Security Risk and Compliance Analyst

Role Overview As a Security Risk and Compliance Analyst you will play a hands‑on role in maturing and operating Asana’s compliance and certification programme—specifically across controls maturity, policy governance, and audit execution. This role sits at the intersection of traditional GRC work and compliance engineering: you will help maintain our control frameworks and run our audit cycles, while also contributing to the automation initiatives that make our compliance programme scalable and repeatable. This is an excellent opportunity for someone with early‑career GRC experience who is excited to grow their technical skills and help shape how a high‑growth SaaS company approaches compliance automation. You will partner closely with Security Engineering, Legal, Privacy, and R&D to ensure our controls are effective, our evidence pipelines are reliable, and our certifications—SOC 2, ISO 27001, and FedRAMP—are maintained with rigour. This role is based in our San Francisco office with an office‑centric hybrid schedule. The standard in‑office days are Monday, Tuesday, and Thursday. Most Asanas have the option to work from home on Wednesdays. If you’re interviewing for this role, your recruiter will share more about the in‑office requirements. What You’ll Achieve Controls Maturity & Certifications Support the maintenance and continuous improvement of Asana’s control framework, tracking control effectiveness across SOC 2, ISO 27001, FedRAMP Moderate, and other applicable standards. Proactively engage with a wide range of teams—including Engineering, IT, and People—to work through controls maturity activities, close existing gaps, and drive remediation efforts to completion with clear documentation of progress. Build strong working relationships across the business so that control owners feel supported and accountability is shared, not siloed within the compliance team. Contribute to controls maturity scoring and reporting, providing ongoing visibility into programme health for senior leadership. Support external compliance audits end‑to‑end: coordinating evidence requests, liaising with auditors, and tracking findings through to closure. FedRAMP Continuous Monitoring Own the monthly FedRAMP ConMon package submission, ensuring it is accurate, complete, and delivered on time every month. Track and drive completion of all timebound FedRAMP requirements by working closely with Engineering, People, and other responsible teams. Maintain a clear calendar of FedRAMP deliverables and proactively flag risks to timelines, escalating where needed to ensure nothing slips. Serve as a day‑to‑day point of contact for FedRAMP‑related queries from internal teams, helping them understand their obligations and what good looks like. Evidence Collection & Automation Own evidence collection workflows within our GRC platform, ensuring controls are reliably mapped, evidence is current, and audit artefacts are ready year‑round. Where possible, identify opportunities to automate repetitive evidence‑gathering tasks—this is a nice‑to‑have rather than a core requirement, but curiosity and initiative here will be valued. Document evidence collection procedures so that processes are transparent, auditable, and maintainable by the broader team. About You 3+ years of experience in Governance, Risk, and Compliance (GRC), information security, or a closely related field—internships and co‑ops count. Foundational knowledge of security compliance frameworks such as SOC 2, ISO 27001, NIST CSF, or FedRAMP; you don’t need to be an expert in all of them. Comfortable engaging with a wide variety of teams—Engineering, People, IT, Legal—to explain compliance requirements, gather evidence, and build the relationships needed to close control gaps. Organised and deadline‑driven: you can manage multiple workstreams, track time‑sensitive obligations (like monthly FedRAMP submissions), and keep audit artefacts tidy without being reminded. A clear communicator who can translate compliance requirements into plain language for both technical and non‑technical stakeholders. Exposure to compliance automation or evidence collection tooling (GRC platforms, scripting, API integrations) is a plus, but not essential—curiosity and a willingness to grow technically matter more. Curious about how modern SaaS engineering works—comfortable asking questions and learning the technical context behind a control. What We’ll Offer Our comprehensive compensation package plays a big part in how we recognize you for the impact you have on our path to achieving our mission. We believe that compensation should be reflective of the value you create relative to the market value of your role. To ensure pay is fair and not impacted by biases, we’re committed to looking at market value, which is why we check ourselves and conduct a yearly pay equity audit. For this role, the estimated base salary range is between $130,000–$160,000. The actual base salary will vary based on various factors, including market and individual qualifications objectively assessed during the interview process. In addition to base salary, your compensation package may include equity and benefits. Speak with your Talent Acquisition Partner to learn more. Mental health, wellness & fitness benefits Career coaching & support Inclusive family building benefits Long‑term savings or retirement plans In‑office culinary options to cater to your dietary preferences Equal Employment Opportunity We provide equal employment opportunities to all applicants without regard to race, colour, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by law. We also comply with the San Francisco Fair Chance Ordinance and similar laws in other locations. #J-18808-Ljbffr Decisive Point