & Vendor Risk
    • Build and maintain a risk register with risk-to-control mapping. Define and document formal risk tolerance and appetite in coordination with the vCISO and leadership.
    • Own the third-party risk management program. Define and implement a tiered due diligence model (critical, high, medium, low) and conduct recurring reviews of critical service providers.
    • Manage vendor risk assessments for tools under evaluation — SASE, CASB, DLP, AI governance tooling, and security platform consolidation. Coordinate with the Data Privacy legal team on vendors with material data processing obligations.
    • Lead operationalization of the GRC platform (OneTrust) for centralized vendor inventory, risk scoring, and lifecycle management.
  • Client Questionnaires & Audit Support
    • Manage and respond to inbound security questionnaires from portfolio company clients (SIG, CAIQ, and custom formats). Build and maintain a response library to improve turnaround time and accuracy.
    • Career development and advancement opportunities within a dynamic and supportive environment. Opportunities to contribute to impactful projects across diverse industries and business models.
  • BCP/DR & Security Awareness
    • Own BCP/DR formalization: develop a business continuity charter, coordinate Business Impact Analysis across the corporate entity and portfolio companies, define RTO/RPO for critical operations, and ensure crisis management is embedded in the IR framework.
    • Manage the KnowBe4 security awareness training program: campaign management, phishing simulations, completion tracking, and leadership reporting.
    • Manage the security testing program as the organization transitions from annual to continuous autonomous pentesting. Own vendor relationships, track findings to remediation, and produce executive-ready reporting.

Qualifications

  • 5-7 years in GRC, security compliance, risk management, or a closely related security function.
  • Hands-on experience owning or supporting a SOC 2 Type II audit: evidence collection, control mapping, and auditor coordination.
  • Solid working knowledge of NIST CSF: gap assessments, control mapping, and remediation tracking.
  • Demonstrated experience building or formalizing a security policy library, not just updating existing documents.
  • Experience managing third-party and vendor risk assessments using a tiered risk model.
  • Experience responding to client security questionnaires: SIG, CAIQ, or similar formats.
  • Clear understanding of the boundary between GRC and legal/privacy functions. Proven ability to work alongside a legal team without blurring lanes.
  • Strong written communication: you can translate technical controls into clear, accurate language for clients, auditors, and executives.
  • Disciplined project management: you own timelines, follow up without being asked, and don't let things fall through.
  • Active daily use of AI and automation. We operate at 100% internal AI adoption. Non-negotiable.

Similar jobs

GRC Analyst

Hayward Holdings, Inc.Clemmons, NC· 2 wk ago
Business Developmentapply on hayward.wd1.myworkdayjobs.com

GRC Analyst

Ease.ioIrvine, CA· 3 wk ago
Education$110k–$135k/yrapply on app.jazz.co

GRC Analyst

RogoNew York, NY· 1 wk ago
Business Developmentapply on jobs.ashbyhq.com

GRC Analyst

Stage 2 CapitalSan Francisco, CA· 4 days ago
Business Developmentapply on careers.stage2.capital

GRC Analyst

SpireDenver, CO· 6 days ago
Business Developmentapply on grnh.se

GRC Analyst

SpireTexas City, TX· 5 days ago
Business Developmentapply on grnh.se