Company: SPA
Location: Arlington, VA
Career Level: Associate
Industries: Manufacturing, Engineering, Aerospace

Description

Overview

Intrepid, an SPA Company, brings more than 20 years of experience supporting the Department of Defense and U.S. Government, consistently setting the standard for excellence in the federal marketplace. Committed to advancing the mission of the U.S. Warfighter, Intrepid leverages technological superiority to deliver innovative solutions across air, space, land, and sea domains. We are proud to foster a collaborative, dynamic work environment, offering competitive compensation and an industry-leading 401k contribution. Our team is built through merit and achievement, and we're always looking for the best and brightest to join us in our growth. We treat our people like family, we are mission-focused, and we give back! Join us today.

 

Our Financial Management & Business Analysis Portfolio supports the U.S. Army Financial Management Command (USAFMCOM), Systems Support Operations (SSO) Division. We provide effective functional systems support, user technical support, training support, and governance support for the Army's modernized and deployed FM domain ERP systems (GFEBS / GFEBS-SA / GCSS-A (Finance)), ensuring that the maturation and evolution of their technological capabilities align with Army and FM domain goals and objectives.

  

SPA has an immediate need for a SIPR Governance, Risk, and Compliance (GRC) & Security Analyst within the U.S. Army's General Fund Enterprise Business System – Sensitive Activities (GFEBS-SA). This role requires onsite work 5 days a week at the customer's SIPR location.


Responsibilities

Managing GRC system and its related processes:

  • Manage the full lifecycle of GRC tickets to support user access provisioning.
  • Conduct Segregation of Duties (SOD) analysis simulations to identify and mitigate potential conflicts before assigning roles. This includes creating mock requests to troubleshoot user-reported issues.
  • Deliver user support and GRC training to groups of end-users, such as Supervisors and Role Approvers.
  • Guide users in completing 4th Tier Hierarchy worksheets to facilitate security role updates, and develop job aids and process documentation.

 

Working on SAP ECC/BI Security concepts and administration:

  • Execute SAP transactions.
  • Conduct SAP role design and maintain the associated authorization objects.
  • Gather functional requirements from business users and translate them into clear, actionable specifications for the SAP Security team.

 

Navigating Audit & Compliance

  • Participating in multiple cycles of internal and external audits. 
  • Facilitating SOC-1 and SOC-2 audits. 
  • Conducting Control Examination related to security, availability, processing integrity, and privacy. 

 

Responsible for User Access Reviews & Systems

  • Conducting Critical Access Monitoring (CAM) and engaging directly with end-users. 
  • Executing User Reaffirmation cycles, guiding users on removing unnecessary roles and resolving identified SOD conflicts. 
  • Managing and resolving incidents in ServiceNow.

 

As part of FSO duties, conducting physical security in the SCIF:

  • Either open the SIPR office space at 0700 EST daily or close it at 1700 EST, M-F.
  • Create Visitor Access Requests (VARS) and verify background clearances.
  • Maintain the sign-in and sign-out roster for visitors; monitor and assist during on-site classified meetings.

Qualifications

Required Qualifications: 

  • Active TS clearance
  • 10+ years of position-related experience in GRC systems, SAP ECC/BI Security, Audit & Compliance, and Critical Access Monitoring.
  • MA/MS degree

The candidate must demonstrate mastery of the GRC system and its related processes: 

  • Ticket & Workflow Management: Experience managing the full lifecycle of GRC tickets to support user access provisioning. Must be able to articulate the purpose of each stage in the GRC workflow. 
  • Segregation of Duties (SOD) Analysis: Experience conducting SOD simulations to identify and mitigate potential conflicts before assigning roles. 
  • User Support & Training: Experience delivering GRC training to groups of end-users.
  • Process Documentation: Experience guiding users in completing 4th Tier Hierarchy worksheets to facilitate security role updates. Ability to develop job aids and process documentation (e.g., how to request a FireFighter ID).
  • Issue Resolution: Understand the utilization of GRC "escape paths" to resolve complex access issues. 

 

The candidate must have a strong technical foundation in SAP ECC/BI Security concepts and administration. 

  • SAP Transactions: Proficiency in executing and understanding the purpose of key SAP transactions, including: SE16n, SU01D, SUIM, SU53, WE02, FMZ3, and SM37. 
  • Role Design & Objects: Experience & knowledge of SAP role design (single vs. composite) and a thorough understanding of core authorization objects (e.g., S_TABU_DIS, S_PROGRAM, S_USR_* tables). 
  • Requirements Translation: Proven ability to gather functional requirements from business users and translate them into clear, actionable specifications for the SAP Security team. 

The candidate must be experienced in Audit & Compliance, navigating the demands of both internal and external audits. 

  • Audit Participation: Direct experience participating in multiple cycles of internal and external audits, including responding to Provided by Client (PBC) requests. 
  • SOC Audits: Direct experience facilitating SOC-1 and SOC-2 audits in a federal environment. Must be able to articulate their specific role, contributions, and challenges faced. 
  • Auditor Communication: Adept at discussing Segregation of Duties (SOD) controls and policies with internal and external auditors. 
  • Control Examination: Ability to examine controls related to security, availability, processing integrity, and privacy, and to provide concrete examples of evidence supplied for audit reviews, such as responding to NFRs (notices of findings and recommendations), describing the significance of a POAM (plan of action & milestones), and responding to PBCs (provided by client).

The candidate must be experienced in User Access Reviews & System Proficiency, including cyclical user access reviews, and must be proficient in using a help desk system.

  • Critical Access Monitoring (CAM): Experience with the CAM process, including its purpose, risks, and benefits, as well as engaging directly with end-users. 
  • User Reaffirmation: Proven ability to execute User Reaffirmation cycles, guiding users on removing unnecessary roles and resolving identified SOD conflicts. 
  • ServiceNow: Proficiency in using ServiceNow as a help desk ticketing system to manage and resolve incidents. 

Experience in Physical Security is a plus:

  • Role requires availability to either open the SIPR office space at 0700 EST daily or close it at 1700 EST, M-F.
  • Experience using DISS: creating Visitor Access Requests (VARS) and verifying background clearances.
