Principal, Governance, Risk and Compliance

Sunbelt Rentals, Inc., Fort Mill, SC
$98,573 - $135,538

About The Position

Position Objective: The Principal, IT Governance, Risk and Compliance (GRC) is an experienced individual contributor responsible for designing, implementing, and advancing the organization's comprehensive IT compliance program and control framework. You will function as a technical authority for control design, compliance assessment, regulatory adherence, and policy operationalization, with particular focus in Sarbanes-Oxley General IT Controls (GITC), PCI-DSS compliance, and CMMC. You will work across IT, business units, Internal Audit, and senior leadership to ensure the organization meets its compliance obligations, maintains effective controls, and operates within legal and regulatory boundaries.

Requirements

  • Detail oriented and highly accurate in the performance of work tasks.
  • Highly proficient in organizing and documenting information
  • Strong interpersonal skills to work with varying levels of the organization.
  • Excellent oral and written communication skills
  • Strong analytical and critical thinking skills with ability to synthesize complex information and make sound judgments under uncertainty
  • Intellectual curiosity and commitment to continuous learning in an evolving regulatory and technology landscape
  • Proactive and forward-thinking; ability to anticipate emerging risks and opportunities
  • Resilience and adaptability; ability to navigate ambiguity and drive progress in complex environments
  • Passion for building governance culture, creating organizational resilience, and advancing responsible technology practices
  • Strong ability to prioritize work tasks.
  • Highly self-motivated
  • Strong desire to learn and understand information security principles, trends and actions.
  • Strong understanding of major compliance obligations (PCI, GDPR) and frameworks (NIST, ISO)
  • Bachelor's degree in a related field required (IT, cybersecurity, audit, accounting, information security, law, or related discipline); Master's degree preferred
  • Minimum 5-7 years of related experience in IT governance, risk management, and compliance roles
  • Deep expertise in SOX GITC and PCI-DSS frameworks and practices
  • CMMC/DFARS/NIST 800-171 compliance experience including control documentation, gap analysis, POA&M management, and C3PAO coordination experience
  • Minimum 2-3 years of direct experience with ServiceNow Integrated Risk Management (IRM) or equivalent GRC platform
  • Expert-level working knowledge of IT general controls, security controls, and control frameworks (NIST 800-53, NIST 800-171, NIST CSF, COBIT, ISO 27001, FedRAMP, SOC 2)
  • Framework crosswalk expertise: Ability to map controls across SOX GITC, PCI-DSS, CMMC, ISO 27001 to optimize testing efficiency
  • Demonstrated expertise in designing scalable, enterprise-wide policy and control frameworks
  • Experience drafting, remediating, and editing IT policies, standards, procedures, and controls
  • Audit coordination, preparation, and remediation management at enterprise scale
  • Experience working cross-functionally with engineers, product teams, security teams, business leaders, and audit teams
  • Strong analytical and problem-solving skills in process review, control design, and issue remediation
  • Experience with compliance automation tools and evidence management platforms
  • Policy operationalization expertise: Ability to translate strategic policy design into specific, auditable control requirements and assessment procedures

Nice To Haves

  • Preferred certifications: CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), PCIP (PCI Professional), PCI Internal Security Assessor (PCI ISA) or equivalent

Responsibilities

  • Enterprise GRC Strategy and Leadership: Design and oversee the implementation of a comprehensive, enterprise-scale IT governance and control framework that meets NIST CSF, CMMC (NIST 800-171), PCI-DSS, SOX GITC, and emerging regulatory requirements in data privacy and artificial intelligence.
  • Establish framework alignment and control crosswalks that map NIST CSF, SOX GITC, PCI-DSS, and CMMC/NIST 800-171 controls to optimize testing efficiency and reduce audit redundancy.
  • Provide first-line consulting to business and IT leadership on audit/assessment findings, risk implications, and remediation strategies across SOX internal audits, PCI-DSS QSA assessments, and CMMC assessments.
  • Compliance Policy Maintenance, Review, and Assessment: Maintain and update the organization's comprehensive compliance information security policy framework, ensuring policies remain current with regulatory changes and organizational evolution.
  • Conduct regular policy reviews (annual minimum, or upon regulatory change) evaluating alignment with current regulatory requirements (SOX GITC, PCI-DSS, CMMC, NIST, etc.); relevance to current organizational structure and systems; operational effectiveness and staff understanding; and gap identification between policy requirements and organizational practices.
  • Lead policy update processes translating regulatory changes into operational policy updates.
  • Create policy crosswalks mapping policies to regulatory requirements and control frameworks
  • Lead policy exception and risk acceptance documentation and tracking processes.
  • Control Assessment and Testing: Serve as subject matter expert in designing and executing effective control assessments across NIST CSF, PCI-DSS, CMMC, SOX GITC, and other frameworks.
  • Assess the quality and effectiveness of implemented controls through documentation review, testing procedures, and stakeholder interviews.
  • Identify control gaps, design flaws, and opportunities for enhancement; communicate findings and remediation recommendations.
  • Establish control remediation processes; track remediation progress and verify corrective actions.
  • Create audit-ready control documentation including control descriptions, test procedures, evidence matrices, and compliance mappings.
  • Maintain compliance documentation repositories and evidence management systems.
  • Serve as advisor to IT teams, business units, and operational leaders on control requirements and compliance obligations specific to their functions
  • Regulatory Compliance Programs: Lead the creation and ongoing maintenance of procedural documentation for control operation for PCI-DSS, SOX, and other applicable regulations, specifying control descriptions, operational procedures, and evidence requirements.
  • Develop, implement and maintain compliance operations processes and workflows.
  • Establish compliance metrics and KPIs tracking control effectiveness and maturity progression.
  • Prepare and maintain evidence for assessments and other compliance reviews.
  • Develop and maintain compliance calendars coordinating control operation and assessment activities.
  • Develop and maintain NIST 800-171/CMMC control documentation including control descriptions, implementation narratives, testing procedures, and evidence repositories
  • Develop and maintain CMMC Plan of Actions and Milestones (POA&M) documenting gaps, remediation strategies, and status tracking
  • Manage CMMC assessment readiness, coordinating with Certified Third-Party Assessment Organizations (C3PAOs)

Benefits

  • Health, Dental and Vision plans
  • 401(k) Match
  • Volunteer time off
  • Short-term and long-term disability
  • Accident, Life and Travel insurance, as well as flexible spending
  • Tuition Reimbursement Options
  • Employee Assistance Program (EAP)
  • Length of Service Awards
  • Medical/Dental/Vision Insurance
  • 401(k) Retirement Plan - US
  • RRS Plan – CAN
  • Paid Parental Leave
  • Paid Holidays and Paid Time Off
© 2024 Teal Labs, Inc