Principal, IT GRC
Join Our Team!

Sunbelt Rentals strives to be the customer's first choice in the equipment rental industry. From pumps to scaffolding to general construction tools, we aim to be the only call needed to outfit a job site with the proper equipment. Not only do we offer a vast fleet that ranks among the best in the industry, we pair it all with a friendly and knowledgeable staff. Our employees are our greatest asset, and although we present a comprehensive equipment offering, our expertise and service are what truly distinguish us from the competition.

We pride ourselves on investing in our workforce and offer competitive benefits, as well as extensive on-the-job training for all eligible employees.

As a highly successful national company, we are constantly looking for talented individuals to support our growth. If you are interested in pursuing a rewarding career, we invite you to review our opportunities!

Job Description Summary

Position Objective:

The Principal, IT Governance, Risk and Compliance (GRC) is an experienced individual contributor responsible for designing, implementing, and advancing the organization's comprehensive IT compliance program and control framework. You will function as a technical authority for control design, compliance assessment, regulatory adherence, and policy operationalization, with particular focus on Sarbanes-Oxley General IT Controls (GITC), PCI-DSS compliance, and CMMC.
You will work across IT, business units, Internal Audit, and senior leadership to ensure the organization meets its compliance obligations, maintains effective controls, and operates within legal and regulatory boundaries.

Position Responsibilities:

Enterprise GRC Strategy and Leadership
Design and oversee the implementation of a comprehensive, enterprise-scale IT governance and control framework that meets NIST CSF, CMMC (NIST 800-171), PCI-DSS, SOX GITC, and emerging regulatory requirements in data privacy and artificial intelligence.
Establish framework alignment and control crosswalks that map NIST CSF, SOX GITC, PCI-DSS, and CMMC/NIST 800-171 controls to one another to optimize testing efficiency and reduce audit redundancy.
Provide first-line consulting to business and IT leadership on audit/assessment findings, risk implications, and remediation strategies across SOX internal audits, PCI-DSS QSA assessments, and CMMC assessments.

Compliance Policy Maintenance, Review, and Assessment
Maintain and update the organization's comprehensive compliance information security policy framework, ensuring policies remain current with regulatory changes and organizational evolution.
Conduct regular policy reviews (annual minimum, or upon regulatory change) evaluating:
  Alignment with current regulatory requirements (SOX GITC, PCI-DSS, CMMC, NIST, etc.)
  Relevance to current organizational structure and systems
  Operational effectiveness and staff understanding
  Gap identification between policy requirements and organizational practices
Lead policy update processes, translating regulatory changes into operational policy updates.
Create policy crosswalks mapping policies to regulatory requirements and control frameworks.
Lead policy exception and risk acceptance documentation and tracking processes.

Control Assessment and Testing
Serve as subject matter expert in designing and executing effective control assessments across NIST CSF, PCI-DSS, CMMC, SOX GITC, and other frameworks.
Assess the quality and effectiveness of implemented controls through documentation review, testing procedures, and stakeholder interviews.
Identify control gaps, design flaws, and opportunities for enhancement; communicate findings and remediation recommendations.
Establish control remediation processes; track remediation progress and verify corrective actions.
Create audit-ready control documentation including control descriptions, test procedures, evidence matrices, and compliance mappings.
Maintain compliance documentation repositories and evidence management systems.
Serve as advisor to IT teams, business units, and operational leaders on control requirements and compliance obligations specific to their functions.

Regulatory Compliance Programs
Lead the creation and ongoing maintenance of procedural documentation for control operation for PCI-DSS, SOX, and other applicable regulations, specifying control descriptions, operational procedures, and evidence requirements.
Develop, implement, and maintain compliance operations processes and workflows.
Establish compliance metrics and KPIs tracking control effectiveness and maturity progression.
Prepare and maintain evidence for assessments and other compliance reviews.
Develop and maintain compliance calendars coordinating control operation and assessment activities.
Develop and maintain NIST 800-171/CMMC control documentation including control descriptions, implementation narratives, testing procedures, and evidence repositories.
Develop and maintain the CMMC Plan of Action and Milestones (POA&M) documenting gaps, remediation strategies, and status tracking.
Manage CMMC assessment readiness, coordinating with Certified Third-Party Assessment Organizations (C3PAOs).

