Senior GRC Analyst
Full time Southlake, Texas | Remote Texas
ABOUT GREYSTAR
Greystar is a leading, fully integrated global real estate platform offering expertise in property management, investment management, development, and construction services in institutional-quality rental housing. Headquartered in Charleston, South Carolina, Greystar manages and operates over $300 billion of real estate in more than 265 markets globally with offices throughout North America, Europe, South America, and the Asia-Pacific region. Greystar is the largest operator of apartments in the United States, managing over one million units/beds globally. Across its platforms, Greystar has nearly $79 billion of assets under management, including over $35 billion of development assets and over $36.5 billion of regulatory assets under management. Greystar was founded by Bob Faith in 1993 to become a provider of world-class service in the rental residential real estate business. To learn more, visit www.greystar.com.
JOB DESCRIPTION SUMMARY
JOB DESCRIPTION
Responsibilities
- Execute information security GRC program activities including control assessments, policy and procedure reviews, exception management, and documentation of security processes for global locations.
- Monitor for changes in laws, regulations, and industry standards affecting information security requirements (e.g., NIST, ISO 27001, PCI DSS, SOX, GDPR, CCPA), perform periodic compliance assessments, and translate changes into actionable requirements for the business.
- Conduct periodic risk assessments across business units, applications, infrastructure, and processes. Document findings, partner with control owners on remediation plans, and track issues through closure.
- Perform third-party risk management activities, including pre-contract security due diligence, recurring vendor risk reviews, and remediation tracking. Maintain the vendor risk inventory and supporting documentation.
- Respond to client, regulator, and internal audit requests, including security questionnaires (SIG, CAIQ), evidence collection, and findings remediation. Coordinate cross-functional input and maintain a library of standard responses.
- Partner with Legal, Privacy, and other stakeholders to fulfill Electronically Stored Information (ESI) requests, including identification, preservation, collection, and chain-of-custody documentation in support of legal holds, investigations, and regulatory inquiries.
- Audit internal control systems on a periodic basis to ensure that access levels, segregation of duties, and configuration baselines remain appropriate. Work closely with the Information Security Officer and Manager, Information Security to respond to audit findings that require action.
- Run periodic user access reviews and privileged access reviews across in-scope systems and applications. Coordinate with system owners and managers to validate access, document results, and drive timely remediation of inappropriate or excessive access.
- Maintain the enterprise security awareness program, including company-wide training curricula and ongoing awareness communications that promote secure behavior across the organization.
- Operate the phishing simulation program, including campaign design, results analysis, and assignment of remediation training for users who require additional reinforcement.
- Administer and enhance the enterprise GRC platform, including workflow configuration, control library maintenance, reporting, and user support.
- Develop metrics, dashboards, and reporting on the health of the GRC program for the Information Security Officer and senior leadership.
Qualifications
- Bachelor's degree in Information Security, Computer Science, Information Systems, or a related field, or equivalent work experience.
- Five or more years of progressive experience in information security, with at least three years focused on GRC, risk, audit, or compliance.
- Demonstrated experience building or operating an enterprise risk management program, including risk assessments, risk registers, and risk treatment planning.
- Experience with third-party risk management, including vendor security assessments and due diligence.
- Working knowledge of security frameworks and standards including ISO 27001, SOC 2, NIST 800-53, and GDPR.
- Familiarity with cloud environments (AWS, GCP, Azure) and their risk and compliance implications.
- Familiarity with AI governance concepts and emerging frameworks (ISO 42001, NIST AI RMF), or a demonstrated ability to learn and apply new frameworks quickly.
- Strong analytical and problem-solving skills with the ability to translate technical risk into clear business language.
- Demonstrated ability to manage multiple priorities, drive issues to closure, and work independently with minimal supervision.
- Collaborative approach with the ability to influence partners across IT, Engineering, Legal, Privacy, Internal Audit, and the business.
- Industry certifications such as CRISC, CISA, CISSP, or CCSK are a plus.
- Experience with GRC platforms such as Hyperproof, OneTrust, Archer, or similar is a plus.
- Experience with security awareness training platforms such as KnowBe4 or similar is a plus.
Additional Compensation:
Many factors go into determining employee pay within the posted range including business requirements, prior experience, current skills and geographical location.
Corporate Positions: In addition to the base salary, this role may be eligible to participate in a quarterly or annual bonus program based on individual and company performance.
Onsite Property Positions: In addition to the base salary, this role may be eligible to participate in weekly, monthly, and/or quarterly bonus programs.
Robust Benefits Offered*:
Competitive Medical, Dental, Vision, and Disability & Life insurance benefits. Low (free basic) employee Medical costs for employee-only coverage; costs discounted after 3 and 5 years of service.
Generous Paid Time off. All new hires start with 15 days of vacation, 4 personal days, 10 sick days, and 11 paid holidays. Plus your birthday off after 1 year of service! Additional vacation accrued with tenure.
For onsite team members, onsite housing discounts at Greystar-managed communities are available, subject to discount and unit availability.
6-Week Paid Sabbatical after 10 years of service (and every 5 years thereafter).
401(k) with Company Match up to 6% of pay after 6 months of service.
Paid Parental Leave and lifetime Fertility Benefit reimbursement up to $10,000 (includes adoption or surrogacy).
Employee Assistance Program.
Critical Illness, Accident, Hospital Indemnity, Pet Insurance and Legal Plans.
Charitable giving program and benefits.
*Benefits offered for full-time employees. For Union and Prevailing Wage roles, compensation and benefits may vary from the listed information above due to Collective Bargaining Agreements and/or local governing authority.
Greystar will consider for employment qualified applicants with arrest and conviction records.
Important Notice: Greystar will never request your banking details or other sensitive personal information during the interview process. Greystar does not conduct any interviews via text or messaging, and all communication will come from official Greystar email addresses (@greystar.com). If you receive suspicious requests, please report them immediately to AskHR@greystar.com.