GRC Analyst (Remote - LATAM)

Posted 8 Hours Ago
10 Locations
Remote
Junior
Cloud • Mobile • Professional Services • Software • Consulting
We are a leading Microsoft Azure Gold Partner & Azure Expert MSP
The Role
Deliver day-to-day GRC services for Atmosera's Managed GRC offering: support compliance baselines, evidence gathering, audit readiness, security questionnaire responses, posture monitoring (Defender for Cloud, Azure Policy), penetration test coordination, Purview Compliance Manager administration, and MGRC reporting while working with client success and security teams.
Summary Generated by Built In
Atmosera empowers businesses to redefine what's possible with modern technology and human expertise. Our exceptional experience across Applications, Data & AI, DevOps, Security, and the Microsoft Azure platform enables organizations to accelerate innovation, enhance security, and optimize operational agility. As a Microsoft Partner with seven specializations, GitHub AI Partner of the Year, a member of the GitHub Advisory Board, and a member of the prestigious Microsoft Intelligent Security Association (MISA), Atmosera expertly delivers cutting-edge, integrated solutions that deliver business value.

The GRC Analyst delivers day-to-day Governance, Risk, and Compliance (GRC) services as part of Atmosera’s Managed GRC (MGRC) offering. This role focuses on operational execution, coordination, and reporting across compliance, security assurance, and governance activities to help clients achieve and maintain regulatory alignment, security maturity, and operational trust.
 
The selected candidate will be responsible for client audits, evidence gathering, managing compliance tools, supporting security questionnaires, monitoring security controls, facilitating regulatory alignment, and overseeing ongoing governance activities throughout the Atmosera client portfolio.
 
The GRC Analyst operates within defined service hours (Monday–Friday, 8am–5pm PT) and works closely with Client Success Managers, security engineers, and subject-matter experts. This role does not perform executive security leadership, risk ownership, or vCISO decision-making responsibilities.

Core Responsibilities

  • Cloud Governance & Compliance Operations
      • Validate that client environments meet MGRC baselines and support ongoing security policy alignment to:
          • Microsoft Cloud Security Benchmark (MCSB)
          • NIST frameworks (NIST SP 800-171, NIST SP 800-53, etc.)
          • HIPAA (where applicable)
          • FedRAMP
          • CMMC 3.0
          • ISO 27001-2022
          • GDPR
      • Assist with governance documentation updates and maintenance
      • Support compliance tracking and evidence organization
      • Provide consultative guidance on compliance and security-related questions by coordinating access to Atmosera cybersecurity experts
      • Monitor security posture through Defender for Cloud and Azure Policy compliance recommendations
      • Track misconfigurations, policy drifts, and high-impact findings for remediation
  • Security Questionnaires
      • Assist with basic security questionnaires using Atmosera’s standard response library
      • Provide standardized responses through coordination with the Account Management or Client Success team
      • Support optional full Security Questionnaire Management services when contracted, including:
          • Intake and tracking
          • Drafting and coordination of responses
          • Supporting documentation preparation
  • Audit & Assurance Support
      • Participate directly in client audits (SOC 2, HIPAA, PCI where applicable)
      • Support ongoing audit readiness and management activities when included in scope, including:
          • Evidence gathering and organization
          • Audit request tracking
          • Coordination with internal teams and external auditors
      • Ensure ongoing audit readiness for clients enrolled in MGRC that is consistent with MGRC service definitions in shared documentation
      • Maintain audit readiness documentation throughout the year
      • Maintain audit request trackers and coordinate responses with internal SMEs
      • Support project management activities related to compliance audits (e.g., SOC 2)
  • Security Operations Governance Support
      • Ensure proper documentation to support compliance with client governance requirements and client-specific requirements
      • Take ownership of monthly and quarterly MGRC reporting
      • Assist with the development and maintenance of custom response playbooks for:
          • Azure Sentinel SOAR (Security Orchestration, Automation, and Response)
      • Support governance oversight of:
          • CyberSOC reporting with enhanced security insights
          • Actionable threat intelligence reporting
          • Proactive threat hunting outputs
      • Ensure governance artifacts align with managed detection and response activities
  • Security Readiness & Preparedness Activities
      • Coordinate and support:
          • Monthly phishing simulation preparedness activities
          • Yearly tabletop exercise planning and execution support
          • Bi-annual penetration testing preparedness and coordination
      • Track outcomes, findings, and remediation activities for readiness exercises
  • Attack Surface & Security Posture Management
      • Support Attack Surface Management activities, including:
          • Continuous discovery and monitoring of exposed assets
          • Documentation of digital attack surface insights
      • Assist with security posture tracking and compliance reporting for:
          • Executives
          • Auditors
          • Internal stakeholders
  • Monthly Server Vulnerability Scanning
      • Design and implement workflows that improve the service
      • Track findings, prepare client-facing reports, and coordinate remediation with security engineers
  • Penetration Test Coordination
      • Serve as the primary coordinator for client penetration testing engagements
      • Manage scheduling, scope alignment, retesting cycles, evidence handoff, and the relationship with penetration testing teams
      • Maintain communication and set expectations with organizations being tested
  • Cloud Governance Support
      • Support Azure Policy implementation and monitoring using advanced governance features
      • Assist with ensuring Azure resources and configurations remain compliant with defined security baselines
      • Track and report service misconfigurations, compliance drift and remediation status
      • Monitor security posture through Defender for Cloud and Azure Policy compliance results
      • Validate that client environments meet MGRC baselines, Microsoft Cloud Security Benchmarks, and any additional client-specific compliance requirements supported by Azure

