ePayPolicy
Country: USA
Hybrid, full-time

Information Security Compliance Analyst

AI assessment

An excellent position at a stable fintech with a strong culture (97% customer retention) and direct influence on processes. It offers a hybrid schedule, unlimited PTO and work at a fast-growing company, which gives excellent opportunities for career growth.


Vacancy from Quick Offer Global, the list of international companies

Vacancy difficulty

AI assessment

The role requires deep knowledge of compliance (PCI DSS, NACHA) and the ability to conduct detailed technical vendor audits manually, not just through GRC platforms. The high level of responsibility and the need to interact with the legal and finance departments make the position demanding.

Salary analysis

Median: $115,000
Market: $95,000 – $135,000
AI assessment

The salary is not stated in the posting, but for Austin, Texas the market range for GRC specialists with 3-5 years of experience is $95,000–$130,000. ePayPolicy positions itself as a competitive employer, so an offer within this range can be expected.

Cover letter

I am writing to express my strong interest in the Information Security Compliance Analyst position at ePayPolicy. With over 4 years of experience in IT audit and third-party risk management, I have developed a keen ability to bridge the gap between technical security requirements and business operations. My background in conducting deep-dive technical assessments and managing SOC report reviews aligns perfectly with your need for a professional who can own the TPRM lifecycle.

In my previous roles, I have successfully navigated complex procurement processes, ensuring that security standards were not just met, but integrated as a business enabler. I am particularly drawn to ePayPolicy's growth trajectory and the opportunity to report directly to the Head of InfoSec & Infra to help scale the security posture. My familiarity with PCI-DSS and NACHA frameworks, combined with a 'figure-it-out' mindset, makes me well-equipped to contribute to your team's success from day one.


Job description

Every day, ePayPolicy helps over 10,000 insurance companies speed up incoming and outgoing payments. By helping them move from manual, outdated forms of payment collection to modern payment tools, we help their companies work faster and more efficiently. (Check out our almost 5-star customer reviews.)

How do we do it? With powerful payment tools that just work. Our secure, online ACH and credit card payment page is the core product for many of our companies. But we also provide an integrated suite of helpful features for insurance companies of all sizes, including point-of-sale financing, payables network tools, and check reconciliation, all within a single dashboard.

Our expert, live support team helps deliver exceptional care every day, with an industry-leading 97% customer retention rate. Our customers love us. We love them.

Founded in 2014, our growing team is based in Austin, TX, and has clients in all 50 US states. We’ve grown over 300% in the last three years - with big plans for the future.

Position Summary

The Information Security Compliance Analyst is a high-impact role designed for a professional who thrives at the intersection of technical security, risk management, and business operations. This position is the primary engine for our Third-Party Risk Management (TPRM) lifecycle and a key contributor to our broader GRC (Governance, Risk, and Compliance) program, privacy initiatives, and audit readiness.

The ideal candidate is a self-starting "problem-solver" who can navigate complex technical environments and manage multiple high-priority workstreams in parallel. You are expected to act as a strategic partner to the business, applying expert-level stakeholder engagement and a keen eye for process optimization to ensure security compliance serves as a seamless business enabler.

Key Responsibilities

1. Strategic Procurement Partnership & Project Management

  • End-to-End Ownership: Act as a dedicated "Procurement Partner" for internal requestors, managing the workflow from initial intake through final vendor approval and onboarding handoff.
  • Tiered Risk Assessment: Conduct initial technical security assessments. You will be responsible for defining the scope and risk profile of new vendors, strategically engaging senior technical leads when specific high-risk architectures or complex integrations warrant specialized review.
  • Contractual Navigation: Facilitate the legal and contractual review process by translating security requirements into actionable contract language and liaising between Legal, Security, and external vendors.
  • Cross-Functional Onboarding: Orchestrate the final onboarding steps by coordinating with Finance, People Ops, and IT Ops to ensure all operational requirements are met before communicating final approval to the organization.

2. Annual Vendor Lifecycle & Risk Decisioning

  • Portfolio Management: Proactively manage the recurring annual assessment calendar for our existing vendor ecosystem. This requires exceptional time management to ensure deep-dive reviews are completed in parallel with active procurement projects.
  • Critical Risk Analysis: Perform sophisticated analysis of vendor documentation (e.g., SOC reports, SIGs, penetration test summaries). You are expected to synthesize this data to make informed recommendations on risk acceptance, identifying where internal controls can mitigate vendor gaps.

3. GRC, Audit Readiness & Privacy

  • Compliance Response: Serve as the "source of truth" for external parties, managing responses to inbound requests for compliance proof (Audit Reports, W9s, COIs, etc.).
  • Audit Coordination: Support the evidence collection and control-testing phases for annual audits, including PCI DSS and ACH/NACHA.
  • Privacy Operations: Support the Privacy Team as a first-line responder for data subject requests (DSRs) and foundational privacy inquiries.

4. Continuous Improvement & Automation

  • Process Engineering: Continuously evaluate the TPRM and GRC lifecycle for bottlenecks; propose and implement workflows that increase efficiency.
  • Automation Strategy: Partner with the Infrastructure team to automate manual evidence collection and vendor intake processes.

