Information Security Engineer - GRC

🇧🇷 Brazil, Brazil
Posted 3 days ago
Expires May 31, 2026
Full Time · Remote · Compliance · Engineering

ABOUT THE ROLE

As an Information Security Engineer focused on Governance, Risk, and Compliance (GRC) at Clutch, you will own and mature our trust foundation. You will operationalize our security controls, drive evidence collection and continuous monitoring, and partner with product, engineering, and business teams to reduce risk while enabling speed.

ABOUT THE TEAM

You will join a small, high‑impact Security team that partners closely with Infrastructure, Product Engineering, Legal, and GTM. We value outcome‑oriented builders, clear documentation, and automation over manual audits. We work in the open, do frequent retros, and iterate quickly to support a rapidly scaling fintech SaaS platform serving credit unions and their members.

What You’ll Do

Within 3 months, you will:

- Baseline our control library mapped to SOC 2, PCI DSS, and key fintech obligations. Log identified gaps and assign remediation owners in our ticketing system.

- Implement lightweight evidence collection pipelines for top controls such as access reviews, backup tests, vulnerability management, and CI/CD change management.

- Complete a security risk register refresh with likelihood and impact ratings, and publish a quarterly risk report.

Within 6 months, you will:

- Lead our next SOC 2 Type II audit cycle end‑to‑end, including auditor coordination, population requests, and walkthroughs.

- Roll out a vendor risk management workflow integrated with procurement and Legal, including tiering, due diligence, and continuous monitoring.

- Partner with Engineering to define secure SDLC checkpoints and automate evidence from GitHub, CI, and cloud.

- Develop an AI/ML risk assessment framework covering model governance, training data privacy, and shadow AI usage across the organization.

Within 9 months, you will:

- Drive PCI DSS certification readiness, including SoA ownership, internal audits, and management review inputs.

- Establish KPI/KRIs and dashboards for control effectiveness and risk...