Wait, What Do You Do?

Please Note: This is a Utah-based hybrid position which will require some regular in-office days each week. Additionally, employment with BambooHR is contingent on passing both a background and credit check.  Essential Job Duties <div class="p" data-block="true" data-editor="6tjur" data-offset-key="9q32c-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="9q32c-0-0">The GRC Analyst II is an important contributor on BambooHR’s Governance, Risk, and Compliance (GRC) team, helping to execute and support day-to-day compliance activities across information security, policy management, risk management, data classification, vendor risk, privacy, audit, and security awareness. This role partners closely with more senior GRC and security team members to implement and maintain information security policies and documentation; assess adherence to existing policies and standards; and help respond to and support security-related requirements from customers. The GRC Analyst II assists with performing and documenting security and vendor risk assessments, monitoring and tracking compliance status, and supporting the development and continuous improvement of GRC processes, procedures, standards, and guidance. The role also helps evaluate risks and controls that support BambooHR’s NIST CSF, ISO 27001, ISO 27018, ISO 42001, SOC 1, SOC 2, HITRUST, FedRAMP, and other regulatory and compliance initiatives. This position is ideal for someone with approximately two years of GRC or information security experience who has a solid understanding of security and compliance fundamentals, is comfortable learning and applying security control frameworks, and brings strong organization, attention to detail, communication, and writing skills.</div> </div> You will: <ul class="public-DraftStyleDefault-ul" data-offset-key="b5vsb-0-0"> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-reset public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="b5vsb-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="b5vsb-0-0">Collaborate with internal stakeholder teams (e.g., Engineering, IT, Product, Legal, HR) to document the implementation of security compliance controls across technical, management, and operational requirements.</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="6ld9h-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="6ld9h-0-0">Support and perform gap analyses of current policies, procedures, and practices against established guidelines and frameworks, including NIST, FISMA, HIPAA, and other applicable regulatory standards.</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="ea6qk-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="ea6qk-0-0">Assist with and conduct risk assessments of technology infrastructure, business processes, and security controls for assigned areas, documenting findings and recommended remediation steps.</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="7tqgf-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="7tqgf-0-0">Embrace AI as a core tool to enhance GRC accuracy, efficiency, and proactive risk management, while following internal standards for responsible AI use.</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="5nqp7-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="5nqp7-0-0">Use AI-powered platforms, under guidance from senior team members, for continuous controls monitoring, predictive risk analysis, and identification of potential compliance gaps.</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="ca29v-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="ca29v-0-0">Improve team efficiency in evidence collection, organization, and analysis - leveraging AI and automation where appropriate - so the GRC function can focus more time on higher-value risk and compliance activities. Contribute to the build-out, maintenance, and ongoing refinement of the enterprise controls matrix, ensuring alignment and mapping across multiple compliance frameworks (e.g., SOC 1, SOC 2, PCI DSS, NIST CSF, ISO 27001, ISO 27018, ISO 42001, HITRUST, HIPAA).</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="8t0u4-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="8t0u4-0-0">Assist in developing, updating, and maintaining security and compliance documentation, which may include the key documents required by the above standards.</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="c6cfh-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="c6cfh-0-0">Support the delivery, tracking, and ongoing improvement of information security training and awareness programs for employees and contractors.</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="aash7-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="aash7-0-0">Perform vendor security and risk assessments for new and existing vendors, document results, and occasionally interface directly with vendor contacts to clarify responses or request additional information.</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="l3pu-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="l3pu-0-0">Assist with tracking and coordinating activities related to threat and vulnerability management, including monitoring assessment results, following up on remediation efforts, and helping to ensure that vulnerabilities are addressed within defined timeframes.