Cybersecurity GRC Analyst II

Overview:

Position:  IT GRC Analyst II

Location:  Santa Ana, California - On-site 4 days a week

Compensation:  100-130K/yr DOE

*Actual compensation may vary from posting based on geographic location, work experience, education, and/or skill level.

Position Summary:  The Cybersecurity GRC Analyst II will be a key member of our fast-paced, growing Cybersecurity Services team. This role is intensely focused on Governance, Risk, and Compliance (GRC) and serves as a primary point of contact for responding to external audits. The Analyst will be responsible for day-to-day IT compliance, data governance, and IT risk management functions. This role is critical in defining, creating, and managing IT policies and standards to meet legal and regulatory requirements.

Responsibilities:

• External Audit Management: Lead the coordination and response to all external IT audits and regulatory examinations. Act as the primary liaison for external auditors, managing evidence collection, interviews, and formal responses to findings.
• Compliance & Controls Testing: Design, lead, and perform comprehensive IT control reviews and compliance testing aligned with regulatory and industry frameworks (e.g., SOC 2, NIST, NY DFS, CCPA/CPRA). Identify control weaknesses and recommend remediation strategies.
• Audit Strategy & Execution: Collaborate with senior IT leadership and Governance teams to develop audit plans and testing strategies based on enterprise risk assessments. Lead high-impact audits across infrastructure, cloud, applications, and cybersecurity domains.
• Controls & Risk Evaluation: Independently evaluate the design and operating effectiveness of IT controls, including access management, change management, data protection, network security, business continuity, and disaster recovery.
• Technology & Evidence Review: Assess automated evidence gathered by NAF’s Next Gen GRC/IRM platform. Partner with control owners to validate effectiveness and drive continuous improvement in evidence quality and timeliness for both internal and external audits.
• Reporting & Recommendations: Prepare executive-level audit reports that clearly articulate testing performed, risk exposure, control gaps, and actionable recommendations. Present findings to leadership, governance bodies, and external auditors.
• Remediation Oversight: Guide and monitor the implementation of remediation plans for audit findings, ensuring timely and effective resolution of identified issues. Conduct follow-up reviews to validate remediation efforts.
• Risk Management: Support ongoing IT risk assessment efforts to identify areas of heightened risk. Recommend enhancements to control coverage and risk mitigation practices based on audit results and industry trends.
• Stakeholder Engagement: Serve as a trusted advisor between IT, business units, and external auditors. Ensure strong collaboration and alignment of controls testing and audit evidence across the organization.
• Regulatory & Industry Expertise: Stay informed on emerging regulatory requirements, auditing standards, and technology trends. Interpret and apply requirements to improve NAF’s IT risk and compliance posture.

Qualifications:

• Deep understanding of IT governance, compliance, and risk management principles.
• Proven experience managing and responding to external IT audits.
• Strong knowledge of frameworks and standards such as SOC 2, NIST CSF/800-53, CIS Controls, NY DFS, and CCPA/CPRA.
• Experience with IT GRC/IRM platforms (e.g., Archer, ServiceNow, OneTrust, or similar).
• Familiarity with cloud environments (Azure, AWS, GCP) and modern IT infrastructures.
• Proven ability to adapt to rapidly changing technology landscapes and compliance requirements.
• Excellent analytical, problem-solving, and critical thinking skills.
• Strong interpersonal, written, and verbal communication abilities, with experience presenting to senior leadership and cross-functional teams.

Education, Experience & Certification:

• Education: Bachelor’s degree in Computer Science, Information Systems, Cybersecurity, or a related field.
• Experience: Minimum 5-7 years of progressive experience in IT audit, IT risk management, cybersecurity, or compliance in a complex enterprise environment.
• Certifications: Professional certifications are highly preferred: CISA, CISSP, CRISC, CISM, CGRC (formerly CAP), CDPSE, CGEIT, CIA.

Work Authorization:

Must be able to verify identity and employment eligibility to work in the U.S. This position does not offer visa sponsorship.

Other Duties:

This job profile is not intended to be an all-inclusive list of job duties and responsibilities, as one may perform additional related duties as assigned in order to meet the needs of the organization.

Physical Demands:

The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodation may be made to enable individuals with disabilities to perform the essential functions. Must be able to lift up to ten pounds. Primary functions require sufficient physical ability and mobility to work in an office setting; to stand or sit for prolonged periods of time; to occasionally stoop, bend, kneel, crouch, reach, and twist; to lift, carry, push, and/or pull light to moderate amounts of weight; to operate office equipment requiring repetitive hand movement and fine coordination including use of a keyboard; and to verbally communicate to exchange information. VISION: See in the normal visual range with or without correction. HEARING: Hear in the normal audio range with or without correction.

Pay Transparency Disclosure: If based in New American Funding’s offices, this role has the annual base salary range stated below.

Job level and actual compensation will be decided based on factors including, but not limited to, individual qualifications objectively assessed during the interview process (including skills and prior relevant experience, potential impact, and scope of role), market demands, and specific work location. The listed range is a guideline, and the range for this role may be modified. For roles that are available to be filled remotely, the pay range is localized according to employee work location by a factor of between 80% and 100% of range. Please discuss your specific work location with your recruiter for more information.

 

New American Funding offers competitive package of additional benefits, including health, dental & vision, retirement with company contribution, parental leave , mental health & wellness benefits, and generous PTO. New American Funding also offers sales incentive pay for most sales roles and an annual bonus plan for eligible non-sales roles. New American Funding’s compensation and benefits are subject to change and may be modified in the future.

[EOE/M/F/D/V. Drug-free workplace.]

 

#LI-JS3

Provides residential mortgage lending and loan refinancing services.