Collaboration & Service Delivery

  • Work closely with:
      • Client Success Managers
      • Security Analysts and Engineers
      • CyberSOC teams
      • Account Management representatives
  • Escalate issues, risks, or scope concerns to appropriate senior resources
  • Operate within defined MGRC service boundaries and SLAs

Purview Compliance Manager Administration

  • Own and manage Purview Compliance Manager for all subscribed MGRC clients.
  • Track regulatory control posture, improvement actions, and evidence assignments.
  • Guide clients through remediation and maintain year-round compliance readiness.
  • Partner with engineering teams on policy and control mappings (Azure Policy, Defender for Cloud) that support compliance scoring as discussed in internal service map documentation.

Required Skills & Experience

  • 2+ years of experience in GRC, IT risk, compliance, or security operations support
  • Hands-on experience with Microsoft Purview Compliance Manager, including control mapping, evidence tasks, and regulatory templates
  • Familiarity with Defender for Cloud, including secure score, recommendations, and compliance dashboards
  • Working experience with Azure Policy concepts, including assignments, compliance scanning, and configuring remediation tasks
  • Familiarity with:
      • NIST frameworks
      • SOC 2 concepts
      • CIS Controls
      • HIPAA compliance
  • Experience supporting audits, questionnaires, or compliance programs
  • Strong documentation, evidence collection, and organizational skills
  • Ability to manage multiple client workstreams simultaneously
  • Strong public speaking and presentation skills using Microsoft PowerPoint
  • SC-900 Microsoft Certified: Security, Compliance, and Identity Fundamentals – within 90 days of hire

Preferred Skills & Experience

  • Prior experience in a managed services or MSSP environment
  • Experience coordinating penetration tests or annual security testing cycles
  • Ability to translate technical findings into clear business-oriented summaries
  • Familiarity with Entra ID, Azure RBAC, Conditional Access, and cloud governance fundamentals
  • Comfort working with security engineering teams and client-facing roles
  • Certifications (any of the following):
      • SC-100 (Microsoft Certified: Cybersecurity Architect Expert)
      • ISC2 CISSP (Certified Information Systems Security Professional)
      • ISC2 CGRC (Certified Governance, Risk and Compliance)
      • GRCP (GRC Professional)
      • CRISC (Certified in Risk and Information Systems Control)
      • CISA (Certified Information Systems Auditor)
      • CISM (Certified Information Security Manager)

Success Indicators

    The analyst will be successful when they:
  • Maintain predictable, well-organized evidence pipelines for client audits
  • Keep Purview Compliance Manager workstreams accurate and up to date across all MGRC clients
  • Deliver clear and reliable monthly vulnerability and governance reports
  • Maintain consistent alignment to MGRC service definitions as structured by Jorge and reflected in the MGRC Analyst role materials
  • Reduce client audit friction and improve audit pass rates

Skills Required

  • 2+ years of experience in GRC, IT risk, compliance, or security operations support
  • Hands-on experience with Microsoft Purview Compliance Manager (control mapping, evidence tasks, regulatory templates)
  • Familiarity with Defender for Cloud (secure score, recommendations, compliance dashboards)
  • Working experience with Azure Policy (assignments, compliance scanning, configuring remediation tasks)
  • Familiarity with NIST frameworks (NIST SP 800-171, SP 800-53), SOC 2 concepts, CIS Controls, and HIPAA compliance
  • Experience supporting audits, questionnaires, or compliance programs (evidence gathering, audit request tracking)
  • Strong documentation, evidence collection, and organizational skills
  • Ability to manage multiple client workstreams simultaneously
  • Strong public speaking and presentation skills using Microsoft PowerPoint
  • SC-900 Microsoft Certified: Security, Compliance, and Identity Fundamentals - within 90 days of hire
  • Prior experience in managed services or MSSP environment
  • Experience coordinating penetration tests or annual security testing cycles
  • Familiarity with Entra ID, Azure RBAC, and Conditional Access
  • Certifications such as SC-100, CISSP, CGRC, GRCP, CRISC, CISA, or CISM
  • Ability to translate technical findings into clear business-oriented summaries
  • Comfort working with security engineering teams and client-facing roles

Atmosera Compensation & Benefits Highlights

The following summarizes recurring compensation and benefits themes identified from responses generated by popular LLMs to common candidate questions about Atmosera and has not been reviewed or approved by Atmosera.

  • Affordable Benefits: Employee premiums for medical, dental, and vision are advertised as fully covered, reducing out‑of‑pocket costs. Employer‑paid life and disability coverage are also referenced as part of the package.
  • Retirement Support: A 401(k) with a company match is consistently described as part of the offering. This provides a predictable savings component alongside cash compensation.
  • Leave & Time Off Breadth: Time off is presented as including PTO, paid holidays, and paid parental leave, with some roles citing flexible time‑off policies. Community service leave is also highlighted in perk lists.

The Company
HQ: Beaverton, OR
80 Employees
Year Founded: 1995

What We Do

Atmosera is a full lifecycle cloud technology transformation firm, offering Application and Data Professional services, Security & Compliance Management, Azure operations, and Technology Training. Our expertise across Applications, Data, and the Microsoft Azure platform allows us to accelerate innovation speed, increase operational agility, and vastly improve the return on investment in modern technology and human expertise.
