Senior Associate, GRC (Governance, Risk, & Compliance)

Two Harbors Investments Corp, Fort Mill, SC
$130,000 - $170,000

About The Position

The Senior Associate - Governance, Risk, and Compliance will be responsible for the overall design, implementation, and management of the company's enterprise-wide Information Security GRC program.

Requirements

  • Bachelor's degree or equivalent in Computer Science, Information Systems Management, Information Technology or other related discipline preferred.
  • 5+ years of progressive experience in Information Security, IT Audit, or GRC within a heavily regulated industry.
  • Deep, demonstrable expertise in financial services and/or mortgage servicing regulations (e.g., FFIEC, GLBA, CFPB, HUD, SOX ITGC).
  • Experience managing a successful SOC 2 Type II audit from preparation through final report issuance.
  • Proven experience in designing and implementing an enterprise-level risk management framework (e.g., NIST RMF, ISO 27005).

Nice To Haves

  • CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager), CRISC (Certified in Risk and Information Systems Control), or CISSP (Certified Information Systems Security Professional)

Responsibilities

  • Design, implement, mature, and manage the end-to-end Information Security GRC program, ensuring alignment with the overall business strategy and risk tolerance.
  • Serve as the primary owner and internal champion for the annual SOC 2 Type II audit, coordinating all evidence collection, internal readiness reviews, auditor interactions, and managing the Statement on Controls (SOC) response process.
  • Ensure and document continuous compliance with relevant financial services and mortgage industry regulations (e.g., GLBA, Sarbanes-Oxley (SOX) IT General Controls (ITGC), FFIEC, etc.).
  • Develop, maintain, and enforce comprehensive information security policies, standards, and guidelines that address regulatory requirements and industry best practices (e.g., NIST, ISO 27001).
  • Act as the primary liaison for all internal and external security audits and regulatory examinations, ensuring timely, accurate, and professional responses.
  • Develop and manage a robust process for tracking, validating, and reporting on the remediation of audit findings and control deficiencies.
  • Monitor the regulatory landscape (e.g., CFPB, HUD, state regulations, SEC, etc.) for changes impacting the organization, translating those changes into actionable GRC program requirements.
  • Oversee the Information Security Risk Management lifecycle, including risk identification, analysis, assessment, treatment, monitoring, and communication.
  • Define and manage the security components of the Third-Party Risk Management program, including due diligence, contract reviews, and continuous monitoring of critical vendors.
  • Manage internal and external security risk assessments (e.g., Penetration Tests, Vulnerability Assessments) and track remediation efforts to closure.
  • Prepare and present GRC program status, key risk indicators (KRIs), and compliance metrics to the CISO and other Executive Leadership.

Benefits

  • Medical / Dental / Vision Insurance
  • Life / Disability Insurance
  • 401(k) with company matching
  • Generous Vacation / Paid Time Off (accrual based)
  • Targeted Compensation: $130,000-$170,000


What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Industry

Real Estate

Number of Employees

51-100 employees
