Join Our Team! Sunbelt Rentals strives to be the customer's first choice in the equipment rental industry. From pumps to scaffolding to general construction tools, we aim to be the only call needed to outfit a job site with the proper equipment. Not only do we offer a vast fleet that ranks among the best in the industry, we pair it all with a friendly and knowledgeable staff. Our employees are our greatest asset, and although we present a comprehensive equipment offering, our expertise and service are what truly distinguish us from the competition. We pride ourselves on investing in our workforce and offer competitive benefits, as well as extensive on-the-job training for all eligible employees. As a highly successful national company, we are constantly looking for talented individuals to support our growth. If you are interested in pursuing a rewarding career, we invite you to review our opportunities!

Job Description Summary

Position Objective: The Principal, IT Governance, Risk and Compliance (GRC) is an experienced individual contributor responsible for designing, implementing, and advancing the organization's comprehensive IT compliance program and control framework. You will function as a technical authority for control design, compliance assessment, regulatory adherence, and policy operationalization, with particular focus on Sarbanes-Oxley General IT Controls (GITC), PCI-DSS compliance, and CMMC. You will work across IT, business units, Internal Audit, and senior leadership to ensure the organization meets its compliance obligations, maintains effective controls, and operates within legal and regulatory boundaries.

Position Responsibilities:

Enterprise GRC Strategy and Leadership
- Design and oversee the implementation of a comprehensive, enterprise-scale IT governance and control framework that meets NIST CSF, CMMC (NIST 800-171), PCI-DSS, SOX GITC, and emerging regulatory requirements in data privacy and artificial intelligence.
- Establish framework alignment and control crosswalks that map NIST CSF, SOX GITC, PCI-DSS, and CMMC/NIST 800-171 controls to optimize testing efficiency and reduce audit redundancy.
- Provide first-line consulting to business and IT leadership on audit/assessment findings, risk implications, and remediation strategies across SOX internal audits, PCI-DSS QSA assessments, and CMMC assessments.
Compliance Policy Maintenance, Review, and Assessment
- Maintain and update the organization's comprehensive compliance information security policy framework, ensuring policies remain current with regulatory changes and organizational evolution.
- Conduct regular policy reviews (annual minimum, or upon regulatory change) evaluating:
- Alignment with current regulatory requirements (SOX GITC, PCI-DSS, CMMC, NIST, etc.)
- Relevance to current organizational structure and systems
- Operational effectiveness and staff understanding
- Gap identification between policy requirements and organizational practices
- Lead policy update processes translating regulatory changes into operational policy updates.
- Create policy crosswalks mapping policies to regulatory requirements and control frameworks.
- Lead policy exception and risk acceptance documentation and tracking processes.
Control Assessment and Testing
- Serve as subject matter expert in designing and executing effective control assessments across NIST CSF, PCI-DSS, CMMC, SOX GITC, and other frameworks.
- Assess the quality and effectiveness of implemented controls through documentation review, testing procedures, and stakeholder interviews.
- Identify control gaps, design flaws, and opportunities for enhancement; communicate findings and remediation recommendations.
- Establish control remediation processes; track remediation progress and verify corrective actions.
- Create audit-ready control documentation including control descriptions, test procedures, evidence matrices, and compliance mappings.
- Maintain compliance documentation repositories and evidence management systems.
- Serve as advisor to IT teams, business units, and operational leaders on control requirements and compliance obligations specific to their functions.
Regulatory Compliance Programs
- Lead the creation and ongoing maintenance of procedural documentation for control operation for PCI-DSS, SOX, and other applicable regulations, specifying control descriptions, operational procedures and evidence requirements.
- Develop, implement and maintain compliance operations processes and workflows.
- Establish compliance metrics and KPIs tracking control effectiveness and maturity progression.
- Prepare and maintain evidence for assessments and other compliance reviews.
- Develop and maintain compliance calendars coordinating control operation and assessment activities.
- Develop and maintain NIST 800-171/CMMC control documentation including control descriptions, implementation narratives, testing procedures, and evidence repositories.
- Develop and maintain the CMMC Plan of Action and Milestones (POA&M) documenting gaps, remediation strategies, and status tracking.
- Manage CMMC assessment readiness, coordinating with Certified Third-Party Assessment Organizations (C3PAOs).
Requirements:
- Detail oriented and highly accurate in the performance of work tasks.
- Highly proficient in organizing and documenting information.
- Strong interpersonal skills to work with varying levels of the organization.
- Excellent oral and written communication skills.
- Strong analytical and critical thinking skills with ability to synthesize complex information and make sound judgments under uncertainty
- Intellectual curiosity and commitment to continuous learning in an evolving regulatory and technology landscape
- Proactive and forward-thinking; ability to anticipate emerging risks and opportunities
- Resilience and adaptability; ability to navigate ambiguity and drive progress in complex environments
- Passion for building governance culture, creating organizational resilience, and advancing responsible technology practices
- Strong ability to prioritize work tasks.
- Highly self-motivated
- Strong desire to learn and understand information security principles, trends and actions.
- Strong understanding of major compliance obligations (PCI, GDPR) and frameworks (NIST, ISO)
Education & Experience:
- Bachelor's degree in a related field required (IT, cybersecurity, audit, accounting, information security, law, or related discipline); Master's degree preferred
- Preferred certifications: CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), PCIP (PCI Professional), PCI Internal Security Assessor (PCI ISA) or equivalent
- Minimum 5-7 years of related experience in IT governance, risk management, and compliance roles
- Deep expertise in SOX GITC and PCI-DSS frameworks and practices
- CMMC/DFARS/NIST 800-171 compliance experience including control documentation, gap analysis, POA&M management, and C3PAO coordination experience
- Minimum 2-3 years of direct experience with ServiceNow Integrated Risk Management (IRM) or equivalent GRC platform
- Expert-level working knowledge of IT general controls, security controls, and control frameworks (NIST 800-53, NIST 800-171, NIST CSF, COBIT, ISO 27001, FedRAMP, SOC 2)
- Framework crosswalk expertise: Ability to map controls across SOX GITC, PCI-DSS, CMMC, ISO 27001 to optimize testing efficiency
- Demonstrated expertise in designing scalable, enterprise-wide policy and control frameworks
- Experience drafting, remediating, and editing IT policies, standards, procedures, and controls
- Audit coordination, preparation, and remediation management at enterprise scale
- Experience working cross-functionally with engineers, product teams, security teams, business leaders, and audit teams
- Strong analytical and problem-solving skills in process review, control design, and issue remediation
- Experience with compliance automation tools and evidence management platforms
- Policy operationalization expertise: Ability to translate strategic policy design into specific, auditable control requirements and assessment procedures
**Qualifications may be substituted with established years of experience.

