Information Security Governance Risk and Compliance Analyst

Job Title:

Number of Positions:

Location:

Location Specifics:

Job Summary:

At Delta Dental of Michigan, Ohio, and Indiana we work to improve oral health through benefit plans, advocacy and community support, and we amplify this mission by investing in initiatives that build healthy, smart, vibrant communities. We are one of the largest dental plan administrators in the country, and are part of the Delta Dental Plans Association, which operates two of the largest dental networks in the nation.

At Delta Dental, we celebrate our All In culture. It’s a mindset, feeling and attitude we wrap around all that we do – from taking charge of our careers, to helping colleagues and lending a hand in the community.

Position Description

Facilitates the timely completion of internal and external systems audits and assessments on behalf of Delta Dental of Michigan and its affiliates. This position will also help with the daily GRC operations.

Primary Job Responsibilities:

• Partner across ISS teams, departments, and affiliates to interpret technical requirements and map compliance requirements to control implementation, and maintains an understanding across our products of all current and emerging technologies, open system standards, and management technologies as they relate to the support of our business needs.

• Evaluates vendor architectures, data flows, control evidence (SOC reports, pen tests, SIG), and confirming risk treatment for vendor access to sensitive data to support TPRM.

• Drives the completion of third-party audits and helps enable company compliance with customer technical requirements, industry standards, and regulatory requirements. Examples include SOC, HITRUST, HIPAA, CMMC, FedRAMP, GovRAMP, NIST, and PCI.

• Assist with customer and regulatory risk assessments, audits, attestations, and other security information requests. 

• Partner closely on security operations tasks with cross-functional teammates in IT, DevOps, Engineering, and Test.

• Facilitate technical, operational, and regulatory outcomes across our client portfolio, including continuous monitoring and compliance audits.

• Monitor and analyze security risks and metrics to identify trends, correlations, and variances and recommends improvements as needed.

• Administers the enterprise GRC platform, including control libraries, evidence workflows, and reporting.

• Maintains executive-level reports that provide visibility into key cybersecurity metrics and KPIs.

• Facilitates automation for compliance controls, evidence collection, and compliance artifact generation using Sharepoint and Power Automate.

• Documents gaps in POA&Ms with root cause, technical remediation steps, measurable milestones, and validation criteria; tracks remediation to closure and re-test control effectiveness.

• Analyzes data flow diagrams (DFDs), network diagrams, and solution architectures to confirm trust boundaries, data classifications, encryption paths, and control placement across system components.

Perform other related assigned duties as necessary to complete the Primary Job Responsibilities as described above.

#LI-Hybrid

Minimum Requirements:

Position requires a bachelor’s degree in information technology or related field and three years’ experience in information technology with compliance and security standards and frameworks, including: GDPR, HIPAA, PCI DSS, CIS Benchmarks and NIST frameworks. CCSP, CISSP, CISA, GCSA, GCPN, GPEN, or similar certifications are preferred. Will accept any suitable combination of education, training, and experience.

Position requires demonstrated technical experience implementing and assessing information security and privacy controls aligned with GDPR, HIPAA, PCI DSS, CIS Benchmarks, and NIST frameworks (e.g., NIST SP 800‑53, 800‑171);hands‑on experience in one or more enterprise IT domains, including operating systems, cloud and virtualized platforms, network security, identity and access management, logging and monitoring, or vulnerability management; knowledge of information security principles and practices, GRC solutions, intrusion detection systems, installation, configuration, monitoring and response to security systems, advanced security protocols and standards, software and security architectures, risk management, control techniques and frameworks, planning and project management, regulations, and laws; ability to lead teams; ability to collect and analyze complex data; use data extraction and analysis tools; ability to use active listening skills; and effective verbal and written communication

The company will provide equal employment and advancement opportunity within the context of its unique business environment without regard to race, color, religion, gender, gender identity, gender expression, age, national origin, familial status, citizenship, genetic information, disability, sex, sexual orientation, marital status, pregnancy, height, weight, military status, or any other status protected under federal, state, or local law or ordinance.