Sr. Governance, Risk and Compliance Analyst

OpenGov
India | Pune
Posted 27 March 2026

Job Description

OpenGov is the leader in AI and ERP solutions for local and state governments in the U.S. More than 2,000 cities, counties, state agencies, school districts, and special districts rely on the OpenGov Public Service Platform to operate efficiently, adapt to change, and strengthen the public trust. Category-leading products include enterprise asset management, procurement and contract management, accounting and budgeting, billing and revenue management, permitting and licensing, and transparency and open data. These solutions come together in the OpenGov ERP, allowing public sector organizations to focus on priorities and deliver maximum ROI with every dollar and decision in sync. Learn about OpenGov’s mission to power more effective and accountable government and the vision of high-performance government for every community at http://OpenGov.com.

JOB SUMMARY:

Own and mature OpenGov’s core GRC programs across audit/compliance, risk, vendor security, and security awareness. Lead end-to-end SOC 2 audit cycles, drive multi-framework control mapping (SOC 2, NIST 800-53/CSF, ISO 27001; StateRAMP/TX-RAMP/FedRAMP exposure strongly preferred), and partner with Security Operations, IT, Engineering, Legal, and Customer teams to reduce risk and maintain certifications. Mentor junior analysts and raise the bar on control quality, evidence automation, and measurable outcomes.

RESPONSIBILITIES:

- Lead planning, scoping, walkthroughs, sampling, and issue closure for SOC 2; coordinate external auditors and internal control owners; drive on-time, predictable delivery.
- Design/upgrade controls for SaaS/cloud environments; define test plans, perform operating effectiveness tests, and implement continuous control monitoring; close gaps with accountable owners.
- Multi-Framework Mapping: Maintain crosswalks (SOC 2 ↔ NIST 800-53/CSF ↔ ISO 27001; align where applicable with GovRAMP/TX-RAMP/FedRAMP).
- Run risk assessments (inherent/residual scoring, KRIs), keep the risk register current, and drive mitigation plans with deadlines and measurable impact.
- Own third-party risk, including: vendor tiering, questionnaires/attestations, evidence reviews, findings tracking, and contractual security addenda in partnership with Legal & Procurement.
- Enable customer trust by authoring authoritative, reusable security responses; support customer calls and security reviews for strategic deals and renewals.
- Shape regular security awareness plan, metrics, and content (including phishing/targeted training with SecOps/IT); measure and improve behavior change, not just completion.
- Own the GRC platform tooling and evidence workflows; integrate with ticketing/doc systems (e.g., Jira/Confluence categories) to reduce manual effort and improve traceability.
- Ensure incidents and vuln findings translate into tracked corrective actions with evidence (post-incident reviews, pen-test/scan follow-through).
- Publish clear metrics and reporting, including KPIs/KRIs (control health, audit readiness, vendor status, risk posture) for leadership; call issues early and escalate when needed.
- Coach junior analysts; tighten templates, SOPs, and documentation so the program scales.

REQUIREMENTS AND PREFERRED EXPERIENCE:

- Experience: 5–8+ years in GRC, IT audit, or security compliance with hands-on SOC 2 Type II ownership; ISO 27001 audit/implementation experience preferred; public-sector programs (StateRAMP/TX-RAMP/FedRAMP) highly valued.
- Strong grasp of identity/SSO/MFA, endpoint/EDR, logging/SIEM, vulnerability mgmt, CI/CD & SDLC controls, network and data protection; able to translate tech stacks into defensible controls and evidence.
- Proven ability to run multi-team programs to deadlines, manage auditors and exec stakeholders, and close gaps decisively.
- Demonstrated ownership of end-to-end third-party risk workflows (tiering, due diligence, findings/SLAs, contract language inputs).
- Comfortab ... (truncated, view full listing at source)