Core Responsibilities
- Validate that client environments meet MGRC baselines and support ongoing security policy alignment to:
- Microsoft Cloud Security Benchmark (MCSB)
- NIST frameworks (NIST SP 800-171, NIST SP 800-53, etc.)
- HIPAA (where applicable)
- FedRAMP
- CMMC 3.0
- ISO 27001-2022
- GDPR
- Assist with governance documentation updates and maintenance
- Support compliance tracking and evidence organization
- Provide consultative guidance on compliance and security-related questions by coordinating access to Atmosera cybersecurity experts
- Monitor security posture through Defender for Cloud and Azure Policy compliance recommendations
- Track misconfigurations, policy drifts, and high impact findings for remediation.
- Assist with basic security questionnaires using Atmosera’s standard response library
- Provide standardized responses through coordination with the Account Management or Client Success team
- Support optional full Security Questionnaire Management services when contracted, including:
- Intake and tracking
- Drafting and coordination of responses
- Supporting documentation preparation
- Participate directly in client audits (SOC 2, HIPAA, PCI where applicable)
- Support ongoing audit readiness and management activities when included in scope, including:
- Evidence gathering and organization
- Audit request tracking
- Coordination with internal teams and external auditors
- Ensure ongoing audit readiness for clients enrolled in MGRC that is consistent with MGRC service definitions in shared documentation
- Maintain audit readiness documentation throughout the year
- Maintain audit request trackers and coordinate responses with internal SMEs.
- Support project management activities related to compliance audits (e.g., SOC 2)
- Ensure proper documentation to support compliance with client governance requirements and client specific requirements
- Take ownership of monthly and quarterly MGRC reporting
- Assist with the development and maintenance of custom response playbooks for:
- Azure Sentinel SOAR (Security Orchestration, Automation, and Response)
- Support governance oversight of:
- CyberSOC reporting with enhanced security insights
- Actionable threat intelligence reporting
- Proactive threat hunting outputs
- Ensure governance artifacts align with managed detection and response activities
- Coordinate and support:
- Monthly phishing simulation preparedness activities
- Yearly tabletop exercise planning and execution support
- Bi-annual penetration testing preparedness and coordination
- Track outcomes, findings, and remediation activities for readiness exercises
- Support Attack Surface Management activities, including:
- Continuous discovery and monitoring of exposed assets
- Documentation of digital attack surface insights
- Assist with security posture tracking and compliance reporting for:
- Executives
- Auditors
- Internal stakeholders
- Monthly Server vulnerability Scanning
- Design and implement workflows that improve the service
- Track findings, prepare client-facing reports, and coordinate remediation with security engineers
- Penetration Test Coordination
- Serve as the primary coordinator for client penetration testing engagements
- Manage scheduling, scope alignment, retesting cycles, evidence handoff and management of the relationship with penetration testing teams.
- Maintain communication and set expectations with organizations being tested
- Support Azure Policy implementation and monitoring using advanced governance features
- Assist with ensuring Azure resources and configurations remain compliant with defined security baselines
- Track and report service misconfigurations, compliance drift and remediation status
- Monitor security posture through Defender for Cloud and Azure Policy compliance results
- Validate that client environments meet MGRC baselines. Microsoft Cloud Security Benchmarks, and any additional client-specific compliance requirements supported by Azure
Collaboration & Service Delivery
- Client Success Managers
- Security Analysts and Engineers
- CyberSOC teams
- Account Management representatives
- Escalate issues, risks, or scope concerns to appropriate senior resources
- Operate within defined MGRC service boundaries and SLAs
Purview Compliance Manager Administration
- Own and manage Purview Compliance Manager for all subscribed MGRC clients.
- Track regulatory control posture, improvement actions, and evidence assignments.
- Guide clients through remediation and maintain year-round compliance readiness.
- Partner with engineering teams on policy and control mappings (Azure Policy, Defender for Cloud) that support compliance scoring as discussed in internal service map documentation.
Required Skills & Experience
- 2+ years of experience in GRC, IT risk, compliance, or security operations support
- Hands-on experience with Microsoft Purview Compliance Manager, including control mapping, evidence tasks, and regulatory templates
- Familiarity with Defender for Cloud, including secure score, recommendations, and compliance dashboards
- Working experience with Azure Policy concepts including assignments, compliance scanning and configuring and remediation tasks
- NIST frameworks
- SOC 2 concepts
- CIS Controls
- HIPAA compliance
- Experience supporting audits, questionnaires, or compliance programs
- Strong documentation, evidence collection, and organizational skills
- Ability to manage multiple client workstreams simultaneously
- Strong public speaking and presentation skills using Microsoft PowerPoint
- SC-900 Microsoft Certified: Security, Compliance, and Identity Fundamentals – within 90 days of hire
Preferred Skills & Experience
- Prior experience in managed services or MSSP environment
- Experience coordinating penetration tests or annual security testing cycles
- Ability to translate technical findings into clear business-oriented summaries
- Familiarity with Entra ID, Azure RBAC, Conditional Access, and cloud governance fundamentals
- Comfort working with security engineering teams and client facing roles
- Certifications (any of the following)
- SC-100 (Microsoft Certified: Cybersecurity Architect Expert)
- ISC2 CISSP (Certified Information Systems Security Professional)
- ISC2 CGRC – (Certified Governance, Risk and Compliance)
- GRCP (GRC Professional)
- CRISC (Certified in Risk and Information Systems Control)
- CISA (Certified Information Systems Auditor)
- CISM (Certified Information Security Manager)
Success Indicators
- Maintain predictable, well organized evidence pipelines for client audits
- Keep Purview Compliance Manager workstreams accurate and up to date across all MGRC clients
- Deliver clear and reliable monthly vulnerability and governance reports
- Maintain consistent alignment to MGRC service definitions as structured by Jorge and reflected in the MGRC Analyst role materials
- Reduce client audit friction and improve audit pass rates