Physical Demands: Must be able to bend, squat, crouch and/or reach and lift up to 25 pounds or more, as required by the job. Some Sunbelt jobs may require driving for long periods of time, loading and unloading heavy equipment, performing work in extreme weather conditions including rain, wind or excessive temperatures and/or night and weekend work. All duties must be performed according to Sunbelt's safety policies and guidelines. Reasonable accommodations may be made to comply with ADA/ADAAA.

The above description covers the principal duties and responsibilities of the job. The description shall not, however, be construed as a complete listing of all miscellaneous, incidental or similar duties which may be required from day to day.

Sunbelt Rentals is an Equal Opportunity Employer - Minority/Female/Disabled/Veteran and any other protected ground
Base Pay Range: $98,573.00 - 135,537.60
Starting rate of pay may vary based on factors including, but not limited to, position offered, location, education, training, and/or experience. Please visit https://www.sunbeltrentals.com/careers/ for more information on our benefits and to join our Talent Network.
Sunbelt also provides a comprehensive benefits package to its full-time employees. This package includes:
- Health, Dental and Vision plans
- 401(k) Match
- Volunteer time off
- Short-term and long-term disability
- Accident, Life and Travel insurance, as well as flexible spending
- Tuition Reimbursement Options
- Employee Assistance Program (EAP)
- Length of Service Awards
You will become eligible for benefits on the first of the month following 30 days from your start date. Sunbelt offers team members the following paid time off from work, subject to Sunbelt's policies (unless specified in a collective bargaining agreement):
Gear up for an exciting career!
Sunbelt Rentals supports service members. Veterans encouraged to apply.