Information Security GRC Analyst III

Purpose Financial
Greenville, SC
Onsite

About The Position

Design, implement, audit, and maintain governance, risk management, and compliance (GRC) controls for Purpose Financial's information security program. This role is the operational backbone of our compliance posture: owning SOC 2 Type II readiness and certification, driving ISO 27001 certification and ongoing ISMS maintenance, and supporting the broader Information Security Program across NIST CSF, NIST SP 800-53/800-171, CIS Controls, and PCI DSS. The ideal candidate brings an organized, project-managed approach to policy, risk, third-party oversight, audit readiness, and continuous compliance. The role partners closely with IT, SecOps, Legal, Internal Audit, and business stakeholders to protect the information assets owned by or entrusted to the Company.

Requirements

  • Bachelor’s degree in Information Security or equivalent experience.
  • 3–5+ years of experience in information security GRC, compliance, or audit roles.
  • Hands-on experience with SOC 2 Type II audits (as auditee, control owner, or auditor).
  • Working knowledge of SOC 2, ISO 27001, NIST CSF, NIST SP 800-53, and CIS Controls.
  • Experience maintaining risk registers, conducting risk assessments, and managing remediation tracking.
  • Strong written communication skills: ability to produce clear policy documents, audit evidence packages, and executive-level reports.
  • Demonstrated ability to manage multiple workstreams with a project-managed approach.
  • Experience with GRC platforms.
  • Excellent written and verbal communication skills; adaptability and flexibility in a changing environment; and comfort working in a dynamic, high-volume, fast-paced environment.
  • Ability to understand and ensure compliance with policies, procedures, and laws governing our industry/business and products.
  • Must be eligible to work in the USA and able to pass a background check.

Nice To Haves

  • Experience in financial services, fintech, or consumer lending environments.
  • Familiarity with PCI DSS requirements and control environments.
  • Certifications: CISA, CRISC, CISSP, ISO 27001 Lead Auditor/Implementer, or equivalent.
  • Exposure to privacy frameworks (GLBA, CCPA, state-level financial privacy regulations).
  • Ability to work collaboratively with cross-functional teams and influence stakeholders.

Responsibilities

  • Maintain and evolve the Company's information security policies, standards, and controls mapped to SOC 2, ISO 27001, NIST, and CIS frameworks; manage the policy exception process with documented justification and approval.
  • Conduct risk assessments, maintain the risk register, and support risk acceptance decisions with structured evidence; escalate material risks to leadership with mitigation plans.
  • Own end-to-end audit preparation for SOC 2 Type II and ISO 27001 certification, including control testing, evidence collection, gap remediation, and findings tracking. Maintain the Company's ISMS, conduct Statement of Applicability (SoA) reviews, support internal audits and management reviews, and serve as the primary liaison with external certification bodies throughout the certification and surveillance audit lifecycle.
  • Partner with IT and SecOps to operationalize controls across access management, encryption, logging, vulnerability management, and backup/DR; define evidence sources and test cadence.
  • Leverage GRC platform automated monitoring capabilities to maintain real-time visibility into control health; triage failing controls, coordinate remediation with owners, and ensure evidence remains audit-ready throughout the observation period.
  • Maintain a structured evidence repository (e.g., SharePoint, GRC platform) to support SOC 2 Type II and ISO 27001 audit cycles; coordinate evidence requests from external auditors, establish and enforce evidence collection cadences (monthly, quarterly, and annual), and ensure completeness and integrity of the evidence package throughout the audit observation period.
  • Manage the third-party risk management program including vendor risk assessments, security questionnaires (SIG/CAIQ), contract review support, and ongoing monitoring of critical vendors to ensure alignment with the Company's security and compliance requirements.
  • Manage the full control lifecycle including new control design, change management, deprecation, and exception handling; ensure all control changes are documented, reviewed, and aligned with SOC 2 Type II and ISO 27001 audit requirements.
  • Develop and deliver control owner training, security awareness materials, and compliance guidance to drive adoption of security controls across business units; serve as a trusted advisor to cross-functional teams on GRC-related obligations and best practices.
  • Produce dashboards and status reports on risk posture, control health, and audit readiness for both technical teams and executive/Board-level stakeholders.
  • Support incident response, BCP/DR planning, and privacy obligations; publish practical guidance and job aids to drive control adoption across the organization.

Benefits

  • Competitive Wages
  • Health/Life Benefits
  • Health Savings Account plus Employer Seed
  • 401(k) Savings Plan with Company Match
  • Paid Parental Leave
  • Company Paid Holidays
  • Paid Time Off including Volunteer Time
  • Tuition Reimbursement
  • Business Casual Environment
  • Rewards & Recognition Program
  • Employee Assistance Program
  • Office in downtown Greenville that offers free parking, onsite gym, free snacks/drinks
© 2026 Teal Labs, Inc