Job Description
POSITION – LEAD ANALYST GRC
Job Summary
The Lead Analyst – Governance, Risk & Compliance (GRC) will be responsible for leading all major efforts and day-to-day IT compliance, governance, and risk management functions. The role will be responsible for planning, design, implementation, operation, and maintenance of IT GRC efforts intended to support Business & IT Risk Management and the compliance goals & objectives of the organisation.
The individual in this role shall have an expert understanding of compliance, governance, and risk management functions and major tools and processes relevant therein. The Lead Analyst (GRC) will drive the implementation and delivery of various IT GRC efforts to reduce overall IT security risk to the organisation and provide continual visibility to the management.
Roles & Responsibilities
Core Responsibilities
. Define IT/ IS policies, standards, and procedures suitable to organization in line with applicable legal & regulatory frameworks and work through the process to get them reviewed, approved, and published.
. Perform security and compliance assessments on new and existing systems, processes and technology and conduct periodic gap assessments to validate compliance on an ongoing basis.
. Lead efforts towards vendor due-diligence process and third-party risk management for Indian as well as overseas vendors.
. Conceptualize and develop IT & InfoSec measures, metrics and a risk register, and track trends to narrow gaps.
. Analyse and map complex technical and business requirements from a security perspective and make recommendations to enable business as well as reduce or contain over-all cyber risk.
. Collaborate & work with business units to assess and ensure controls are adequate, appropriate and effective.
. Collaborate and perform risk-based business impact analysis and support maturing of business continuity planning & cyber resiliency efforts.
. Liaise with and provide consultative support to IT risk & control owners and performers, and facilitate their remediation of any findings/ observations.
. Work with internal & external stakeholders on IT/ InfoSec exceptions & manage timely remediation of findings through facilitation & close coordination.
. Drive and track IT GRC efforts, gaps, observations, findings, risks and remediations, and coordinate with internal and external stakeholders.
Other Responsibilities
. Lead internal & external compliance audits for PCI-DSS, SOX, GDPR, CCPA & Personal Data Protection law.
. Lead training and awareness sessions to explain IT GRC policies, standards to other stakeholders in simple and non-technical language.
. Stay current on developing regulatory concerns and changing IT/ InfoSec trends and drive sensitization across the organisation on applicability or impact to improve overall security posture.
. In-depth research on current IT & InfoSec technologies and assess new capabilities, controls and solutions that could enhance security posture of the organisation.
. Identify & assess strengths & weaknesses in the GRC program as they relate to privacy, security, business resiliency and compliance frameworks.
. Generation of reports for analysis, assessment and reporting to stakeholders.
Years of Experience
. A minimum of seven (7-9) years' overall experience in the Information Security and/ or Technology domain, of which (or in addition) a minimum of five (5) years' experience in IT GRC in an organisation of repute with a global environment.
Education Qualifications & Certifications
Required Minimum Qualifications
. Master’s, Bachelor’s or Associate Degree in Computer Science, Computer Applications, Information Security or equivalent.
. At least one certification among CISA, CRISC, GRCP, GRCA, PMI-RMP.
. Certified ISO 27001 Lead Auditor (LA).
Other Preferred Qualifications
. Other preferred: CGEIT, ISC2 (CISSP, CISM, CCSP etc.), CTPRP, CTPRA, C3PRMP, ITIL Expert etc.; any of these certifications is a plus.
Skill Set Required
Required Primary Skills
. Advanced knowledge of key IT GRC business workstreams and workflows, including but not limited to Third Party Risk Management, Exceptions & Findings Management, Risk & Compliance assessments, audits & remediations, formation of policies, standards and processes, and various security services.
. Experience and thorough understanding of various legal & regulatory requirements, including but not limited to PCI DSS, SOX, HIPAA, GDPR, CCPA & PDPB.
. Advanced knowledge of information security programs, remediation management, security auditing techniques, and risk & control assessment and management.
. Experience of research and writing concise technical reports, briefs and business cases.
. Implementation expertise of all GRC functions and ability to integrate IT GRC with Enterprise GRC.
. Advanced understanding of ISMS and IT security frameworks & standards, particularly the NIST Cybersecurity Framework, ISO 27001 and ISO 31000.
. Assessment & implementation expertise using NIST CSF, ISO 27001, ITIL V3/4.
. Advanced knowledge of infrastructure & security involving LAN, WAN, datacentres, DR Site, Cloud services and SOC with associated tools.
. Excellent written and oral communication skills.
. Track record of acting with integrity, being inquisitive and adaptable, and being an effective team player.
. Self-motivated, well-organized and strong work ethic with attention to details.
. Ability to adapt, prioritize and manage multiple tasks in a fast paced and rapidly changing environment.
. Continual feedback, timely communication, escalation and tracking of high-priority issues without supervision.
. Volunteer by trait who is results-driven, professional, collaborative and committed to organisational goals & objectives.
. Ability to speak publicly, including large groups, with all levels of management.
Desired Skills
. Knowledge of information security system architecture.
. Experience in leading an IT GRC project implementation.
. Hands-on experience of GRC applications.