GRC Analyst (Farmington Hills)

The Governance, Risk, and Compliance (GRC) Analyst is responsible for internal controls as well as the RouteOne Comprehensive Information Security Program. This program is designed to protect company information, data and facilities; maintain the security of assets; and to ensure the efficacy of, and compliance with internal controls. The overall goal is to design, develop, implement, and maintain compliance to a comprehensive information security program that is appropriate to the sensitivity of the information and data that is scoped adequately for the size, complexity, nature, and risk of RouteOne’s business activities. The ideal candidate will have the skill to communicate the details of this program, in writing and speaking, to management, external auditors and customers, regardless of their technical or non-technical backgrounds.

Job Requirements Execute and manage internal audits. Collect and maintain audit evidence for annual SOC (Service Organizations Controls) and GLBA audits derived from results of internal audits, including documentation of deviations. Participate in audits of RouteOne’s vendors and perform subsequent remediation tracking to closure. Respond to audits from finance sources and other customers including participating and leading in-person or virtual audit sessions, answering detailed questionnaires, and gathering and providing evidence as well as managing remediation of findings from these audits. Respond to due diligence requests from finance sources and other customers, providing documentation such as SOC reports, security reports, and other evidence. Design new controls and subsequent documentation updates to policies and procedures to close audit findings. Review reports generated from various monitoring and scanning tools and escalate to the Cybersecurity Team appropriately. Collect data, produce reports, and analyze metrics from audits conducted to evaluate compliance, and collaborate with internal IT Teams to improve existing cybersecurity measures. Contribute to certain functions within the information security framework that ensure confidentiality, integrity, and availability of information assets by protecting against unauthorized use, disclosure, modification, or loss. Assist with informing and educating staff about information security, compliance, risks, and governance including assisting in phishing prevention campaigns and monitoring employee training compliance. Assist in monitoring, administering, and enforcing security policies/procedures. Review existing documentation of IT controls, business processes, policies, procedures, and management reports for compliance, effectiveness, and sustainability. Manage remediation plans/corrective actions for any vulnerabilities or compliance failures reported in audits. Perform gap analysis to assess compliance with evolving regulatory requirements and duties such as NIST, PCI-DSS, GLBA, CSA, FCRA, Privacy Laws, and other frameworks as needed. Maintain safety, security, and privacy standards throughout all areas of responsibility. Assist in annual Risk Assessments and Business Impact Analysis reviews with management. Assist in annual Business Continuity Exercises and Security Incident Response tabletop exercises Participate in Scope Lock meetings for compliance and risk evaluation for proposed code and feature changes to application. Provide input to other teams for current audit, compliance, governance, and risk mitigation requirements of proposed actions and/or purchases.

Knowledge Experience reviewing and/or drafting policies and procedures across the enterprise. Experience in Audit, Compliance, Governance, Risk, or equivalent Information Security area with technically complex and diverse audits/projects. Demonstrated experience applying knowledge of internal control standards, objectives, and techniques unique to computer processing in a multiple platform environment. Solid knowledge of current industry information security, compliance and governance principles, controls and practices. Knowledge of various compliance frameworks and industry best practices (e.g., PCI, GDPR, ISO 27001). Understanding of security protocols and standards. (NIST, SOC, GLBA, OWASP Top 10). Experience in reporting analysis of potential cybersecurity threats, emerging practices, and technologies to both technical and non-technical audiences. Understanding of auto finance industry is a plus. Knowledge of cloud, SaaS (Software as a Service), AI, and shared security model responsibilities. Demonstrated experience of successful customer and vendor relationship management, including conflict resolution, preferred.

Skills Proficient in Microsoft Office products, including, but not limited to, Word, PowerPoint, SharePoint, Excel, Outlook, Teams, and Visio. Experience with Microsoft Defender is a plus. Experience with Atlassian products such as Confluence and Jira, or ticketing systems such as Salesforce or ServiceNow. Knowledge of security intrusion prevention tools used to record, track, and examine intrusions to find ways to prevent future incidents. Experience working within various compliance programs (e.g., SOC, GLBA, NIST, ISO, etc.).

Abilities Ability to work both independently and in a team environment to establish priorities and execute subsequent plans successfully. Ability to use relevant information and individual judgment to determine whether events or processes comply with laws, regulations, or standards. The ability to communicate information and ideas, both verbally and in writing, so others will understand risks and proposed solutions. Ability to thrive in dynamic, fast-paced software development environment. Knowledge of Agile Development is a plus. Strong analytical, problem-solving, communication, and technical skills. Proactive, detail-oriented professional eager to grow in responsibility. Flexibility to adjust to changing priorities and simultaneously work on high visibility projects to assure completion. Adaptability to respond to security issues arising from new cybersecurity threats and emerging tools and technologies. Ability to take a practical business-focused approach to security, compliance, risk, audit, and governance protocols. Proven organizational and time management ability. Willingness to be a continual learner in the governance best practices within the cybersecurity landscape.

Other Essential Requirements 2+ years of professional experience. Bachelor's degree from an accredited university. Cybersecurity, compliance, risk, governance, and auditing experience. Ability to travel up to 25% of the time. Certifications through ISACA, CompTIA, SANS, GIAC or other professional certifying bodies a plus.