Job Summary

The GRC Analyst – Third Party Risk Management will focus on facilitating the review of third-party suppliers to ensure that third parties can adequately protect NetApp’s data and meet required disaster recovery expectations to guide the organization towards continuous compliance with ISO27001, DFARS/NIST 800-171, GDPR, and DORA framework guidelines. The analyst will work with the overall Security GRC team and internal business units to identify risks in third party relationships both at time of onboarding and throughout the relationship to support organizational objectives. The analyst will be responsible for all aspects of the third-party lifecycle, including internal risk assessments, evidence review, reporting, continuous monitoring, and incident response.

Duties and Responsibilities 

  • Ensures third parties are tracked and reviewed according to security standards within expected timelines 

  • Performs security reviews and identifies security gaps resulting in remediations for the organization

  • Engages with technical and business process owners to understand third party relationships and the services they will be providing to  

  • Reviews Master Service Agreements, End User Licensing Agreements and other contractual documents for appropriate security language as necessary 

  • Identifies security and continuity risks with third party relationships and escalates as appropriate to business and risk stakeholders 

  • Develops process documentation for completing third party reviews and assessments

  • Defines and delivers appropriate GRC metrics, analytics, and scorecards; creates monthly metric report

  • Identifies opportunities for process automation through the use of analytics

  • Interacts in both oral and written communications with all levels of technical and executive staff in matters related to third party security and continuity 

  • Works with Internal Audit and outside consultants as appropriate on required assessments and audits 

Minimum Qualifications

  • Bachelor's degree in business, accounting, finance, computer science, information systems, engineering, or a related field strongly preferred; equivalent combination of education and experience may be substituted in lieu of degree. 

  • At least two (2) years of GRC (governance, risk, compliance) experience with methodologies, activities, tools, and enablers in a technology related industry and five (5) – seven (7) years of experience in business process analysis, project methodology, or systems development life cycle through education or on-the-job experience, required. 

  • Ability to demonstrate a strong understanding of various compliance and regulatory areas (e.g., DORA, GDPR, DFARS/NIST 800-171, ISO27001) or the risk register, risk exposure, risk reporting and handling of risk events.

  • Excellent written and verbal communication skills. 

  • Strong analytical and problem-solving skills. 

  • Project management skills to plan, execute, and monitor initiatives.

  • The ability to work well with people from many different disciplines with varying degrees of technical experience. 

  • Ability to stay current with emerging threats and industry trends to improve the organization’s third party risk management posture

Preferred Qualifications

  • Information security related training or certifications such as CISA, CISSP, or CRISC  

  • Experience performing information security audits or risk assessments

  • Familiarity with Third Party Risk management processes

Equal Opportunity Employer:

NetApp is firmly committed to Equal Employment Opportunity (EEO) and to compliance with all laws that prohibit employment discrimination based on age, race, color, gender, sexual orientation, gender identity, national origin, religion, disability or genetic information, pregnancy, and any protected classification.

Did you know...

Statistics show women apply to jobs only when they're 100% qualified. But no one is 100% qualified. We encourage you to shift the trend and apply anyway! We look forward to hearing from you.

Why NetApp?

We are all about helping customers turn challenges into business opportunity. It starts with bringing new thinking to age-old problems, like how to use data most effectively to run better - but also to innovate. We tailor our approach to the customer's unique needs with a combination of fresh thinking and proven approaches.

We enable a healthy work-life balance. Our volunteer time off program is best in class, offering employees 40 hours of paid time off each year to volunteer with their favourite organizations. We provide comprehensive benefits, including health care, life and accident plans, emotional support resources for you and your family, legal services, and financial savings programs to help you plan for your future. We support professional and personal growth through educational assistance and provide access to various discounts and perks to enhance your overall quality of life.

If you want to help us build knowledge and solve big problems, let's talk.


Is a Remote Job?
No