Required Skills & Qualifications

Technical Foundations

  • Systemic Understanding: A strong grasp of system architecture and data flows. You must understand how interconnected systems affect the scope of security and compliance boundaries.
  • Technical Literacy: Ability to interpret network diagrams, encryption standards, and vulnerability reports without requiring basic technical instruction.
  • Compliance Expertise: Foundational knowledge of PCI-DSS, NACHA operating rules, and core GRC principles.

Professional Attributes

  • Autonomous Execution: Proven ability to take a high-level objective and drive it to completion with minimal supervision.
  • Audience Awareness: Exceptional communication skills with the ability to tailor complex technical risks into clear, actionable insights for non-technical stakeholders.
  • Resourcefulness: A "figure-it-out" mindset—leveraging all available documentation, internal tools, and historical data to resolve ambiguity.
  • Analytical Rigor: A natural tendency toward detail; you catch the discrepancies in complex reports that others typically miss.

Experience Requirements

  • 3–5 years of experience in Information Security, IT Audit, or Third-Party Risk Management.
  • Technical Depth: Demonstrated experience performing manual security reviews and control assessments (independent of automated GRC "check-the-box" platforms).
  • Certifications: CISA, CRISC, or Security+ are preferred but not required.
  • Experience in fast-paced, growth-oriented environments where building processes is as important as following them.

Why Join Us?

This role offers a unique level of visibility and ownership. You will report directly to the Head of InfoSec & Infra, serving as a key voice in how we scale our security posture. If you are a high-judgment professional who takes pride in being the "expert in the room" for compliance, this is the role for you.

Why ePayPolicy

  • Competitive salary
  • Comprehensive benefits package with employer-paid basic life and disability premiums
  • 401K
  • Unlimited PTO
  • Company-sponsored quarterly “ePayItForward” initiatives
  • Supportive and inclusive company culture with a focus on work/life balance
  • Fully-stocked kitchen
  • Lunch stipend when working onsite
  • Open communication (We won’t box you in! If you have a cool idea for a product improvement or a suggestion on how to improve the customer experience, let’s talk about it. We value everyone’s ideas and opinions.)
  • Huge opportunity for growth

We operate on a hybrid schedule for in-office employees. Standard schedules are three days per week in the office, however, the cadence and days are determined by each team and manager.

We value diversity here at ePayPolicy and understand the importance of creating a safe and comfortable work environment, encouraging individualism and authenticity in every member of our team. We strive to create an accessible and inclusive experience for all candidates. If you need an accommodation during the application or recruiting process, please submit a request to our team via this Interview Accommodation form: https://forms.gle/xKppyKTSqfTUi7hz5


Skills

  • Risk Management
  • PCI DSS
  • CISA
  • Information Security
  • IT Audit
  • Security
  • GRC
  • NACHA
  • Third-Party Risk Management
  • CRISC
  • SOC Reports

Possible interview questions

Checks practical experience in third-party risk analysis.

Describe your process for analyzing a SOC 2 Type II report: which sections and exceptions do you look at first?

Assesses understanding of fintech and payment-system specifics.

What main challenges have you faced in maintaining PCI DSS compliance in cloud environments?

Checks communication and conflict-resolution skills.

What would you do if a business unit insists on working with a critical vendor that failed your security review?

Assesses process-optimization ability.

Which metrics would you use to evaluate the effectiveness of a third-party risk management (TPRM) program?

Checks technical literacy.

How do you assess security risks when analyzing the network diagram of a new SaaS solution?

Similar vacancies

Atom group
$4,000 – $5,000

Senior Information Security

Senior · Remote · Belarus
Information Security · DevSecOps · SDLC · Risk Management · Security Policy · DevOps
+6 skills

SDOdev
380,000 ₽ – 500,000 ₽

Senior Android Security / Reverse Engineer (HTTPS Traffic, Google Services)

Senior · Remote · Russia
Android · iOS · TCP/IP · HTTPS · Cryptography · MITM · Frida · Objection · Apktool · Jadx · Hopper · Smali · Hermes · Swift · Dart · Objective-C · C++ · Reverse Engineering · Cybersecurity
+19 skills

Operation Zero
450,000 ₽ – 900,000 ₽

Android Security Researcher

Remote · Russia
Android · Reverse Engineering · Exploit Development · Kernel Research · C++ · ARM Assembly · Java · Ghidra · IDA Pro · Linux Kernel · Kotlin · JavaScript
+12 skills

NDA
250,000 ₽ – 450,000 ₽

Perimeter Protection Expert (WAF)

Remote · Russia
WAF · Wallarm · Positive Technologies Application Firewall · NGFW · IPS · Vulnerability Assessment · Network Security
+7 skills

Квазар
up to 350,000 ₽

DevOps Engineer / Information Security

Remote · Russia
TCP/IP · DNS · DHCP · HTTPS · SMTP · BGP · OSPF · VLAN · NAT · Zero Trust · RBAC · SIEM · Zabbix · ELK · Wazuh · Grafana · Bash · PowerShell · Python · VMware · Proxmox · Hyper-V · KVM · SoC
+24 skills

Innostaff
Not specified

Senior AppSecOps Engineer

Senior · Remote · Belarus
AppSecOps · DevSecOps · SAST · DAST · SCA · CI/CD · Cybersecurity · Kubernetes · Docker
+9 skills