Information Security Governance, Risk, Compliance (GRC) Supervisor

Information Security Governance, Risk, Compliance (GRC) Supervisor Job Category: Management Requisition Number: INFOR022545 Posted: May 27, 2026 Full-Time Locations ARUP Main 500 Chipeta Way Salt Lake City, UT 84108 1221, USA Schedule: Monday - Friday (40 hrs/wk) 8:00 AM - 5:00 PM Department: IT General - 210 Primary Purpose The Information Security Governance, Risk, and Compliance (GRC) Supervisor at ARUP provides leadership and direction for the Information Security GRC program, ensuring alignment with ARUP security policies, healthcare regulatory requirements, and the NIST Risk Management Framework. This role serves as a critical bridge between information security, technology teams, and business owners—translating regulatory and technical security requirements into practical, actionable guidance. The Information Security GRC Supervisor is responsible for educating, training, and transitioning ARUP Business Owners and System Owners to operate in compliance with NIST security standards and ARUP security policies. This role leads risk assessments, compliance activities, audits, and governance processes while delivering clear visibility into ARUP’s risk posture through metrics and executive reporting concerning information security. In addition to technical and regulatory oversight, the Information Security GRC Supervisor leads and mentors a team of compliance professionals, drives continuous improvement of governance processes, and partners across the organization to embed risk management and security accountability into daily operations—supporting ARUP’s mission to protect clinical, laboratory, and enterprise systems. Essential Functions Leads the development, implementation, and continual improvement of ARUP’s Information Security Governance, Risk Management, and Compliance (GRC) program, ensuring alignment with ARUP security policies, institutional objectives, and the NIST Risk Management Framework (RMF). Serves as a primary educator and change agent for the organization, responsible for teaching, training, and transitioning ARUP Business Owners, System Owners, and technical teams to operate in compliance with NIST security frameworks and ARUP security policies. Designs and delivers structured training, workshops, and guidance to help business and system owners understand their security responsibilities, risk ownership, control implementation requirements, and ongoing compliance obligations under NIST SP 800-53. Conducts and oversees system-level risk assessments, translating technical and regulatory requirements into clear, actionable guidance for business stakeholders. Leads the development, review, and maintenance of security policies, standards, and procedures, ensuring alignment with ARUP policy, HIPAA, CAP, SOC 2, GDPR, ISO standards, and NIST RMF requirements. Leads internal audits, compliance reviews, and external audit preparation, including coordination with auditors and facilitation of evidence collection, remediation planning, and executive reporting. Delivers compliance and governance services to business and system owners, supporting full lifecycle alignment with NIST SP 800-53 controls, enterprise risk governance frameworks, and ARUP security policy requirements. Collaborates with cross-functional teams (IT, Infrastructure, Applications, and Operations) to integrate risk management and compliance practices into organizational processes, including Configuration Management, Change Management, and Change Approval Board (CAB). Maintains System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), Security Assessment Reports (SARs), Risk Assessment Reports (RARs), and other required cybersecurity documentation. Identifies gaps in security controls, recommends risk-based improvements, and oversees the implementation and tracking of corrective actions to closure. Supports system authorization and accreditation activities, ensuring operational environments meet defined security requirements and governance expectations. Develops and maintains compliance dashboards, risk metrics, and executive-level reporting to communicate risk posture, compliance status, and trends to leadership concerning information security. Builds and sustains strong working relationships with System Owners, Authorizing Officials, System Administrators, and business leaders to promote shared accountability for information security risk management. Leads and mentors a team of information security GRC analysts and cybersecurity professionals, providing clear direction, coaching, and performance oversight. Leads a Vulnerability Management Team responsible for ARUP’s Vulnerability Management Program. Works under moderate supervision, exercising independent judgment in governance, risk, and compliance decision-making, and may mentor junior team members. Supports 24-hour operational requirements as needed, including time-sensitive risk assessments, audits, or incident-related governance activities. Physical and Other Requirements Stooping: Bending body downward and forward by bending spine at the waist. Reaching: Extending hand(s) and arm(s) in any direction. Mobility: The person in this position needs to occasionally move between work sites and inside the office to access file cabinets, office machinery, etc. Communication: The person in this position will work in a highly collaborative environment which requires frequent, clear, and professional communication with others. PPE: Biohazard laboratory environment that requires use of personal protective equipment in accordance with CDC and OSHA regulations and company policies. ARUP Policies and Procedures: To conduct self in compliance with all ARUP Policies and Procedures. Sedentary Work: Exerting up to 10 pounds of force occasionally and/or negligible amount of force frequently or constantly to lift, carry, push, pull or otherwise move objects. Fine Motor Control: Picking, pinching, typing or otherwise working on computer equipment. Vision: Having close, far, and peripheral visual acuity to perform a variety of tasks such as making general observations of depth and distance. Education Required: Bachelor's Degree or better in Computer Science or related field. Experience Required Bachelor's degree in IT, computer science, information security, cybersecurity, or a closely related field. 3-5 years of experience in cybersecurity, risk management, compliance within large-scale, complex IT environments. Demonstrable experience in risk assessment methodologies, familiarity with healthcare and regulatory frameworks (e.g., HIPAA, SOC2, NIST, FISMA, RMF), and practical knowledge of information security principles and best practices. Excellent communication, analytical, and problem-solving skills. Demonstrated management skills including willingness and ability to collaborate across IT and business units; proactively communicate with all levels of the organization; strategic thinking. Preferred Relevant industry certifications (e.g., CISSP, CISM, CRISC) are highly desirable. Project management certification (e.g., PMP) is highly desirable. Preferred Licenses & Certifications Project Management Professional (PMP). Equal Opportunity Employer Protected Veterans/Individuals with Disabilities. This employer is required to notify all applicants of their rights pursuant to federal employment laws. For further information, please review the Know Your Rights notice from the Department of Labor. #J-18808-Ljbffr