GRC Analyst – Enterprise & Third Party Risk

Caris Life Sciences
4 months ago
Remote friendly (Irving, TX)
United States
Corporate Functions
Position Summary
Working as part of the Information Security Team, the GRC Analyst – Enterprise & Third Party Risk will support and lead internal risk assessments, exception reviews, and third-party risk management activities.

Responsibilities
- Conduct internal risk assessments across business units, systems, applications, and processes.
- Develop and maintain the internal risk register; facilitate periodic risk reviews.
- Create dashboards, reports, and metrics for risk status, trends, and program effectiveness.
- Evaluate risk exception requests; perform risk-based analysis; ensure documentation, approval, and tracking.
- Lead/support third-party risk management: vendor due diligence, risk assessments, contract reviews, and ongoing monitoring.
- Partner with procurement, legal, and business stakeholders to embed security/risk requirements into vendor lifecycle processes.
- Define and maintain IT/organizational security, risk, and compliance policies/standards/procedures.
- Support internal/external audits (e.g., HIPAA, SOX, GDPR) and address findings.
- Assess internal controls with IT/business teams and drive remediation.
- Perform periodic gap assessments to support ongoing compliance.
- Stay current on regulatory requirements and industry best practices for risk and cybersecurity.
- Assist with security awareness training related to risk, vendor management, and compliance.
- Support business continuity, disaster recovery, and incident response processes from a risk perspective.

Required Qualifications
- Bachelor’s degree in Information Security, Risk Management, or related field (or equivalent experience).
- Minimum 4 years in Information Security Risk Management, Third-Party Risk, or GRC.
- Strong understanding of control assessments, exception management, and third-party/vendor risk practices.
- Familiarity with compliance standards such as HIPAA, SOX, and GDPR.
- Knowledge of NIST CSF, ISO 27001, and CIS Controls.
- Excellent communication; translate technical risks into business impacts.
- Strong analytical/problem-solving skills; interpret risk data to support decisions.
- Ability to manage multiple assessments/projects in a fast-paced environment.
- Experience writing policies/standards/procedures/risk documentation.
- Working knowledge of data protection (data classification, encryption, access management, secure handling).
- Proficiency in Microsoft Excel, PowerPoint, and risk reporting tools.
- Ability to work independently with minimal supervision and high attention to detail.

Preferred Qualifications
- CISA, CRISC, or CISSP certification.
- Experience with GRC/IRM platforms (e.g., Compyl, AuditBoard, RSA Archer, LogicGate).
- Experience with SOC 2, PCI-DSS, HITRUST, or other frameworks.
- Healthcare/life sciences industry experience.
- Cloud security experience, including assessing AWS, Azure, or GCP providers and the workloads hosted on them.
- BIA and business continuity/disaster recovery experience.
- Incident response involvement and post-incident risk evaluation.
- Understanding of security/privacy/liability/service-level contract language.
- Familiarity with quantitative risk analysis (e.g., FAIR).
- Experience during rapid growth/security transformation/compliance maturity improvements.

Other
- Periodic travel and availability during evenings, weekends, or holidays as needed.

Conditions of Employment
- Pre-employment process including criminal background check, drug screening, credit check (for certain positions), and reference verification.