GRC Program Specialist

Job Summary:

The position is responsible for supporting the security direction of the business and elevating the company’s security posture. The GRC Program Specialist is expected to support the security strategy of the business with new and existing information system capabilities. Consequently, the position requires both an understanding of legacy systems, as well as innovative technologies and requirements. The GRC role is also responsible for the planning and design of policies and maintenance.

Job Expectations:

The ideal candidate is technical and possesses at least three or more years of experience in security, compliance, or risk management. The role oversees the business’ security requirements and obligations mandated by standards and regulations such as the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX), General Data Protection Regulation (GDPR), Health Information Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS). In tandem with security leadership, the GRC role consistently assesses and validates the assurance of the security, vendor, and third-party risk management program. As a primary point of contact for internal and external auditors, the GRC role monitors progress and enforces resolution of outstanding issues that may lead to non-compliance or security threats to the business. As a key member of the security team, the GRC role must focus on strong risk management and corporate resiliency, and not be driven solely by compliance.

• Assist in periodic re-validation of our Top Risks and drive improvements for risk reduction
• Assist with the implementation and operation of Governance Risk and Compliance (GRC) tooling to further improve and automate our GRC processes and policies
• Maintain oversight in a GRC-related platform.
• Identify strengths and weaknesses in the security program as they relate to privacy, security, business resiliency and compliance frameworks.
• Document, formulate and enforce areas of security improvement that balance risk with business operations and do not diminish efficiencies or innovation.
• Maintain strong oversight of third parties, vendors, and business partners to safeguard against undue risk presented by external entities. Escalating to security management and business unit leads when points of weakness are discovered.
• Analyze findings, and document, recommend and report program gaps to security leadership.
• Monitor current and proposed security changes impacting regulatory, privacy and security industry best practice guidance. Apply GRC expertise across key lines of business, including products, practices, and procedures.
• Define qualitative and quantitative metrics to assess the success of the security program and provide regular reports to security and business leadership.
• Ensure security and technology teams maintain up-to-date configuration documentation for systems and processes. Maintain rigorous oversight of security systems and security configuration administration to reduce risk to enterprise systems and accounts.
• Function as a key participant in incident response to track occurrence and resolution, with strict documentation and reporting.
• Help support various parts of the company to adopt a common risk and control framework 
• Assist with all ongoing compliance activities related to the implementation, maintenance, monitoring, and continuous improvement of the Information Security Management System (ISMS)
• Evaluate the effectiveness of information security controls and performance by developing, monitoring, gathering, and analyzing information security and compliance metrics for management
• Advise and collaborate with SMEs, including Audit & Compliance teams, to ensure adequate security controls are in place to manage risk and are aligned with leading best practices
• Perform security policy and standard gap analysis, propose and draft documents and changes

The duties and responsibilities described above may provide only a partial description of this position. This is not an exhaustive list of all aspects of the job.  Other duties and responsibilities not outlined in this document may be added as necessary or desirable, with or without notice.

Knowledge, Skills and Abilities:

Required:

• Experience working with Agile methodology, JIRA, and GRC tools
• Specialist 3+ years of relevant industry experience
• Strong knowledge of and experience in security risk management lifecycle
• Familiar with security compliance frameworks and requirements, e.g., SOC 1/2, PCI, ISO27001, NIST CSF, and others.
• Experience in third party risk assessment and third-party risk continuous monitoring
• Experience in security policy governance lifecycle
• Experience working with, Cloud technologies/environments, AWS or other related cloud experience is required
• Effective communication, interpersonal and leadership skills to work with both engineering and other non-technical stakeholders
• Strong security and compliance domain knowledge
• Bachelor's degree or equivalent practical experience

#LI-JC1