GRC Analyst (Governance, Risk & Compliance)

Orlando, FL
Full Time
Mid Level

Overview
The GRC Analyst is responsible for the operational execution of OneRail's governance, risk, and compliance program. This role owns the day-to-day work that keeps OneRail's ISO 27001:2022 ISMS, SOC 2 Type II attestation, and regulatory compliance programs running — including risk register maintenance, vendor security assessments, policy management, evidence collection, corrective action tracking, and security awareness delivery.
The GRC Analyst works closely with the CISO and across every team in the organization to collect evidence, manage findings, and ensure that compliance obligations are met continuously — not just during audit windows. This is a highly cross-functional role that requires both strong process discipline and the ability to build trusted relationships with stakeholders in Engineering, HR, Legal, Finance, and Operations.

Responsibilities
RISK MANAGEMENT
  • Maintain the enterprise security risk register — score risks using NIST likelihood/impact methodology, assign owners, track mitigation status, and report monthly to the CISO.
  • Maintain dedicated AI Risk Log and Shadow IT Risk Log — identify, score, and document risks from unsanctioned AI tools and unapproved SaaS applications.
  • Support the CISO in drafting risk acceptance memos for policy exceptions or residual risks above threshold.
  • Assist in preparing the monthly SRC (Security & Risk Committee) security dashboard.

COMPLIANCE & AUDIT
  • Coordinate ISO 27001:2022 internal audit evidence collection across all Annex A control domains. Prepare documentation packages for CISO review and external auditor submission.
  • Own SOC 2 Type II evidence collection and management across all five Trust Services Criteria categories (Security, Availability, Confidentiality, Processing Integrity, Privacy).
  • Monitor regulatory compliance obligations under GDPR, HIPAA, and CCPA — track data processing activities, keep the Record of Processing Activities (ROPA) current, and flag new data flows for assessment.
  • Manage the Corrective Action Plan (CAP) tracker — track all open audit findings and nonconformities from identification to closure, validating remediation evidence before closure.

POLICY MANAGEMENT
  • Coordinate the annual information security policy review cycle — draft updates, route for stakeholder review, obtain CISO sign-off, and publish to the policy portal.
  • Manage the policy exception log — track all active exceptions with expiration dates, initiate renewal or closure reviews.
  • Administer the annual policy attestation program — ensure all employees read and attest to key policies (AUP, Data Classification, Password, Remote Work). Escalate non-completions to HR and department managers.

VENDOR & THIRD-PARTY RISK
  • Conduct pre-procurement vendor security assessments using the SIG Lite questionnaire. Score vendor posture, collect SOC 2 or ISO 27001 evidence, and document results.
  • Manage the annual vendor re-assessment cycle for Tier 1 and Tier 2 vendors.
  • Maintain the DPA (Data Processing Agreement) inventory — track execution status, review terms for GDPR/HIPAA/CCPA alignment, and flag expirations for renewal.
  • Maintain the vendor risk register and provide status reporting to the CISO.

SAAS APPLICATION REVIEW
  • Perform initial security assessment for new SaaS application requests — review SSO/SAML support, data residency, encryption practices, and SOC 2 attestation. Escalate to the Security Engineering Lead for complex assessments.
  • Maintain and publish the approved SaaS application catalog. Flag and document unapproved tools identified through browser telemetry, expense reports, or employee tickets.
  • Update the Shadow IT Risk Log with findings from shadow IT detection activities.

SECURITY AWARENESS
  • Own the annual security awareness training program — manage the training platform, track completion, send escalating reminders, and report completion rates to the CISO.
  • Coordinate quarterly phishing simulation campaigns with the Associate Security Analyst — analyze results, automatically enroll users who fail in targeted remediation training, and present trends to the SRC.
  • Deliver new hire security onboarding briefings on or before Day 1, covering AUP, data classification, incident reporting, phishing awareness, password/MFA policy, and BYOD requirements.

Qualifications
  • 3+ years of experience in GRC, information security compliance, or audit roles.
  • Working knowledge of ISO 27001, the SOC 2 Trust Services Criteria, GDPR, HIPAA, and CCPA.
  • Experience collecting and managing compliance evidence and coordinating with external auditors.
  • Strong organizational skills — ability to manage multiple concurrent workstreams with defined deadlines.
  • Excellent written communication — able to draft clear policies, risk memos, and compliance reports.
  • Comfortable working cross-functionally with Engineering, HR, Legal, and Finance stakeholders.

Preferred Qualifications (optional)
  • CGRC, CISA, CRISC, or equivalent GRC/compliance certification.
  • CIPT, CIPP/E, or CIPP/US for privacy compliance responsibilities.
  • Experience with GRC platforms (Drata, Vanta, Tugboat Logic) or policy management tools (GitBook, Confluence).
  • Familiarity with NIST RMF, NIST CSF, and SIG Lite vendor questionnaire framework.
  • Experience in a SaaS technology company or logistics/supply chain sector.

About OneRail

OneRail is a leading omnichannel fulfillment solution pairing best-in-class software with logistics as a service to provide dependability and speed to help businesses meet their delivery promise. With a real-time connected network of 12 million drivers, OneRail matches the right vehicle for the right delivery so brands lower expenses and increase capacity to rapidly scale their businesses. This people-plus-platform approach features a 24/7 USA-based exceptions team who maintain a 98% on-time delivery rate. By optimizing fulfillment processes, reducing costs and improving order accuracy with store-shelf-to-doorstep visibility, OneRail is committed to empowering clients and improving the customer experience.

OneRail was named to the Deloitte Technology Fast 500™ two years in a row, was ranked 19th in the 2025 FreightTech 25, named for the fifth year in a row to the FreightTech 100, was honored as one of Inc. magazine’s Best Workplaces 2023, was listed on Forbes’ lists of America’s Best Startup Employers for the last three years, was named to the Inc. 5000 two years in a row and was selected as the Last Mile Company of the Year for the 2024 SupplyTech Breakthrough Awards. To learn more about OneRail, visit OneRail.com.
