Cybersecurity GRC Analyst (Dayshift - Hybrid in MOA)

The Cybersecurity GRC Analyst supports the development and execution of governance, risk, and compliance (GRC) activities to protect sensitive health, payment, and personal data of children, families, and staff. This role ensures adherence to industry security standards (PCI DSS, NIST Cybersecurity Framework (CSF), and ISO 27001) while maintaining a practical, risk-based approach suitable for the childcare sector’s unique operational and regulatory landscape.

Key Responsibilities

• Governance & Policy Management
• o Develop, review, and maintain cybersecurity policies, standards, and procedures.
• o Ensure alignment with industry frameworks (e.g., NIST CSF 2.0, ISO 27001, CIS Controls, etc.).
• Risk Management
• o Conduct risk assessments and control evaluations across systems, applications, and processes.
• o Maintain and update the risk register, track mitigation plans, and report on risk posture.
• o Track and report security exceptions, findings, and remediation activities.
• Compliance & Audit
• o Support internal and external audits, including evidence collection and remediation tracking.
• o Monitor compliance with regulatory requirements (e.g., PCI-DSS, Privacy Act, etc.).
• o Assist in third-party risk assessments and vendor due diligence.
• Security Awareness & Training
• o Contribute to the development and delivery of cybersecurity awareness programs.
• o Promote a culture of security and compliance across the organisation.
• Reporting & Metrics
• o Prepare regular reports and dashboards on GRC activities, risk trends, and compliance status.
• o Monitor and report on cybersecurity metrics, control effectiveness, and regulatory compliance.
• Incident Response
• o Assist in incident response and post-incident reviews from a compliance and governance perspective.
  

Qualifications & Experience

• Bachelor’s degree in Cybersecurity, Information Technology, or a related field.
• 2-5 years of experience in cybersecurity governance, risk management, or compliance.
• Familiarity with GRC tools (e.g., OneTrust, Vanta, Drata, etc.).
• Understanding of regulatory and industry standards (e.g., ISO 27001, NIST CSF, SOC 2).
• Strong analytical, communication, and documentation skills.
• Certifications such as CISA, CRISC, or ISO 27001 Lead Implementer/Lead Auditor are a plus.
  
  

Technical Skills

• Strong working knowledge of Cybersecurity/Information Security Frameworks such as NIST CSF, ISO27001, etc.
• Understanding of risk assessment methodologies and cybersecurity principles.
• Familiarity with SIEM, DLP, IAM, vulnerability management tools, and endpoint protection platforms.
• Competence in using Excel, Power BI, or similar tools to analyse data and generate dashboards and reports.
• Familiarity with using ticketing systems such as JIRA.
• Ability to support internal and external audits, perform control testing, and monitor compliance metrics.
• Understanding of Privacy Frameworks such as the (Australian) Privacy Act 1988, (Victorian) Privacy and Data Protection Act 2014, GDPR, etc. is desirable.