Requirements:
Detail oriented and highly accurate in the performance of work tasks.
Highly proficient in organizing and documenting information.
Strong interpersonal skills to work with varying levels of the organization.
Excellent oral and written communication skills.
Strong analytical and critical thinking skills with the ability to synthesize complex information and make sound judgments under uncertainty.
Intellectual curiosity and commitment to continuous learning in an evolving regulatory and technology landscape.
Proactive and forward-thinking; ability to anticipate emerging risks and opportunities.
Resilience and adaptability; ability to navigate ambiguity and drive progress in complex environments.
Passion for building governance culture, creating organizational resilience, and advancing responsible technology practices.
Strong ability to prioritize work tasks.
Highly self-motivated.
Strong desire to learn and understand information security principles, trends, and actions.
Strong understanding of major compliance obligations (PCI, GDPR) and frameworks (NIST, ISO).

Education & Experience:
Bachelor's degree in a related field required (IT, cybersecurity, audit, accounting, information security, law, or related discipline); Master's degree preferred.
Preferred certifications: CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), PCIP (PCI Professional), PCI Internal Security Assessor (PCI ISA), or equivalent.
Minimum 5-7 years of related experience in IT governance, risk management, and compliance roles.
Deep expertise in SOX GITC and PCI-DSS frameworks and practices.
CMMC/DFARS/NIST 800-171 compliance experience including control documentation, gap analysis, POA&M management, and C3PAO coordination.
Minimum 2-3 years of direct experience with ServiceNow Integrated Risk Management (IRM) or an equivalent GRC platform.
Expert-level working knowledge of IT general controls, security controls, and control frameworks (NIST 800-53, NIST 800-171, NIST CSF, COBIT, ISO 27001, FedRAMP, SOC 2).
Framework crosswalk expertise: ability to map controls across SOX GITC, PCI-DSS, CMMC, and ISO 27001 to optimize testing efficiency.
Demonstrated expertise in designing scalable, enterprise-wide policy and control frameworks.
Experience drafting, remediating, and editing IT policies, standards, procedures, and controls.
Audit coordination, preparation, and remediation management at enterprise scale.
Experience working cross-functionally with engineers, product teams, security teams, business leaders, and audit teams.
Strong analytical and problem-solving skills in process review, control design, and issue remediation.
Experience with compliance automation tools and evidence management platforms.
Policy operationalization expertise: ability to translate strategic policy design into specific, auditable control requirements and assessment procedures.
Qualifications may be substituted with established years of experience.

Physical Demands:
Must be able to bend, squat, crouch and/or reach and lift up to 25 pounds or more, as required by the job. Some Sunbelt jobs may require driving for long periods of time, loading and unloading heavy equipment, performing work in extreme weather conditions including rain, wind or excessive temperatures and/or night and weekend work. All duties must be performed according to Sunbelt’s safety policies and guidelines. Reasonable accommodations may be made to comply with ADA/ADAAA.

The above description covers the principal duties and responsibilities of the job. The description shall not, however, be construed as a complete listing of all miscellaneous, incidental or similar duties which may be required from day to day.

Sunbelt Rentals is an Equal Opportunity Employer — Minority/Female/Disabled/Veteran and any other protected ground.

Base Pay Range: $98,573.00 - $135,537.60

Starting rate of pay may vary based on factors including, but not limited to, position offered, location, education, training, and/or experience. Please visit https://www.sunbeltrentals.com/careers/ for more information on our benefits and to join our Talent Network.

Sunbelt also provides a comprehensive benefits package to its full-time employees.
This package includes:
Health, Dental and Vision plans
401(k) Match
Volunteer time off
Short-term and long-term disability
Accident, Life and Travel insurance, as well as flexible spending
Tuition Reimbursement Options
Employee Assistance Program (EAP)
Length of Service Awards

You will become eligible for benefits on the first of the month following 30 days from your start date. Sunbelt offers team members the following paid time off from work, subject to Sunbelt’s policies (unless specified in a collective bargaining agreement):
12-25 vacation days depending on years of service
5 sick days
6 holidays
2 half day holidays
2 floating holidays
1 inclusion day
1 volunteer day

Gear up for an exciting career!

Sunbelt Rentals supports service members. Veterans encouraged to apply.