GRC Analyst II

Please Note: This is a Utah-based hybrid position which will require some regular in-office days each week. Additionally, employment with BambooHR is contingent on passing both a background and credit check. 

Essential Job Duties

You will:

• Collaborate with internal stakeholder teams (e.g., Engineering, IT, Product, Legal, HR) to document the implementation of security compliance controls across technical, management, and operational requirements.
• Support and perform gap analyses of current policies, procedures, and practices against established guidelines and frameworks, including NIST, FISMA, HIPAA, and other applicable regulatory standards.
• Assist with and conduct risk assessments of technology infrastructure, business processes, and security controls for assigned areas, documenting findings and recommended remediation steps.
• Embrace AI as a core tool to enhance GRC accuracy, efficiency, and proactive risk management, while following internal standards for responsible AI use.
• Use AI-powered platforms, under guidance from senior team members, for continuous controls monitoring, predictive risk analysis, and identification of potential compliance gaps.
• Improve team efficiency in evidence collection, organization, and analysis - leveraging AI and automation where appropriate - so the GRC function can focus more time on higher-value risk and compliance activities. Contribute to the build-out, maintenance, and ongoing refinement of the enterprise controls matrix, ensuring alignment and mapping across multiple compliance frameworks (e.g., SOC 1, SOC 2, PCI DSS, NIST CSF, ISO 27001, ISO 27018, ISO 42001, HITRUST, HIPAA).
• Assist in developing, updating, and maintaining security and compliance documentation, which may include the key documents required by the above standards.
• Support the delivery, tracking, and ongoing improvement of information security training and awareness programs for employees and contractors.
• Perform vendor security and risk assessments for new and existing vendors, document results, and occasionally interface directly with vendor contacts to clarify responses or request additional information.
• Assist with tracking and coordinating activities related to threat and vulnerability management, including monitoring assessment results, following up on remediation efforts, and helping to ensure that vulnerabilities are addressed within defined timeframes.

What You Need to Get the Job Done

• Bachelor's degree in Computer Science, Information Technology, or related field
• Minimum of 2 years of experience in compliance, audit, and/or information security
• CISSP, CISA, CCSA, or equivalent certification preferred
• Familiarity with enterprise-level compliance tools such as Drata, Vanta, ServiceNow, Archer, IBM GRC or other industry equivalent software
• Foundational understanding and eagerness to learn NIST CSF, NIST RMF, ISO 27001, ISO 27018, ISO 42001, SOC 1, SOC 2, HIPAA and HITRUST
• Basic understanding of cloud based environments for production applications, including Amazon Web Services, Google Cloud, or other large-scale cloud deployments
• Experience in the vulnerability assessment lifecycle from the point of identification to remediation
• Interpersonal skills to work as a team member and as a liaison
• Excellent verbal communication, presentation, organizational and planning skills, and great attitude and ability to learn new things quickly
• Bachelor’s degree in Computer Science, Information Systems or related field.

What Will Make Us REALLY Love You 

• Prior information security experience helpful

What You'll Love About Us

• A Great Company Culture that has been recognized by multiple organizations like Inc, and Salt Lake Tribune
• Comprehensive health, life, and disability insurance 
• Generous leave policies that include 4 weeks of vacation, 12 company holidays, parental leave, and volunteer time off so you can enjoy quality of life
• 401k plans with up to 6% company match
• $2000 Paid-Paid Vacation bonus
• EAP through Headspace
• Check out all our benefits that benefit you 

About Us

At BambooHR, we're building something different: we're building a people intelligence platform that transforms HR and sets people free to do great work! We're a proven market leader driving innovation while building lasting success through thoughtful, sustainable growth. Here, you'll find a place that champions growth: both professional and personal, both individual and collective. 

We invest in potential, giving you the space to stretch your capabilities and turn good ideas into reality while providing the safety net of a supportive, values-driven culture. Our approach combines meaningful work with meaningful lives, offering competitive benefits, professional development, and the flexibility to thrive both in and outside the office. 

What sets us apart isn't just what we do, but how we do it: with openness, integrity, and a shared commitment to doing the right thing. Join us in creating HR software that makes work better for everyone, while we make work better for you.

BambooHR is committed to the full inclusion of all qualified individuals and will ensure that persons with disabilities are provided reasonable accommodations throughout the hiring process.  If you would like to request accommodations, please let your recruiter know.

BambooHR is An Equal Opportunity Employer--M/F/D/V
Because our team members are trusted to handle sensitive information, we require all candidates that receive and accept employment offers to complete a background check before being hired.

For information on California Privacy Policy, click here.

Our process utilizes AI as an assistant to efficiently process and analyze candidate data. Recruiters and hiring managers maintain full oversight and accountability, ensuring that all final selection and rejection decisions are human-made and based solely on objective job qualifications. Please see our General Privacy Notice and California Privacy Notice for more details.

See our AI Guidelines for Candidates for details on how BambooHR uses AI in recruiting, how we expect candidates to use AI, and what is not allowed.