</div> </li> </ul> What You Need to Get the Job Done <ul class="public-DraftStyleDefault-ul" data-offset-key="3f768-0-0"> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-reset public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="3f768-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="3f768-0-0">Bachelor's degree in Computer Science, Information Technology, or related field</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="b9pab-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="b9pab-0-0">Minimum of 2 years of experience in compliance, audit, and/or information security</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="6e9fr-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="6e9fr-0-0">CISSP, CISA, CCSA, or equivalent certification preferred</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="av1tu-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="av1tu-0-0">Familiarity with enterprise-level compliance tools such as Drata, Vanta, ServiceNow, Archer, IBM GRC or other industry equivalent software</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="bjl4q-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="bjl4q-0-0">Foundational understanding and eagerness to learn NIST CSF, NIST RMF, ISO 27001, ISO 27018, ISO 42001, SOC 1, SOC 2, HIPAA and HITRUST</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="a6cp7-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="a6cp7-0-0">Basic understanding of cloud based environments for production applications, including Amazon Web Services, Google Cloud, or other large-scale cloud deployments</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="8qmij-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="8qmij-0-0">Experience in the vulnerability assessment lifecycle from the point of identification to remediation</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="3nb2m-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="3nb2m-0-0">Interpersonal skills to work as a team member and as a liaison</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="8hbiu-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="8hbiu-0-0">Excellent verbal communication, presentation, organizational and planning skills, and great attitude and ability to learn new things quickly</div> </li> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="8hbiu-0-0"> <div class="p" data-block="true" data-editor="6tjur" data-offset-key="20qno-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="20qno-0-0">Bachelor’s degree in Computer Science, Information Systems or related field.</div> </div> </li> </ul> What Will Make Us REALLY Love You  <ul> <li class="public-DraftStyleDefault-unorderedListItem public-DraftStyleDefault-reset public-DraftStyleDefault-depth0 public-DraftStyleDefault-listLTR" data-block="true" data-editor="6tjur" data-offset-key="bhrqi-0-0"> <div class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr" data-offset-key="bhrqi-0-0">Prior information security experience helpful</div> </li> </ul> What You'll Love About Us <ul> <li>A<a href="https://www.greatplacetowork.com/certified-company/5003334"> Great Company Culture</a> that has been recognized by multiple organizations like<a href="https://www.inc.com/profile/bamboohr"> Inc</a>, and<a href="https://topworkplaces.com/company/bamboohr-llc/saltlake/"> Salt Lake Tribune</a></li> <li>Comprehensive health, life, and disability insurance </li> <li>Generous leave policies that include 4 weeks of vacation, 12 company holidays, parental leave, and volunteer time off so you can enjoy quality of life</li> <li>401k plans with up to 6% company match</li> <li>$2000 Paid-Paid Vacation bonus</li> <li>EAP through Headspace</li> <li>Check out all our<a href="https://www.bamboohr.com/careers/benefits"> benefits that benefit you </a></li> </ul><div class="content-conclusion">  About Us At BambooHR, we're building something different: we're building a people intelligence platform that transforms HR and sets people free to do great work! We're a proven market leader driving innovation while building lasting success through thoughtful, sustainable growth. Here, you'll find a place that champions growth: both professional and personal, both individual and collective.  We invest in potential, giving you the space to stretch your capabilities and turn good ideas into reality while providing the safety net of a supportive, values-driven culture. Our approach combines meaningful work with meaningful lives, offering competitive benefits, professional development, and the flexibility to thrive both in and outside the office.  What sets us apart isn't just what we do, but how we do it: with openness, integrity, and a shared commitment to doing the right thing. Join us in creating HR software that makes work better for everyone, while we make work better for you. <a href="http://www.greatplacetowork.com/certified-company/5003334" target="_blank"><img style="display: block; margin-left: auto; margin-right: auto; max-width: 100%;" src="https://www.greatplacetowork.com/images/profiles/5003334/companyBadge.png" alt="Review" width="169"></a> BambooHR is committed to the full inclusion of all qualified individuals and will ensure that persons with disabilities are provided reasonable accommodations throughout the hiring process.  If you would like to request accommodations, please let your recruiter know. BambooHR is An Equal Opportunity Employer--M/F/D/V Because our team members are trusted to handle sensitive information, we require all candidates that receive and accept employment offers to complete a background check before being hired. For information on California Privacy Policy, <a href="https://www.bamboohr.com/legal/california-privacy-notice" target="_blank">click here</a>. Our process utilizes AI as an assistant to efficiently process and analyze candidate data. Recruiters and hiring managers maintain full oversight and accountability, ensuring that all final selection and rejection decisions are human-made and based solely on objective job qualifications. Please see our <a href="https://www.bamboohr.com/legal/privacy-policy" target="_blank">General Privacy Notice</a> and <a href="https://www.bamboohr.com/legal/california-privacy-notice" target="_blank">California Privacy Notice</a> for more details. See our <a href="https://www.bamboohr.com/about-bamboohr/careers/ai-guidelines-for-candidates" target="_blank">AI Guidelines for Candidates</a> for details on how BambooHR uses AI in recruiting, how we expect candidates to use AI, and what is not allowed. </div>