Santiago, Dominican Republic
5 days ago
Sr Security Analyst – GRC (Compliance & Training)
JOB TITLE: Sr Security Analyst – GRC (Compliance & Training)
LOCATION: Santiago - Remote

GENERAL DESCRIPTION OR PURPOSE OF JOB:

The Senior Security Analyst – GRC (Compliance & Training) is primarily responsible for helping ensure our organization adheres to the Jostens Information Security Program. Key activities include helping develop and document processes and controls that meet our Information Security Policies and Standards, the Payment Card Industry Data Security Standard (PCI DSS), Jostens SOX ITGCs, and other control requirements. This individual will also maintain the Jostens Security Awareness Training program. The ideal candidate is a detail-oriented professional with a strong background in IT compliance, risk management, and internal controls.

This role will collaborate across teams to collect and assess evidence to satisfy security requirements. The individual must be a motivated team player with a positive attitude and solid interpersonal skills who can quickly take ownership within their area. The individual must be hands-on, work under minimal supervision, and be able to work in a fast-paced environment.

RESPONSIBILITIES / ESSENTIAL FUNCTIONS:

Compliance Operations:
Jostens Information Security Program: Help develop, review, and update information security policies and standards.
Audit/Assessments: Facilitate audits and assessments of IT programs and individual components to determine compliance with Jostens policy and standards and published frameworks (e.g., SOX, ISO27000, PCI, etc.). Communicate and coordinate with internal and external stakeholders.
GRC Platform: Use the Jostens GRC platform (ZenGRC) to automate GRC processes, collect evidence, manage risks, track compliance, and generate reports. Manage the GRC platform.

Security Awareness Training:
Develop and deliver the Jostens Security Awareness Training program to employees at all levels to foster a strong compliance and risk-aware culture.
Create communications to effectively disseminate security information.
Evaluate training on a yearly basis to adjust for current trends.
Assist other units (e.g., Human Resources) with providing other required training across the enterprise.
Manage the training platform (KnowBe4).

While the primary role is Compliance and Training, the candidate will be asked to cross-train and back up other GRC activities.

Additional Duties and Responsibilities:
Risk Assessment: Assess risk, and coordinate, document, and validate evidence to meet Jostens cybersecurity and risk requirements. Ensure appropriate treatment of risk.
Audit/Assessments: Facilitate audits and assessments of IT programs and individual components to determine compliance with published standards (e.g., AICPA SOC 2, etc.).
Vendor Management: Assist in Third-Party Risk Management as needed.
Metrics: Regularly report security metrics, proposing improvements as needed.
Privacy: Coordinate with legal and IT teams on privacy requests.
Incident Response: Ensure proper documentation and post-incident analysis.

REQUIRED:

Education:
Bachelor's degree in Business or Accounting, Information Security, Information Management Systems, Cybersecurity, or another applicable area, or related work experience.

Experience:
Minimum 5 years in IT, Information Security, IT Audit, or a related role.
Hands-on experience in a compliance role.
Experience with GRC / third-party management tools (e.g., Archer, OneTrust, ZenGRC, etc.).
Strong working knowledge of compliance frameworks, including the SOC 2 Trust Services Criteria.
Understanding of training methodology and requirements.

Professional Skills:
Excellent analytical and problem-solving skills.
Strong written and verbal communication skills.
Ability to collaborate with cross-functional teams and external partners.
Attention to detail, with experience prioritizing and managing multiple projects with competing priorities.
Strong influencing, problem-solving, and decision-making skills.

CERTIFICATIONS (Preferred but Not Required):
A certification applicable to a role in Information Security Governance, Risk and Compliance (e.g., CISSP, CISA, CISM, CRISC, CRMA) is preferred.