- Maintain the operational effectiveness of the GRC program which is inclusive of policy management, training and competence management, contract compliance management, third party risk management, and privacy operations management- Cultivate customer trust by demonstrating a dedication to data privacy and security by maintaining our Privacy Security & Compliance Hubs (Third Party Risk, Privacy Ops, Trust Center Platform) - Work within the agile framework to consistently plan and complete multi-quarter projects to deliver against team objectives and key results- Support and maintain the Risk Management Program by identifying and assessing risks, implementing mitigation strategies and reporting to Security leadership on the current state of risk at Expel- Provide support for our vendor third-party risk objectives which includes sending out vendor security assessments and supporting the completion of privacy impact assessments- Collaborate with teams across the business to enable audit readiness for annual audits and other assessments that may occur throughout the year

- Work with the executive management team to understand the company's long term direction, createand manage a roadmap to support our key initiatives- Mentor the GRC team, provide coaching and direction as needed- Build out a program that helps train our people on best practices as they relate to security, privacy andcompliance- Track Expel’s compliance with individual requirements from multiple security compliance frameworks- Manage Information Security initiatives and related documentation, as needed- Manage, maintain, and annually update policies, exceptions, and other governance documents, asnecessary- Monitor published changes in frameworks to ensure Expel is prepared for new or updatedrequirements- Evaluate new or additional security compliance frameworks that may be beneficial to Expel ourcustomers, or our prospects- Understand business processes, regulations, and controls and develop meaningful tests to ensurecontrols are operating effectively- Identify requirements not currently being met, and work to develop a path towards full compliance- Manage formal audit / assessment processes for SOC2, ISO 27k, NIST CSF and PF, GDPR, andother regimes

- Discovered how to make compliance easy by thinking creatively and helping sustain sensible policiesand procedures- Supported transformation efforts that mature Governance, Risk, and Compliance business processes,functions, and systems.- Provided insights on managing and sustaining objectives and key results via compliance metrics- Assisted in management of the IT risk management program (helping lead IT/Security riskassessments, monitoring the completion of risk treatment plans, remediation statuses, etc.)- Provided support with and built out the vendor third-party risk process.- Collaborated with teams across the business to enable audit readiness for annual audits and otherassessments that occur throughout the year (ISO 27001, 27701, SOC2, GDPR, NIST 800-171, NISTCSF)- Provided the team with support with controls management and the execution of internal control testinstances- Identified areas that need increased efficiency and worked toward automation

- Ensured adherence to key compliance and regulatory frameworks (PCI DSS, HIPAA, HITRUST, ISO 27001, AICPA SOC2) and assorted privacy regulations (e.g. GDPR, CCPA, etc).- Worked with key personnel to determine compliance with regulatory and compliance requirements.- Monitored, reported, and routinely audited compliance to all information security procedures and policies to ensure consistency of internal controls across departments.- Conducted research to keep abreast of latest security issues, advances, and changes, communicating trends and advancements to the GRC|P team to drive down risk and identify efficiencies.- Identified and assessed compliance and privacy risk areas.- Collected, organized, and analyzed compliance and quality improvement data (i.e. dashboards).- Tracked and reported corrective action for identified deficiencies, executed follow-up validation of remediated controls, and performed walkthroughs of key IT and security control processes.- Promoted a strong security culture through the organization.- Supported teams in areas of risk and compliance.- Stayed current on latest IT process and risk management methodologies.- Recommended operational and process efficiencies for the team.- Created and assigned IT and GRC related training content to meet compliance obligations.

• Ensured A-LIGN remained in compliance with the requirements of Accreditation Bodies such as ANAB (ISO 27001, ISO 22301, ISO 27701), A2LA (FedRAMP), AICPA (SOC 1, SOC 2), HITRUST, PCI DSS, and CMMC through compliance control monitoring.• Conducted internal audits to confirm A-LIGN was working within the requirements set forth by the Accreditation Bodies.• Worked with the Legal Department to ensure company compliance with local, state and federal laws such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).• Drafted, reviewed and updated internal policies and procedures as required.