Security Compliance Analyst - GRC

Sunnyvale, California, United States

Do you like solving new problems? Have you worked on security compliance and cyber security standards, and streamlined the processes using GRC technology? We are looking for a GRC Analyst to leverage their experience and skills in our growing security & privacy compliance team. This is a unique opportunity to work in a collaborative environment and develop your career in the growing information security & privacy field.

Who we are
Since 2006, 23andMe’s mission has been to help people access, understand, and benefit from the human genome. We are a group of passionate individuals pushing the boundaries of what’s possible to help turn genetic insight into better health and personal understanding.

What you’ll do

  • Manage the Governance, Risk and Compliance (GRC) framework, tools, and related processes
  • Maintain demonstrable compliance with industry-based information security & control frameworks (NIST Cyber Security Framework, ISO 2700x, SOC1&2 (SSAE18), PCI DSS, SANS Top 20, etc.)
  • Own and perform Security risk assessments to determine if 23andMe's information assets are protected from internal and external threats; help ensure that our security controls are aligned with regulatory requirements
  • Conduct internal security audits to identify gaps; provide technical and business recommendations to process owners for remediating findings
  • Work cross-functionally with various 23andMe teams to design, implement, and test various security processes / controls
  • Work with the Security and Privacy team to identify technical security gaps as reported by internal and external customers.
  • Track the remediation of all security and privacy compliance issues
  • Respond to security questions from external audits, and from our partners/vendors

What you’ll bring

  • Bachelor's or Master's degree in computer science, information security, information systems, enterprise risk management or a related field, or commensurate experience
  • 2+ years of experience in Information Security and Risk Management
  • 2+ years of hands-on experience designing and configuring GRC suites of products such as ZenGRC, SureCloud, RSA Archer, MetricStream or similar technology
  • 2+ years of work experience in defining business and functional requirements and working with technology teams to support these requirements through automation using GRC software such as Archer, MetricStream or other GRC software
  • 2+ years of experience with industry-based information security & control frameworks (NIST Cyber Security Framework, ISO 2700x, SOC1&2 (SSAE18), PCI DSS, SANS Top 20, etc.)
  • Ability to successfully plan, organize and prioritize projects, work on multiple tasks simultaneously
  • Demonstrated success working independently in a fast-paced environment with changing priorities
  • Professional certification in Information Security or Risk Management (such as CISSP, CISM, CISA, CRISC, etc.) is a plus
  • Professional security assurance experience (Public accounting/ consulting background) is a plus

About Us
23andMe, Inc. is the leading consumer genetics and research company. Our mission is to help people access, understand and benefit from the human genome. The company was named by MIT Technology Review to its “50 Smartest Companies, 2017” list, and named one of Fast Company’s “25 Brands That Matter Now, 2017”. 23andMe has over 5 million customers worldwide, with ~85 percent of customers consented to participate in research. 23andMe is located in Sunnyvale, CA. More information is available at

At 23andMe, we value a diverse, inclusive workforce and we provide equal employment opportunity for all applicants and employees. All qualified applicants for employment will be considered without regard to an individual’s race, color, sex, gender identity, gender expression, religion, age, national origin or ancestry, citizenship, physical or mental disability, medical condition, family care status, marital status, domestic partner status, sexual orientation, genetic information, military or veteran status, or any other basis protected by federal, state or local laws.  If you are unable to submit your application because of incompatible assistive technology or a disability, please contact us at 23andMe will reasonably accommodate qualified individuals with disabilities to the extent required by applicable law.

Please note: 23andMe does not accept agency resumes and we are not responsible for any fees related to unsolicited resumes. Thank you.